CERT-MU :Vulnerability

Home | Search | FAQ | Site Map | Contact Us

|| Hotline : 800 2378 || To contact CERT-MU send e-mail on --> info[at]cert-mu.gov.mu || To report incident e-mail on --> incident[at]cert-mu.gov.mu || To report Vulnerabilities send e-mail on --> Vulnerability[at]cert-mu.gov.mu ||

Charter & Mission

CERT-MU Services

Constituency

Authority

Incident Reporting

Vulnerability Reporting

Incident Statistics Forms

Vol. 2, Feb 2012

Vol. 1, Oct 2011

World CERTs

Security Sites

Security Tools

Antivirus Resources

Email Abuse

Network Abuse

Anti-Spam Initiative

Cyber Security Portal

Safer Internet Day

Computer Security Day

National Computer Board

Authorized to use CERT(TM) - CERT is a mark owned by Carnegie Mellon University

CERT-MU Vulnerability Note VN-2009-27

Multiple Vulnerabilities in Microsoft Office Active Template Library

Original Issue Date: October 15, 2009

Severity Rating: High

Affected Softwares

Microsoft Outlook 2002 Service Pack 3
Microsoft Office Outlook 2003 Service Pack 3
Microsoft Office Outlook 2007 Service Pack 1 and Microsoft Office Outlook 2007 Service Pack 2
Microsoft Visio 2002 Viewer
Microsoft Office Visio 2003 Viewer
Microsoft Office Visio Viewer 2007, Microsoft Office Visio Viewer 2007 Service Pack 1, and Microsoft Office Visio Viewer 2007 Service Pack 2

Overview

Multiple vulnerabilities have been reported in Microsoft Office Active Template Library (ATL) . Successful exploitation of these vulnerabilities could either disclose information or run an arbitrary code in user's context and provide complete control of the affected system.

Description

The Active Template Library (ATL) is a set of template-based C++ classes that let the user to create small, fast Component Object Model (COM) objects. It has special support for key COM features, including stock implementations, dual interfaces, standard COM enumerator interfaces, connection points, tear-off interfaces, and ActiveX controls.

ATL Uninitialized Object Vulnerability

This is a remote code execution vulnerability which is caused due to an issue in the ATL headers that could allow an attacker to call ‘VariantClear()' on a variant that has not been correctly initialized. For developers who created a component or control using ATL in this manner, the resulting component or control could allow remote code execution in logged on user's context.

The attacker could exploit these vulnerabilities by creating specially crafted Web site and then persuade a user to visit it. Successful exploitation of this vulnerability could provide complete control of the affected system.

Note: This vulnerability only directly affects systems with vulnerable components and controls installed that were built using affected versions of Microsoft's ATL.
ATL COM Initialization Vulnerability

This is a remote code execution vulnerability which is caused due to issues in the ATL headers that handle instantiation of an object from data streams. For components and controls built using ATL, unsafe usage of ‘OleLoadFromStream' could allow the instantiation of arbitrary objects which can bypass certain related security policies.

This vulnerability could allow remote code execution if the user visits a specially crafted Web page with Internet Explorer, instantiating a vulnerable component or control. An attacker who successfully exploited this vulnerability could gain the rights of the logged-on user and take complete control of an affected system.

Note: This vulnerability only directly affects systems with components and controls installed that were built using Visual Studio ATL.
ATL Null String Vulnerability

This is an information disclosure vulnerability which is caused from an issue in the ATL headers that could allow a string to be read with no ending NULL bytes. An attacker could manipulate this string to read extra data beyond the end of the string and thus disclose information in memory.

An attacker who successfully exploited this vulnerability could run a malicious component or control that could disclose information; forward user data to a third party, or access any data on the affected systems that was accessible to the logged-on user.

Note: This vulnerability only directly affects systems with components and controls installed that were built using Visual Studio ATL.

Workarounds
- Do not open or save Microsoft Office files received from untrusted sources
Solution

Apply appropriate updates as mentioned in the Microsoft Security Bulletin MS09-060

Note: Microsoft recommends that users of Microsoft Visio Viewer 2002 and Microsoft Visio Viewer 2003 upgrade to Microsoft Office Visio Viewer 2007 Service Pack 2 and apply respective patch for it.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/bulletin/ms09-060.mspx

CVE Name
CVE-2009-3459

References

Secunia
http://secunia.com/advisories/37005/

SecurityFocus
http://www.securityfocus.com/bid/35832
http://www.securityfocus.com/bid/35828
http://www.securityfocus.com/bid/35830

SecurityTracker
http://securitytracker.com/alerts/2009/Jul/1022610.html

Cisco
http://tools.cisco.com/security/center/viewAlert.x?alertId=18725
http://tools.cisco.com/security/center/viewAlert.x?alertId=18726
http://tools.cisco.com/security/center/viewAlert.x?alertId=18727

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.