2 New Security Bulletins and AdvisoriesNew Security Bulletins and Advisories –1 New Security Advisory –1 New Critical Bulletin –1 New Moderate Bulletin Other Security ResourcesOther Security Resources –Detection and Deployment –Links Contact InformationContact Information
MS Internet Explorer Internet Explorer on Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008 MS Visual Studio Microsoft Visual Studio.NET 2003, Microsoft Visual Studio 2005, Microsoft Visual Studio 2008, Microsoft Visual C , Microsoft Visual C
Title & KB Article: Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution Affected Software: All controls and components created using vulnerable Active Template LibraryAll controls and components created using vulnerable Active Template Library Purpose of Advisory: This advisory provides customers with Workarounds, Mitigating Factors, and Suggested Actions for the publicly disclosed vulnerabilities that are discussed Security Bulletins MS09-032, MS09-034, and MS09-035This advisory provides customers with Workarounds, Mitigating Factors, and Suggested Actions for the publicly disclosed vulnerabilities that are discussed Security Bulletins MS09-032, MS09-034, and MS ATL Information: The Active Template Library (ATL) is a set of template-based C++ classes that lets you create small, fast Component Object Model (COM) objects. ATL has special support for key COM features, including stock implementations, dual interfaces, standard COM enumerator interfaces, connection points, tear-off interfaces, and ActiveX controls. ATL Vulnerability: The issue is caused in some cases by the way ATL is used, and in other cases by the ATL code itself. In these cases, data streams may be handled incorrectly, which can lead to memory corruption, information disclosure, and instantiation of objects without regard to security policy.The issue is caused in some cases by the way ATL is used, and in other cases by the ATL code itself. In these cases, data streams may be handled incorrectly, which can lead to memory corruption, information disclosure, and instantiation of objects without regard to security policy.
Title & KB Article: Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706) Affected Software: Visual Studio.NET 2003 SP1Visual Studio.NET 2003 SP1 Visual Studio 2005 SP1 and Visual Studio 2005 SP1 64-bit Hosted Visual C++ ToolsVisual Studio 2005 SP1 and Visual Studio 2005 SP1 64-bit Hosted Visual C++ Tools Visual Studio 2008 and Visual Studio 2008 SP1Visual Studio 2008 and Visual Studio 2008 SP1 Visual C SP1 Redistributable PackageVisual C SP1 Redistributable Package Visual C and Visual C SP1 Redistributable PackageVisual C and Visual C SP1 Redistributable Package Replaced Updates: NoneNone Vulnerabilities: CVE | ATL Uninitialized Object Vulnerability CVE | ATL Uninitialized Object Vulnerability CVE | ATL COM Initialization Vulnerability CVE | ATL COM Initialization Vulnerability CVE | ATL Null String Vulnerability CVE | ATL Null String Vulnerability Publicly Disclosed / and/or Exploited: These vulnerabilities have not been publicly disclosed prior to releaseThese vulnerabilities have not been publicly disclosed prior to release These vulnerabilities have not been exploited in the wild at releaseThese vulnerabilities have not been exploited in the wild at release Exploitability Index: __ 1 - Consistent exploit code likely | __ 2 - Inconsistent exploit code likely | __ 3 - Functioning exploit code unlikely
Vulnerability Summary: A remote code execution vulnerability exists in the Microsoft Active Template Library (ATL) due to an issue in the ATL headers that could allow an attacker to force VariantClear to be called on a VARIANT that has not been correctly initialized. Because of this, the attacker can control what happens when VariantClear is called during handling of an error by supplying a corrupt stream. This vulnerability only directly affects systems with components and controls installed that were built using Visual Studio ATL. This issue could allow a remote, unauthenticated user to perform remote code execution on an affected system.A remote code execution vulnerability exists in the Microsoft Active Template Library (ATL) due to an issue in the ATL headers that could allow an attacker to force VariantClear to be called on a VARIANT that has not been correctly initialized. Because of this, the attacker can control what happens when VariantClear is called during handling of an error by supplying a corrupt stream. This vulnerability only directly affects systems with components and controls installed that were built using Visual Studio ATL. This issue could allow a remote, unauthenticated user to perform remote code execution on an affected system. Attack Vectors: Maliciously Crafted Web PageMaliciously Crafted Web Page Mitigations: By default, Visual Studio as a product is not vulnerable to this issue. Instead, components and controls built with the vulnerable versions of ATL may be vulnerableBy default, Visual Studio as a product is not vulnerable to this issue. Instead, components and controls built with the vulnerable versions of ATL may be vulnerable Mitigating factors and Workarounds for potentially vulnerable components and controls are located in Microsoft Security Advisory (973882)Mitigating factors and Workarounds for potentially vulnerable components and controls are located in Microsoft Security Advisory (973882) Workaround:
