===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2009.1101
         Vulnerabilities in Visual Studio Active Template Library
                Could Allow Remote Code Execution (969706)
                               29 July 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Visual Studio .NET 2003 Service Pack 1
                   Microsoft Visual Studio 2005 Service Pack 1
                   Microsoft Visual Studio 2005 Service Pack 1 64-bit Hosted 
                     Visual C++ Tools
                   Microsoft Visual Studio 2008
                   Microsoft Visual Studio 2008 Service Pack 1
                   Microsoft Visual C++ 2005 Service Pack 1
                   Microsoft Visual C++ 2008
                   Microsoft Visual C++ 2008 Service Pack 1
Publisher:         Microsoft
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Unauthorised Access             -- Remote with User Interaction
Resolution:        Patch
CVE Names:         CVE-2009-2495 CVE-2009-2493 CVE-2009-0901

Original Bulletin: 
   http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx

Comment: As there is a vulnerability in the Microsoft Active Template Library 
         (ATL), it is possible that third party applications using this library 
         could also be vulnerable. Anyone who is authoring their own components 
         and controls utilizing ATL (which may include software other than 
         ActiveX controls) should use the updated libraries available for 
         Visual Studio and make their updated software available to their 
         user-base as soon as practical.
                  
         Additionally ICASI have released a scanning service to aid developers 
         in identifying potential vulnerabilities in ActiveX controls and 
         components built with Microsoft's Active Template Libraries (ATL). For
         details see http://isaci.org

--------------------------BEGIN INCLUDED TEXT--------------------

Microsoft Security Bulletin MS09-035 - Moderate

Vulnerabilities in Visual Studio Active Template Library Could Allow Remote 
Code Execution (969706)

Published: July 28, 2009

Version: 1.0

General Information

Executive Summary

   This security update addresses several privately reported vulnerabilities 
   in the public versions of the Microsoft Active Template Library (ATL) 
   included with Visual Studio. This security update is specifically intended 
   for developers of components and controls. Developers who build and 
   redistribute components and controls using ATL should install the update 
   provided in this bulletin and follow the guidance provided to create, and 
   distribute to their customers, components and controls that are not 
   vulnerable to the vulnerabilities described in this security bulletin.

   This security bulletin discusses vulnerabilities that could allow remote 
   code execution if a user loaded a component or control built with the 
   vulnerable versions of ATL.

   While most Microsoft Security Bulletins discuss the risk of a vulnerability 
   for a specific product, this security bulletin discusses the vulnerabilities 
   that may be present in products built using the ATL. Therefore, this 
   security update is rated Moderate for all supported editions of Microsoft 
   Visual Studio .NET 2003, Microsoft Visual Studio 2005, Microsoft Visual 
   Studio 2008, Microsoft Visual C++ 2005 Redistributable Package, and 
   Microsoft Visual C++ 2008 Redistributable Package.

   For more information on the impact of, and workarounds and mitigations for 
   controls and components that may be vulnerable to these issues, please see 
   Microsoft Security Advisory (973882).

   The security update addresses the vulnerabilities by modifying the ATL 
   headers so that components and controls built using the headers can safely 
   initialize from a data stream. For more information about the 
   vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the 
   specific vulnerability entry under the next section, Vulnerability 
   Information.

   Recommendation. Developers who have built components and controls using ATL 
   should download this update and recompile their components and controls 
   following the guidance provided in the following MSDN article.

   The majority of Visual Studio customers who have automatic updating enabled 
   will receive this update automatically and receive the updated ATL. However, 
   as noted earlier, additional steps will be needed to update potentially 
   vulnerable controls and components. Customers who have not enabled automatic 
   updating need to check for updates and install this update manually. For 
   information about specific configuration options in automatic updating, see 
   Microsoft Knowledge Base Article 294871.

   For administrators and enterprise installations or end users who want to 
   install this security update manually, Microsoft recommends that customers 
   apply the update immediately using update management software, or by 
   checking for updates using the Microsoft Update service.

   Known Issues. Microsoft Knowledge Base Article 969706 documents the 
   currently known issues that customers may experience when installing this 
   security update. The article also documents recommended solutions for these 
   issues.

Affected Software

   Microsoft Visual Studio .NET 2003 Service Pack 1   
   Microsoft Visual Studio 2005 Service Pack 1
   Microsoft Visual Studio 2005 Service Pack 1 64-bit Hosted Visual C++ Tools
   Microsoft Visual Studio 2008
   Microsoft Visual Studio 2008 Service Pack 1
   Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package
   Microsoft Visual C++ 2008 Redistributable Package
   Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package

Vulnerability Information

   ATL Uninitialized Object Vulnerability - CVE-2009-0901

   A remote code execution vulnerability exists in the Microsoft Active 
   Template Library (ATL) due to an issue in the ATL headers that could allow 
   an attacker to force VariantClear to be called on a VARIANT that has not 
   been correctly initialized. Because of this, the attacker can control what 
   happens when VariantClear is called during handling of an error by supplying 
   a corrupt stream. This vulnerability only directly affects systems with 
   components and controls installed that were built using Visual Studio ATL. 
   This issue could allow a remote, unauthenticated user to perform remote code 
   execution on an affected system. An attacker could exploit the vulnerability 
   by constructing a specially crafted Web page. When a user views the Web 
   page, the vulnerability could allow remote code execution.

   ATL COM Initialization Vulnerability - CVE-2009-2493

   A remote code execution vulnerability exists in the Microsoft Active 
   Template Library (ATL) due to issues in the ATL headers that handle 
   instantiation of an object from data streams. This vulnerability only 
   directly affects systems with components and controls installed that were 
   built using Visual Studio ATL. For components and controls built using ATL, 
   unsafe usage of OleLoadFromStream could allow the instantiation of arbitrary 
   objects which can bypass related security policy, such as kill bits within 
   Internet Explorer. This issue could allow a remote, unauthenticated user to 
   perform remote code execution on an affected system. An attacker could 
   exploit the vulnerability by constructing a specially crafted Web page. 
   When a user views the Web page, the vulnerability could allow remote code 
   execution.

   ATL Null String Vulnerability - CVE-2009-2495

   An information disclosure vulnerability exists in the Microsoft Active 
   Template Library (ATL) that could allow a string to be read without a 
   terminating NULL character. An attacker could manipulate this string to 
   read extra data beyond the end of the string and thus disclose information 
   in memory. This vulnerability only directly affects systems with components 
   and controls installed that were built using Visual Studio ATL. An attacker 
   who successfully exploited this vulnerability could run a malicious component 
   or control that could disclose information, forward user data to a third 
   party, or access any data on the affected systems that was accessible to the 
   logged-on user. Note that this vulnerability would not allow an attacker to 
   execute code or to elevate their user rights directly, but it could be used 
   to produce information that could be used to try to further compromise the 
   affected system.

--------------------------END INCLUDED TEXT--------------------
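
The over-read described under CVE-2009-2495, as an added C illustration that is not part of the bulletin and is not ATL code: a string field filled from a stream with no guaranteed terminator, next to a loader that always writes one. The field size, the memory layout and all function names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_CAP   8    /* assumed size of the string field */
#define ARENA_SIZE 24   /* string field plus the data that follows it */

/* Constructed layout: bytes 0..7 hold the string, bytes 8..23 hold
   unrelated data that a reader of the string should never see. */
static void arena_reset(char *arena)
{
    memset(arena, 0, ARENA_SIZE);
    memcpy(arena + NAME_CAP, "ADJACENT-DATA", 13);
}

/* Unsafe pattern: the write is bounded, but nothing guarantees a NUL. */
static void load_name_unsafe(char *arena, const char *src, size_t len)
{
    if (len > NAME_CAP) len = NAME_CAP;
    memcpy(arena, src, len);
}

/* Hardened pattern: keep room for the terminator and always write it. */
static int load_name_checked(char *arena, const char *src, size_t len)
{
    if (len >= NAME_CAP) return -1;   /* would fill the field with no NUL */
    memcpy(arena, src, len);
    arena[len] = '\0';
    return 0;
}

/* Bytes a C-string consumer reads from the field after one load. */
static size_t read_len(const char *src, size_t len, int checked, int *status)
{
    char arena[ARENA_SIZE];
    arena_reset(arena);
    *status = 0;
    if (checked) *status = load_name_checked(arena, src, len);
    else load_name_unsafe(arena, src, len);
    return strlen(arena);
}

int main(void)
{
    int st;
    size_t n = read_len("AAAAAAAA", 8, 0, &st);
    printf("unsafe : %zu bytes readable from an 8-byte field\n", n);
    n = read_len("AAAAAAAA", 8, 1, &st);
    printf("checked: %zu bytes readable, status %d\n", n, st);
    return 0;
}
```

An input that exactly fills the field leaves the unsafe loader's string running on into the adjacent bytes, while the checked loader refuses it and leaves the field empty.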

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================