
CERT Coordination Center

ActiveX controls built with Microsoft ATL fail to properly handle initialization data

Vulnerability Note VU#456745

Original Release Date: 2009-07-28 | Last Revised: 2010-02-24

Overview

ActiveX controls that are built using a Microsoft ATL template may fail to properly handle initialization data, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

Microsoft Active Template Library (ATL) is a set of C++ classes designed to simplify the creation of COM objects and ActiveX controls. An ActiveX control can be marked "safe for scripting," meaning that it may be driven by an untrusted caller such as JavaScript in a web page, and/or "safe for initialization," meaning that it may accept untrusted initialization data (for example, PARAM values or a persisted property stream supplied by the page). ActiveX controls built with vulnerable versions of ATL may fail to properly handle that initialization data. The specific vulnerabilities include the use of uninitialized objects, unsafe use of OleLoadFromStream (which instantiates whatever object the stream names), and the failure to check for a terminating NULL character in string data. These flaws may result in memory corruption that can be leveraged to execute code, or they may allow an attacker to bypass Internet Explorer kill bit restrictions on unsafe controls.
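
The initialization-data checks at issue are easiest to see in code. The following is an added example, not code from CERT, Microsoft or any vendor listed on this page: a portable C++ simulation of a control's IPersistStreamInit::Load reading a CLSID and a length-prefixed string property from untrusted initialization data. The stream layout, the two CLSIDs, the kill-bit set and the allow-list are all constructed for the example, and COM types (IStream, OleLoadFromStream, BSTR) are replaced with plain C++ so it compiles and runs anywhere. loadNaive shows the patterns the note describes; loadHardened shows the checks a fixed control applies.

```cpp
// Added example (not CERT, Microsoft or vendor code): portable simulation of
// an ATL-style control loading persisted properties from an untrusted stream.
#include <algorithm>
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <set>
#include <vector>

using Clsid  = std::array<std::uint8_t, 16>;
using Stream = std::vector<std::uint8_t>;

// Constructed CLSIDs for the demo; hypothetical, not real registered objects.
const Clsid kHelperObject = {0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
                             0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10};
const Clsid kKillBitted   = {0xde,0xad,0xbe,0xef,0xde,0xad,0xbe,0xef,
                             0xde,0xad,0xbe,0xef,0xde,0xad,0xbe,0xef};

// Stand-ins for the registry kill-bit list (Compatibility Flags 0x400) and
// for the set of CLSIDs this control legitimately embeds.
const std::set<Clsid> kKillBits       = {kKillBitted};
const std::set<Clsid> kAllowedObjects = {kHelperObject};

enum class Status { Ok, Truncated, BadClsid, StringTooLong };

// Every field is initialized before the stream is touched, so a short stream
// can never leave the object identifier or the text buffer uninitialized.
struct Props {
    Status status = Status::Truncated;
    Clsid  object{};        // object the loader would instantiate
    char   text[16] = {};   // fixed-size copy of the string property
};

// Constructed stream layout: 16-byte CLSID, little-endian uint32 byte
// length, then that many string bytes.
static bool readU32(const Stream& s, std::size_t& off, std::uint32_t& v) {
    if (s.size() - off < 4) return false;
    v = std::uint32_t(s[off]) | (std::uint32_t(s[off + 1]) << 8) |
        (std::uint32_t(s[off + 2]) << 16) | (std::uint32_t(s[off + 3]) << 24);
    off += 4;
    return true;
}

static bool readClsid(const Stream& s, std::size_t& off, Clsid& c) {
    if (s.size() - off < c.size()) return false;
    std::copy_n(s.begin() + off, c.size(), c.begin());
    off += c.size();
    return true;
}

// Vulnerable pattern, as the note describes it: whatever CLSID the stream
// names is the object that gets instantiated (OleLoadFromStream semantics,
// with no kill-bit or expected-CLSID check), and the string is copied using
// the attacker-chosen length with no guarantee of a terminating NUL. The
// memcpy is clamped so the demo itself stays memory-safe; in the real bug the
// unterminated buffer is later read as a C string and walks past its end.
Props loadNaive(const Stream& s) {
    Props p; std::size_t off = 0; std::uint32_t len = 0;
    if (!readClsid(s, off, p.object) || !readU32(s, off, len)) return p;
    std::size_t n = std::min<std::size_t>({len, sizeof p.text, s.size() - off});
    std::memcpy(p.text, s.data() + off, n);
    p.status = Status::Ok;
    return p;
}

// Hardened pattern: refuse CLSIDs outside the control's own allow-list or
// under a kill bit, bound the string length both to what the stream actually
// holds and to what the destination can take, and always NUL-terminate.
Props loadHardened(const Stream& s) {
    Props p; std::size_t off = 0; std::uint32_t len = 0;
    if (!readClsid(s, off, p.object) || !readU32(s, off, len)) return p;
    if (!kAllowedObjects.count(p.object) || kKillBits.count(p.object)) {
        p.status = Status::BadClsid;
        return p;
    }
    if (len > s.size() - off)  { p.status = Status::Truncated;     return p; }
    if (len >= sizeof p.text)  { p.status = Status::StringTooLong; return p; }
    std::memcpy(p.text, s.data() + off, len);
    p.text[len] = '\0';
    p.status = Status::Ok;
    return p;
}

// True if the copied string has a terminator somewhere inside its buffer.
bool isTerminated(const Props& p) {
    return std::memchr(p.text, '\0', sizeof p.text) != nullptr;
}

// Builds a constructed stream for the sample inputs (claimedLen may lie).
Stream makeStream(const Clsid& c, const Stream& str, std::uint32_t claimedLen) {
    Stream s(c.begin(), c.end());
    for (int i = 0; i < 4; ++i) s.push_back(std::uint8_t(claimedLen >> (8 * i)));
    s.insert(s.end(), str.begin(), str.end());
    return s;
}
```

Feeding both loaders a stream that names the kill-bitted CLSID shows the bypass: loadNaive reports Ok with that CLSID as the object to instantiate, while loadHardened rejects it. A 16-byte string with no NUL leaves loadNaive's buffer unterminated, and a claimed length larger than the remaining bytes is rejected by loadHardened as truncated. The real fix for affected controls is to recompile against the updated ATL, but the same bounding and allow-list checks apply to any persisted property a control reads on its own.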

Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code.

Solution

Apply an update

This vulnerability has been addressed in the update for Internet Explorer provided in Microsoft Security Bulletin MS09-034. This update helps prevent ActiveX controls that were built with the vulnerable ATL versions from being initialized with unsafe data patterns in Internet Explorer, and it also blocks the techniques that can be used to bypass the kill bit in Internet Explorer.

Update and recompile ActiveX controls

Developers who have created ActiveX controls using Microsoft ATL should install the update for Microsoft Security Bulletin MS09-035 and recompile the ActiveX controls. This will cause the controls to use an updated ATL version that addresses these vulnerabilities.

Disable ActiveX

Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document.

Vendor Information


Adobe

Updated:  July 30, 2009

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see the Adobe PSIRT blog entry: Impact of Microsoft ATL vulnerability on Adobe Products. Adobe has released APSB09-11 for Shockwave Player and APSB09-10 for Flash Player.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Aurigma Inc.

Notified:  July 28, 2009 Updated:  July 29, 2009

Statement Date:   July 29, 2009

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Cisco Systems, Inc.

Notified:  July 28, 2009 Updated:  July 29, 2009

Statement Date:   July 29, 2009

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Cisco Systems has published Cisco Security Advisory cisco-sa-20090728-activex in response to this issue. Users of the affected product(s) should review this advisory and apply the mitigations it describes.

F5 Networks, Inc.

Notified:  July 28, 2009 Updated:  July 29, 2009

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

FirePass controls for versions 5.5, 5.5.1, 5.5.2, 6.02, and 6.03, and SAM 8.0 controls, are affected.

Microsoft Corporation

Updated:  July 28, 2009

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See the Solution section above: apply the Internet Explorer update in Microsoft Security Bulletin MS09-034, and developers should install the MS09-035 update and recompile ATL-based controls.

OSISoft

Updated:  August 04, 2009

Statement Date:   August 03, 2009

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see the OSISoft Security Alert for more details.

SoftArtisans, Inc

Notified:  July 28, 2009 Updated:  February 24, 2010

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Please see SoftArtisans support document 1331.

SonicWall

Notified:  July 28, 2009 Updated:  October 28, 2009

Statement Date:   July 30, 2009

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The XTSAC.cab file, which is used in the SSL-VPN 200, 2000 and 4000 products for IE browser-based RDP connections, is affected by the issue.

SonicWALL has addressed VU#456745 for the following products at the specified firmware version:

SSL-VPN 200: 3.5.0.2-7sv (posted 9/16/2009)
SSL-VPN 2000/4000: 3.5.0.11-29sv (posted 9/16/2009)

Sun Microsystems, Inc.

Updated:  August 05, 2009

Statement Date:   August 05, 2009

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see Sun Alert 264648 for more details.

Apple Inc.

Notified:  July 28, 2009 Updated:  July 31, 2009

Status

  Not Vulnerable

Vendor Statement

No Apple products are affected by the ATL issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation

Notified:  July 28, 2009 Updated:  July 29, 2009

Statement Date:   July 28, 2009

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

LogicNP

Notified:  July 28, 2009 Updated:  July 30, 2009

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

This issue does not affect us since our ActiveX controls are based on MFC and do not use ATL templates.

VanDyke Software

Notified:  July 28, 2009 Updated:  August 04, 2009

Statement Date:   July 31, 2009

Status

  Not Vulnerable

Vendor Statement

Our development team has confirmed that VU#456745 does *not* affect any of our products.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Alcatel-Lucent

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

America Online, Inc.

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Attachmate

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Axis

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

BT

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Business Objects

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Callisto Corporation

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Computer Associates eTrust Security Management

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Computer Emergency Response Team Brazil

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Corel Corporation

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

E-Book Systems Inc.

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ESET, LLC.

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Electronic Arts

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

GOVCERT-NL

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

GameTap-Turner Broadcasting subsidiary

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gracenote

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hewlett-Packard Company

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Husdawg

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Iconics, Inc.

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IncrediMail Ltd.

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Infotriever, Inc.

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

InterActual Technologies, Inc.

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Intuit, Inc.

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Juniper Networks, Inc.

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Kodak Easy Share Gallery

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Lenovo

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

LizardTech, Inc

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Lotus Software

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Media Technology Group

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Motive

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Move Networks, Inc.

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Namzak Labs Inc.

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nokia

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Novell, Inc.

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Oracle Corporation

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

PNI Digital Media

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Panda Software Ltd.

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Radiant Systems

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

RealNetworks, Inc.

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Research in Motion (RIM)

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SAP

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SafeNet

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ScriptLogic

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Siemens

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Simba Technologies

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SupportSoft, Inc.

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SwiftView

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Symantec

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Trend Micro

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Unigraphics Solutions

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

View22

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

WeOnlyDo! Software

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

WinZip Computing, Inc.

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Worldspan

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Xerox

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Yahoo, Inc.

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

eBay

Notified:  July 28, 2009 Updated:  July 28, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

Acknowledgements

Thanks to Microsoft for reporting this vulnerability. Microsoft in turn credits David Dewey of IBM ISS X-Force and Ryan Smith of Verisign iDefense Labs.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2009-0901, CVE-2009-2493, CVE-2009-2495
Severity Metric: 47.08
Date Public: 2009-07-09
Date First Published: 2009-07-28
Date Last Updated: 2010-02-24 15:28 UTC
Document Revision: 44

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.