Vulnerability Summary: A remote code execution vulnerability exists in the Microsoft Active Template Library (ATL) due to issues in the ATL headers that handle instantiation of an object from data streams. This vulnerability only directly affects systems with components and controls installed that were built using Visual Studio ATL. For components and controls built using ATL, unsafe usage of OleLoadFromStream could allow the instantiation of arbitrary objects which can bypass related security policy, such as kill bits within Internet Explorer.A remote code execution vulnerability exists in the Microsoft Active Template Library (ATL) due to issues in the ATL headers that handle instantiation of an object from data streams. This vulnerability only directly affects systems with components and controls installed that were built using Visual Studio ATL. For components and controls built using ATL, unsafe usage of OleLoadFromStream could allow the instantiation of arbitrary objects which can bypass related security policy, such as kill bits within Internet Explorer. Attack Vectors: Maliciously Crafted Web PageMaliciously Crafted Web Page Mitigations: By default, Visual Studio as a product is not vulnerable to this issue. Instead, components and controls built with the vulnerable versions of ATL may be vulnerableBy default, Visual Studio as a product is not vulnerable to this issue. Instead, components and controls built with the vulnerable versions of ATL may be vulnerable Mitigating factors and Workarounds for potentially vulnerable components and controls are located in Microsoft Security Advisory (973882)Mitigating factors and Workarounds for potentially vulnerable components and controls are located in Microsoft Security Advisory (973882) Workaround:
Vulnerability Summary: An information disclosure vulnerability exists in the Microsoft Active Template Library (ATL) that could allow a string to be read without a terminating NULL character. An attacker could manipulate this string to read extra data beyond the end of the string and thus disclose information in memory.An information disclosure vulnerability exists in the Microsoft Active Template Library (ATL) that could allow a string to be read without a terminating NULL character. An attacker could manipulate this string to read extra data beyond the end of the string and thus disclose information in memory. Attack Vectors: Maliciously Crafted Web PageMaliciously Crafted Web Page Mitigations: By default, Visual Studio as a product is not vulnerable to this issue. Instead, components and controls built with the vulnerable versions of ATL may be vulnerableBy default, Visual Studio as a product is not vulnerable to this issue. Instead, components and controls built with the vulnerable versions of ATL may be vulnerable Mitigating factors and Workarounds for potentially vulnerable components and controls are located in Microsoft Security Advisory (973882)Mitigating factors and Workarounds for potentially vulnerable components and controls are located in Microsoft Security Advisory (973882) Workaround:
Affected Platform Windows Update Microsoft Update MBSA 2.1 WSUS 3.0 WSUS 3.0 SMS SUSFP SMS ITMU SCCM 2007 Visual Studio.NET 2003 NoNoNoNoYesNoNo Visual Studio 2005 NoYesYesYesNoYesYes Visual Studio bit Hosted Visual C++ Tools NoYesYesYesNoYesYes Visual Studio 2008 NoYesYesYesNoYesYes Visual C Redistributable Package NoYesYesYesNoYesYes Visual C Redistributable Package NoYesYesYesNoYesYes
Restart Requirement: You MUST restart your system after you apply this security updateYou MUST restart your system after you apply this security update Installation and Removal: Use Add / Remove Programs tool in Control PanelUse Add / Remove Programs tool in Control Panel More Information: For more Information, please review these links: Microsoft Security Bulletin MS Microsoft Knowledge Base Article (969706)
Title & KB Article: Cumulative Security Update for Internet Explorer (972260) Affected Software: IE 5.01 and IE 6 SP1 on Windows 2000 (All Supported Versions)IE 5.01 and IE 6 SP1 on Windows 2000 (All Supported Versions) IE 6.0, IE 7, and IE 8 on Windows XP (All Supported Versions)IE 6.0, IE 7, and IE 8 on Windows XP (All Supported Versions) IE 6.0, IE 7, and IE 8 on Windows Server 2003 (All Supported Versions)IE 6.0, IE 7, and IE 8 on Windows Server 2003 (All Supported Versions) IE 7 and IE 8 on Windows Vista (All Supported Versions)IE 7 and IE 8 on Windows Vista (All Supported Versions) IE 7 and IE 8 on Windows Server 2008 (All Supported Versions)IE 7 and IE 8 on Windows Server 2008 (All Supported Versions) Replaced Updates: MS09-019MS Vulnerabilities: CVE | Memory Corruption Vulnerability CVE | Memory Corruption Vulnerability CVE | HTML Objects Memory Corruption Vulnerability CVE | HTML Objects Memory Corruption Vulnerability CVE | Uninitialized Memory Corruption Vulnerability CVE | Uninitialized Memory Corruption Vulnerability Publicly Disclosed / and/or Exploited: These vulnerabilities have not been publicly disclosed prior to releaseThese vulnerabilities have not been publicly disclosed prior to release These vulnerabilities have not been exploited in the wild at releaseThese vulnerabilities have not been exploited in the wild at release Exploitability Index: __ 1 - Consistent exploit code likely | __ 2 - Inconsistent exploit code likely | __ 3 - Functioning exploit code unlikely
