ActiveX controls that are built using a Microsoft ATL template may fail to properly handle initialization data, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code.
Apply an update
This vulnerability has been addressed in the update for Internet Explorer provided in Microsoft Security Bulletin MS09-034. This update helps prevent ActiveX controls that were built with the vulnerable ATL versions from being initialized with unsafe data patterns in Internet Explorer. The same protection also covers techniques that can be used to bypass the kill bit in Internet Explorer.
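The kill bit mentioned above is a per-CLSID flag that Internet Explorer reads from the registry. The following PowerShell script is an added example written for this note; it is not code from CERT or Microsoft. It lists every CLSID on the host whose "Compatibility Flags" value has the kill bit (0x400) set, and checks one CLSID that you pass in. The CLSID shown in the parameter default is a placeholder, not a control named in this note. The script only reads the registry; it does not set any kill bits.

```powershell
# Added example (not part of the original vulnerability note): audit which
# ActiveX CLSIDs carry the Internet Explorer kill bit, and check one CLSID.
# Read-only; nothing on the host is modified.
#
# Known facts this relies on: Internet Explorer consults
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# and treats bit 0x400 of the DWORD "Compatibility Flags" as the kill bit.
# On 64-bit Windows the 32-bit IE process reads the Wow6432Node view, so
# both views are checked.

param(
    # Placeholder CLSID; replace it with the control you are assessing.
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}'
)

$KillBit = 0x400
$Paths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBittedClsids {
    # Emits one object per CLSID subkey whose Compatibility Flags DWORD has
    # the kill bit set, across every registry view that exists on this host.
    foreach ($base in $Paths) {
        if (-not (Test-Path $base)) { continue }
        Get-ChildItem -Path $base | ForEach-Object {
            $flags = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($null -ne $flags -and ($flags -band $KillBit) -ne 0) {
                [pscustomobject]@{
                    Clsid = $_.PSChildName
                    Flags = ('0x{0:X}' -f $flags)
                    View  = $base
                }
            }
        }
    }
}

function Test-KillBit {
    param([Parameter(Mandatory)][string]$TargetClsid)
    # True only if the kill bit is set in every registry view present.
    # A control blocked in one view but not the other can still be loaded
    # by the IE process that reads the unblocked view.
    $results = foreach ($base in $Paths) {
        if (-not (Test-Path $base)) { continue }
        $key = Join-Path $base $TargetClsid
        $flags = 0
        if (Test-Path $key) {
            $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($null -ne $v) { $flags = $v }
        }
        ($flags -band $KillBit) -ne 0
    }
    return (@($results).Count -gt 0) -and (@($results) -notcontains $false)
}

$all = @(Get-KillBittedClsids)
"{0} CLSID(s) carry the kill bit on this host." -f $all.Count
$all | Sort-Object Clsid | Format-Table -AutoSize

if (Test-KillBit -TargetClsid $Clsid) {
    "Kill bit is set for $Clsid in every present registry view."
} else {
    "Kill bit is NOT set for $Clsid in at least one registry view; Internet Explorer can still instantiate it."
}
```

Reading HKLM does not require an elevated prompt, so the script can run under a normal user account. Because the MS09-034 update specifically addresses techniques that bypass the kill bit, a kill bit that this script reports as set is a useful sanity check but is not a substitute for installing the update.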
Cisco Systems, Inc.
F5 Networks, Inc.
Sun Microsystems, Inc.
America Online, Inc.
Computer Associates eTrust Security Management
Computer Emergency Response Team Brazil
E-Book Systems Inc.
GameTap-Turner Broadcasting subsidiary
InterActual Technologies, Inc.
Juniper Networks, Inc.
Kodak Easy Share Gallery
Media Technology Group
Move Networks, Inc.
Namzak Labs Inc.
PNI Digital Media
Panda Software Ltd.
Research in Motion (RIM)
WinZip Computing, Inc.
Thanks to Microsoft for reporting this vulnerability; Microsoft in turn credits David Dewey of IBM ISS X-Force and Ryan Smith of Verisign iDefense Labs.
This document was written by Will Dormann.