MA-184.072009: MyCERT Alert - Multiple Critical Vulnerabilities in Microsoft Active Template Library (ATL)

1.0 Introduction

Multiple critical vulnerabilities have been identified in the Microsoft Active Template Library (ATL), a set of C++ classes designed to simplify the creation of COM objects and ActiveX controls. According to Microsoft, the vulnerabilities are due to the use of uninitialized objects, unsafe usage of OleLoadFromStream, and the failure to check for a terminating NULL character. User interaction is required: a user must visit a malicious web site that contains a specially crafted HTML file. Exploitation would cause the application to crash and could potentially allow an attacker to take control of the affected system.

2.0 Impact

By exploiting these vulnerabilities, an attacker could execute arbitrary code on vulnerable installations of controls and components created using the vulnerable Active Template Library and gain the same privileges as the user. This could be used to install malware on the user's computer.

3.0 Affected Products

All controls and components created using the vulnerable Active Template Library. The affected libraries are:

- Microsoft Visual Studio .NET 2003 Service Pack 1
- Microsoft Visual Studio 2005 Service Pack 1
- Microsoft Visual Studio 2005 Service Pack 1 64-bit Hosted Visual C++ Tools
- Microsoft Visual Studio 2008
- Microsoft Visual Studio 2008 Service Pack 1
- Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package
- Microsoft Visual C++ 2008 Redistributable Package
- Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package
4.0 Recommendation

4.1 End Users

For end users, this vulnerability has been addressed in the update for Internet Explorer provided in Microsoft Security Bulletin MS09-034. This update helps prevent ActiveX controls that were built with the vulnerable ATL versions from being initialized with unsafe data patterns in Internet Explorer. MyCERT recommends that end users enable the Automatic Updates feature so that the security update is downloaded and installed automatically. For information about specific configuration options in automatic updating, please refer to this URL:

http://support.microsoft.com/kb/294871

If users are not able to perform the update using the Automatic Updates feature, the patch can be downloaded manually for the specific Internet Explorer version and operating system at the following URL:

http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx

4.2 Developers

For developers who have created ActiveX controls using Microsoft ATL, MyCERT recommends installing the update for Microsoft Security Bulletin MS09-035 and recompiling the ActiveX controls. This will cause the controls to use an updated ATL version that addresses these vulnerabilities. The update can be obtained here:

http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx
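As an added illustration (not ATL's, Microsoft's or MyCERT's code) of the two input-handling checks behind the causes named in the Introduction, the following parser treats a control's persisted property stream as untrusted: a string read from it is used as text only after its terminating NULL has been verified, and an embedded object's class identifier must be on an explicit allow-list before any loading would take place. The stream layout, the 4096-byte limit and the allow-list are assumptions for this example, and the sample buffers in the comments are constructed.

```cpp
#include <array>
#include <cstdint>
#include <cstring>
#include <set>
#include <string>
#include <vector>

// Hypothetical persisted-property layout (an assumption for this example,
// not ATL's real stream format):
//   [u32 little-endian length][length bytes]  string property; last byte must be NUL
//   [16 bytes]                                class identifier of an embedded object
struct Stream {
    explicit Stream(const std::vector<uint8_t>& b) : buf(b) {}
    const std::vector<uint8_t>& buf;
    size_t pos = 0;
    // Bounded read: never copies beyond the end of the untrusted buffer.
    bool read(void* dst, size_t n) {
        if (n > buf.size() - pos) return false;
        std::memcpy(dst, buf.data() + pos, n);
        pos += n;
        return true;
    }
};

static bool readU32(Stream& s, uint32_t& v) {
    uint8_t b[4];
    if (!s.read(b, sizeof b)) return false;
    v = b[0] | (uint32_t(b[1]) << 8) | (uint32_t(b[2]) << 16) | (uint32_t(b[3]) << 24);
    return true;
}

// The declared bytes become a C string only if their last byte is the terminator;
// a missing NUL is rejected rather than letting later code read past the buffer.
bool readCString(Stream& s, std::string& out) {
    const uint32_t kMaxLen = 4096;          // assumed sanity limit
    uint32_t len = 0;
    if (!readU32(s, len) || len == 0 || len > kMaxLen) return false;
    std::vector<char> tmp(len, '\0');       // initialised, never left indeterminate
    if (!s.read(tmp.data(), len)) return false;
    if (tmp[len - 1] != '\0') return false;
    out.assign(tmp.data());                 // e.g. {4,0,0,0,'a','b','c',0} -> "abc"
    return true;
}

using Clsid = std::array<uint8_t, 16>;
// The identifier from the stream is checked against an explicit allow-list before
// any object-loading API would be called; unknown classes are never loaded.
bool readAllowedObject(Stream& s, const std::set<Clsid>& allowed, Clsid& out) {
    out.fill(0);
    if (!s.read(out.data(), out.size())) return false;
    return allowed.count(out) != 0;
}
```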
Generally, MyCERT advises users of this software to keep up to date with the latest security announcements from the vendor. Users who receive suspicious URLs can forward them to MyCERT for further analysis. MyCERT can be reached through the following channels:

E-mail : mycert@mycert.org.my
Phone : +603 89926969 or 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : +60 19 2813801 (24x7 SMS reporting)
Business Hours : Mon - Fri 08:30 - 17:30 MYT
Web : http://www.mycert.org.my

5.0 References