CERT-In Vulnerability Note
CIVN-2009-0128
Multiple Vulnerabilities in Microsoft Office Active Template Library
Original Issue Date: October 15, 2009
Severity Rating: HIGH
Systems Affected
- Microsoft Outlook 2002 Service Pack 3
- Microsoft Office Outlook 2003 Service Pack 3
- Microsoft Office Outlook 2007 Service Pack 1 and Microsoft Office Outlook 2007 Service Pack 2
- Microsoft Visio 2002 Viewer
- Microsoft Office Visio 2003 Viewer
- Microsoft Office Visio Viewer 2007, Microsoft Office Visio Viewer 2007 Service Pack 1, and Microsoft Office Visio Viewer 2007 Service Pack 2
Overview
Multiple vulnerabilities have been reported in the Microsoft Office Active Template Library (ATL). Successful exploitation of these vulnerabilities could either disclose information or run arbitrary code in the user's context and provide complete control of the affected system.
Description
The Active Template Library (ATL) is a set of template-based C++ classes that let the user create small, fast Component Object Model (COM) objects. It has special support for key COM features, including stock implementations, dual interfaces, standard COM enumerator interfaces, connection points, tear-off interfaces, and ActiveX controls.
1. ATL Uninitialized Object Vulnerability (CVE-2009-0901)
This is a remote code execution vulnerability caused by an issue in the ATL headers that could allow an attacker to call 'VariantClear()' on a variant that has not been correctly initialized. For developers who created a component or control using ATL in this manner, the resulting component or control could allow remote code execution in the logged-on user's context.
The attacker could exploit this vulnerability by creating a specially crafted Web site and then persuading a user to visit it. Successful exploitation of this vulnerability could provide complete control of the affected system.
Note: This vulnerability only directly affects systems with vulnerable components and controls installed that were built using affected versions of Microsoft's ATL.
2. ATL COM Initialization Vulnerability (CVE-2009-2493)
This is a remote code execution vulnerability caused by issues in the ATL headers that handle instantiation of an object from data streams. For components and controls built using ATL, unsafe usage of 'OleLoadFromStream' could allow the instantiation of arbitrary objects which can bypass certain related security policies.
This vulnerability could allow remote code execution if the user visits a specially crafted Web page with Internet Explorer, instantiating a vulnerable component or control. An attacker who successfully exploited this vulnerability could gain the rights of the logged-on user and take complete control of an affected system.
Note: This vulnerability only directly affects systems with components and controls installed that were built using Visual Studio ATL.
3. ATL Null String Vulnerability (CVE-2009-2495)
This is an information disclosure vulnerability caused by an issue in the ATL headers that could allow a string to be read with no terminating NULL bytes. An attacker could manipulate this string to read extra data beyond the end of the string and thus disclose information in memory.
An attacker who successfully exploited this vulnerability could run a malicious component or control that could disclose information, forward user data to a third party, or access any data on the affected systems that was accessible to the logged-on user.
Note: This vulnerability only directly affects systems with components and controls installed that were built using Visual Studio ATL.
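The null-string issue above comes down to trusting serialized data to carry its own terminator. As an added illustration (not code from this note, from Microsoft, or from ATL), the C function below reads a length-prefixed string and rejects input that lacks a terminating NULL byte; the wire format, the name read_string and the sample inputs are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format (an assumption, not ATL's own layout):
 * 4-byte little-endian length N, then N bytes whose last byte must be '\0'. */
enum read_status { READ_OK, READ_TRUNCATED, READ_TOO_LONG, READ_UNTERMINATED };

/* Copies the string into out only when every check passes. */
enum read_status read_string(const uint8_t *buf, size_t buf_len,
                             char *out, size_t out_cap)
{
    uint32_t n;

    if (buf_len < 4)
        return READ_TRUNCATED;
    n = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
        ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    if (n > buf_len - 4)          /* declared length exceeds received data */
        return READ_TRUNCATED;
    if (n > out_cap)              /* would not fit in the caller's buffer */
        return READ_TOO_LONG;
    if (n == 0 || buf[4 + n - 1] != '\0')
        return READ_UNTERMINATED; /* a later strlen/printf would over-read */
    memcpy(out, buf + 4, n);
    return READ_OK;
}

/* Constructed sample inputs. */
static const uint8_t good[]    = {6, 0, 0, 0, 'h', 'e', 'l', 'l', 'o', 0};
static const uint8_t no_nul[]  = {5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t bad_len[] = {200, 0, 0, 0, 'h', 'i', 0};
static char demo_out[16];

int main(void)
{
    printf("good:    %d\n", read_string(good, sizeof good, demo_out, sizeof demo_out));
    printf("no_nul:  %d\n", read_string(no_nul, sizeof no_nul, demo_out, sizeof demo_out));
    printf("bad_len: %d\n", read_string(bad_len, sizeof bad_len, demo_out, sizeof demo_out));
    return 0;
}
```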
Workaround
- Do not open or save Microsoft Office files received from untrusted sources
Solution
Apply appropriate updates as mentioned in the Microsoft Security Bulletin MS09-060
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/bulletin/ms09-060.mspx
References
Secunia
http://secunia.com/advisories/37005/
SecurityTracker
http://securitytracker.com/alerts/2009/Jul/1022610.html
SecurityFocus
http://www.securityfocus.com/bid/35832
http://www.securityfocus.com/bid/35828
http://www.securityfocus.com/bid/35830
Cisco
http://tools.cisco.com/security/center/viewAlert.x?alertId=18725
http://tools.cisco.com/security/center/viewAlert.x?alertId=18726
http://tools.cisco.com/security/center/viewAlert.x?alertId=18727
VUPEN
http://www.vupen.com/english/advisories/2009/2895
CVE Name
CVE-2009-0901
CVE-2009-2493
CVE-2009-2495
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-2436857
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India