Status Tracking Note JVNTR-2009-19

Microsoft Windows, Internet Explorer, and Active Template Library (ATL) Vulnerabilities (TA09-209A)

Overview

Microsoft has released out-of-band updates to address critical vulnerabilities in Microsoft Internet Explorer running on most supported versions of Windows. The updates also help mitigate attacks against ActiveX controls developed with vulnerable versions of the Microsoft Active Template Library (ATL).

Event Information

Date (UTC) Description
2009-07-30 20:47 US-CERT
Adobe Releases Shockwave Player Update and Flash Player Security Advisory
US-CERT Current Activity
Additionally, Adobe has released Flash Player 10.0.22.87 and 9.0.246.0 to address the ATL issue and additional vulnerabilities in Flash Player. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code.
2009-07-30 13:34 Adobe
APSB09-10: Security Updates available for Adobe Flash Player
Adobe recommends users of Adobe Flash Player 9.x and 10.x and earlier versions update to Adobe Flash Player 9.0.246.0 and 10.0.32.18. Adobe recommends users of Adobe AIR version 1.5.1 and earlier versions update to Adobe AIR 1.5.2.
2009-07-29 14:12 US-CERT
Adobe Releases Shockwave Player Update and Flash Player Security Advisory
US-CERT Current Activity
Adobe has released Shockwave Player 11.5.1.601 because previous versions used a vulnerable version of the Microsoft Active Template Library (ATL). Additionally, Adobe has released a security advisory to address the same issue in Flash Player. Exploitation of this vulnerability may allow an attacker to execute arbitrary code.
2009-07-29 04:44 JPCERT/CC
JPCERT-AT-2009-0014: Vulnerabilities in Microsoft ATL affect Multiple Products
2009-07-28 22:58 SANS Internet Storm Center
MS released two OOB bulletins and an advisory (Version: 2)
Microsoft has released two Out of Band (OOB) bulletins and one advisory.
2009-07-28 22:40 Microsoft
ms09-jul: Microsoft Security Bulletin Summary for July 2009 (out-of-band)
For the out-of-band security bulletins added to Version 2.0 of this bulletin summary, MS09-034 and MS09-035.
2009-07-28 21:56 US-CERT
TA09-209A: Microsoft Windows, Internet Explorer, and Active Template Library (ATL) Vulnerabilities
Via US-CERT Mailing List
2009-07-28 21:29 Microsoft
Microsoft Security Advisory (973882): Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution
Advisory published.
2009-07-28 18:00 Cisco Systems
cisco-sa-20090728-activex: Active Template Library (ATL) Vulnerability
Certain Cisco products that use Microsoft Active Template Libraries (ATL) and headers may be vulnerable to remote code execution. In some instances, the vulnerability may be exploited against Microsoft Internet Explorer to perform kill bit bypass. In order to exploit this vulnerability, an attacker must convince a user to visit a malicious web site.
2009-07-28 17:18 US-CERT
Microsoft Releases Two Out-of-Band Security Bulletins and a Security Advisory
US-CERT Current Activity
Microsoft has released two out-of-band security bulletins. The first bulletin, MS09-034, is a cumulative security update for Internet Explorer that addresses several vulnerabilities. These vulnerabilities may allow a remote attacker to execute arbitrary code. The second bulletin, MS09-035, addresses vulnerabilities in the Visual Studio Active Template Library (ATL). Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code.
2009-07-28 17:15 Symantec
ThreatCON (2) => (2)
Microsoft has released two out-of-band security bulletins, MS09-034 and MS09-035, that address vulnerabilities in the Visual Studio Active Template Library (ATL) and Internet Explorer. Users should apply patches immediately.
2009-07-28 10:10 Adobe
APSA09-04: Security advisory for Adobe Flash Player
Adobe Flash Player 9.0.159.0 and 10.0.22.87, and earlier 9.x and 10.x versions installed on Windows operating systems for use with Internet Explorer leverage a vulnerable version of the Microsoft Active Template Library (ATL) described in Microsoft Security Advisory (973882).
2009-07-28 10:10 Adobe
APSB09-11: Security Update available for Shockwave Player
Adobe Shockwave Player 11.5.0.600 and earlier versions on Windows leverage a vulnerable version of the Microsoft Active Template Library (ATL) described in Microsoft Security Advisory (973882).
2009-07-24 23:45 Microsoft
ms09-jul: Microsoft Security Bulletin Advance Notification for July 2009 (out-of-band)
This is an advance notification of two out-of-band security bulletins that Microsoft is intending to release on July 28, 2009. One bulletin will be for the Microsoft Visual Studio product line; application developers should be aware of updates available affecting certain types of applications. The second bulletin contains defense-in-depth changes to Internet Explorer to address attack vectors related to the Visual Studio bulletin, as well as fixes for unrelated vulnerabilities that are rated Critical. Customers who are up to date on their security updates are protected from known attacks related to this out-of-band release.
2009-07-24 23:33 SANS Internet Storm Center
Microsoft Out of Band Patch
Several readers have pointed out that Microsoft has provided notification of an Out-of-Band patch to be released this coming Tuesday, July 28th.
2009-05-06 iDefense
Microsoft Internet Explorer HTML TIME 'ondatasetcomplete' Use After Free Vulnerability
Memory Corruption Vulnerability (CVE-2009-1917, MS09-034)
Vulnerability Reported
The vulnerability occurs when the 'ondatasetcomplete' event method of a timeChildren object is referenced. If this occurs when the object is in an inconsistent state, a heap chunk will be freed, and then reused after being freed. This results in an uninitialized VTABLE being used, which can result in the execution of arbitrary code when the pointer is dereferenced.
2009-04-28 Zero Day Initiative (ZDI)
ZDI-09-048: Microsoft Internet Explorer CSS Behavior Memory Corruption Vulnerability
Uninitialized Memory Corruption Vulnerability (CVE-2009-1919, MS09-034)
Vulnerability Reported
The specific flaw exists when accessing embedded style sheets within an HTML file. When modifying the properties of rules defined in the style, the behavior element is improperly processed, resulting in a memory corruption which can be further leveraged to execute arbitrary code under the context of the current user.
2009-04-28 Zero Day Initiative (ZDI)
ZDI-09-047: Microsoft Internet Explorer getElementsByTagName Memory Corruption Vulnerability
HTML Objects Memory Corruption Vulnerability (CVE-2009-1918, MS09-034)
Vulnerability Reported
The specific flaw exists in the appending of elements to an invalid object. When appending malformed elements to an empty DIV element, memory corruption can occur. A properly constructed web page can result in remote code execution under the context of the current user.
2008-12-05 iDefense
Multiple Vendor Microsoft ATL/MFC ActiveX Security Bypass Vulnerability
ATL COM Initialization Vulnerability (CVE-2009-2493, MS09-035, MS09-037)
Vulnerability Reported
Exploitation of this vulnerability allows an attacker to bypass security checks (such as kill-bits in Internet Explorer). Successful exploitation would require the attacker to convince his or her victim to visit a specially crafted Web page leveraging the vulnerability. While there is no way to forcibly make a victim visit a website, exploitation may occur through normal Web browsing.
2008-12-05 iDefense
Multiple Vendor Microsoft ATL/MFC ActiveX Information Disclosure Vulnerability
ATL Null String Vulnerability (CVE-2009-2495, MS09-035)
Vulnerability Reported
Depending upon certain characteristics of an OLE component designed with the Microsoft ATL, it is possible to read arbitrary memory inside the Internet Explorer process. By loading a vulnerable ActiveX control and passing in specially crafted persistent storage data, an attacker can cause a string to be read in without being properly NULL terminated. After the object is initialized, the attacker may read the data using JavaScript. Since the string functions rely on NULL termination to keep track of the end of the string, the attacker may read into the next chunk of memory, continuing until two NULL bytes are encountered.

Reference

Date first published (UTC): 2009-07-31T22:03+00:00
Date last updated (UTC): 2009-08-23T23:08+00:00