Информационная безопасность
[RU] switch to English


Многочисленные уязвимости в библиотеке Microsoft Active Template Library (ATL)
дополнено с 29 июля 2009 г.
Опубликовано:13 октября 2009 г.
Источник:
SecurityVulns ID:10106
Тип:библиотека
Уровень опасности:
9/10
Описание:Повреждения памяти, утечка информации, проблема с инициализацией, приводящие к обходу проверки kill-bit.
Затронутые продукты:MICROSOFT : Windows 2000 Server
 MICROSOFT : Windows 2000 Professional
 MICROSOFT : Windows XP
 MICROSOFT : Windows 2003 Server
 MICROSOFT : Windows Vista
 MICROSOFT : Windows 2008 Server
CVE:CVE-2009-2495 (The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold and SP1, and Visual C++ 2005 SP1 and 2008 Gold and SP1 does not properly enforce string termination, which allows remote attackers to obtain sensitive information via a crafted HTML document with an ATL (1) component or (2) control that triggers a buffer over-read, related to ATL headers and buffer allocation, aka "ATL Null String Vulnerability.")
 CVE-2009-2493 (The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold and SP1, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2; does not properly restrict use of OleLoadFromStream in instantiating objects from data streams, which allows remote attackers to execute arbitrary code via a crafted HTML document with an ATL (1) component or (2) control, related to ATL headers and bypassing security policies, aka "ATL COM Initialization Vulnerability.")
 CVE-2009-0901 (The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2; does not prevent VariantClear calls on an uninitialized VARIANT, which allows remote attackers to execute arbitrary code via a malformed stream to an ATL (1) component or (2) control, related to ATL headers and error handling, aka "ATL Uninitialized Object Vulnerability.")
Оригинальный текстdocumentMICROSOFT, Microsoft Security Bulletin MS09-055 - Critical Cumulative Security Update of ActiveX Kill Bits (973525) (13.10.2009)
 documentMICROSOFT, Microsoft Security Bulletin MS09-055 - Critical Cumulative Security Update of ActiveX Kill Bits (973525) (13.10.2009)
 documentIDEFENSE, iDefense Security Advisory 07.28.09: Multiple Vendor Microsoft ATL/MFC ActiveX Security Bypass Vulnerability (20.08.2009)
 documentIDEFENSE, iDefense Security Advisory 07.28.09: Multiple Vendor Microsoft ATL/MFC ActiveX Information Disclosure Vulnerability (20.08.2009)
 documentIDEFENSE, iDefense Security Advisory 08.11.09: Multiple Vendor Microsoft ATL/MFC ActiveX Type Confusion Vulnerability (20.08.2009)
 documentMICROSOFT, Microsoft Security Bulletin MS09-037 - Critical Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908) (11.08.2009)
 documentCISCO, Cisco Security Advisory: Active Template Library (ATL) Vulnerability (29.07.2009)
 documentCERT, US-CERT Technical Cyber Security Alert TA09-209A -- Microsoft Windows, Internet Explorer, and Active Template Library (ATL) Vulnerabilities (29.07.2009)
 documentMICROSOFT, Microsoft Security Bulletin MS09-035 - Moderate Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706) (29.07.2009)
Файлы:Microsoft Security Bulletin MS09-037 - Critical Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908)
 Microsoft Security Bulletin MS09-060 - Critical Vulnerabilities in Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office Could Allow Remote Code Execution (973965)
 Microsoft Security Bulletin MS09-035 - Moderate Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706)
 Microsoft Security Bulletin MS09-055 - Critical Cumulative Security Update of ActiveX Kill Bits (973525)

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород