CERT-MU :Vulnerability

Home | Search | FAQ | Site Map | Contact Us

|| Hotline : 800 2378 || To contact CERT-MU send e-mail on --> info[at]cert-mu.gov.mu || To report incident e-mail on --> incident[at]cert-mu.gov.mu || To report Vulnerabilities send e-mail on --> Vulnerability[at]cert-mu.gov.mu ||

Charter & Mission

CERT-MU Services

Constituency

Authority

Incident Reporting

Vulnerability Reporting

Incident Statistics Forms

Vol. 2, Feb 2012

Vol. 1, Oct 2011

World CERTs

Security Sites

Security Tools

Antivirus Resources

Email Abuse

Network Abuse

Anti-Spam Initiative

Cyber Security Portal

Safer Internet Day

Computer Security Day

National Computer Board

Authorized to use CERT(TM) - CERT is a mark owned by Carnegie Mellon University

CERT-MU Vulnerability Note VN-2009-19

Microsoft Visual Studio Active Template Library (ATL) Multiple Vulnerabilities

Original Issue Date: July 29, 2009

Severity Rating: Medium

Affected Softwares

Microsoft Visual Studio .NET 2003 Service Pack 1
Microsoft Visual Studio 2005 Service Pack 1
Microsoft Visual Studio 2005 Service Pack 1 64-bit Hosted Visual C++ Tools
Microsoft Visual Studio 2008
Microsoft Visual Studio 2008 Service Pack 1
Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package
Microsoft Visual C++ 2008 Redistributable Package
Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package

Overview

Multiple vulnerabilities have been reported in Microsoft Active Template Library (ATL). Successful exploitation of these vulnerabilities could allow an attacker to execute an arbitrary code and take complete control of the affected system or cause the Information disclosure.

Overview

Multiple vulnerabilities have been reported in Opera, which can be exploited by an attacker to execute arbitrary code or conduct cross-site scripting attacks.

Description

Microsoft Active Template Library (ATL) Header Code Execution Vulnerability (CVE-2009-0901)

This is a remote code execution vulnerability exists due to an error in ATL headers which allow an attacker to call the VariantClear function on an improperly initialized variant. A remote attacker could exploit this vulnerability to execute arbitrary code on the system.
Microsoft Active Template Library (ATL) COM Initialization Vulnerability (CVE-2009-2493)

This is a remote code execution vulnerability exists due to an error in ATL headers when handling object instantiation from data streams related to unsafe usage of OleLoadFromStream function. A remote attacker could exploit this vulnerability to execute arbitrary code on the system.
Microsoft Active Template Library (ATL) Null String Information Disclosure Vulnerability (CVE-2009-2495)

This vulnerability is caused due to an error in Microsoft ATL that allows reading a string without terminating null bytes. A remote attacker could obtain sensitive information by reading beyond end of string.

Note: Microsoft has released security advisory (Microsoft security advisory 973822) to provide information about Active Template Library (ATL) vulnerabilities and guidance to developer, IT professional/ consumer and home users.