Summary: As a defense-in-depth measure, this Internet Explorer security update helps mitigate known attack vectors within Internet Explorer for those components and controls that have been developed with vulnerable versions of ATL.As a defense-in-depth measure, this Internet Explorer security update helps mitigate known attack vectors within Internet Explorer for those components and controls that have been developed with vulnerable versions of ATL. : Defense-in-Depth Details: The first defense-in-depth measure is enabled by default and modifies how ATL-based ActiveX controls read persisted data. The first mitigation is a change to modify how ATL-based controls read persisted data by detecting specific call patterns that are problematic.The first defense-in-depth measure is enabled by default and modifies how ATL-based ActiveX controls read persisted data. The first mitigation is a change to modify how ATL-based controls read persisted data by detecting specific call patterns that are problematic. The second defense-in-depth measure is related to the first, but provides stronger protections and increases application compatibility risk. This defense- in-depth measure is disabled by default and offers the ability to regulate usage of IPersistStream* and IPersistStorage* interface implementations within individual controls.The second defense-in-depth measure is related to the first, but provides stronger protections and increases application compatibility risk. This defense- in-depth measure is disabled by default and offers the ability to regulate usage of IPersistStream* and IPersistStorage* interface implementations within individual controls. FEATURE_RESTRICT_OBJECT_DATA_ATTRIBUTE FEATURE_RESTRICT_OBJECT_DATA_ATTRIBUTE Additional Defense in Depth Mitigations and Workaround : By default, the majority of ActiveX controls are not included in the default allow-list for ActiveX controls in IE 7 or IE 8By default, the majority of ActiveX controls are not included in the default allow-list for ActiveX controls in IE 7 or IE 8 IE 8 offers enhanced protections by enabling DEP/NX memory protections by default for users on Windows XP SP3, Windows Vista SP1 and SP2, and Windows 7IE 8 offers enhanced protections by enabling DEP/NX memory protections by default for users on Windows XP SP3, Windows Vista SP1 and SP2, and Windows 7 IE 7 and IE 8 on Windows Vista and later operating systems run in Protected Mode by default in the Internet security zoneIE 7 and IE 8 on Windows Vista and later operating systems run in Protected Mode by default in the Internet security zone
Vulnerability Summary: 3 remote code execution vulnerabilities exist in the way Internet Explorer handles a memory object, handles table operations in specific situations, and accesses an object that has been deleted, which could allow an attacker to take complete control of an affected system if a user views a specially crafted Web page3 remote code execution vulnerabilities exist in the way Internet Explorer handles a memory object, handles table operations in specific situations, and accesses an object that has been deleted, which could allow an attacker to take complete control of an affected system if a user views a specially crafted Web page Attack Vectors: Maliciously Crafted Web PageMaliciously Crafted Web Page Mitigations: Users would have to be persuaded to visit a malicious web siteUsers would have to be persuaded to visit a malicious web site Exploitation only gains the same user rights as the logged on accountExploitation only gains the same user rights as the logged on account By default, all supported versions of Microsoft Outlook and Microsoft Outlook Express open HTML messages in the Restricted Sites zoneBy default, all supported versions of Microsoft Outlook and Microsoft Outlook Express open HTML messages in the Restricted Sites zone By default, IE on Windows 2003 and Windows 2008 runs in a restricted modeBy default, IE on Windows 2003 and Windows 2008 runs in a restricted mode IE 5.01 SP4 on Windows 2000 is not affected by CVE IE 5.01 SP4 on Windows 2000 is not affected by CVE Workaround: Set Internet and local Intranet settings to High to prompt before running ActiveX and Active Scripting in these zonesSet Internet and local Intranet settings to High to prompt before running ActiveX and Active Scripting in these zones Configure IE to prompt before running ActiveX and Active ScriptingConfigure IE to prompt before running ActiveX and Active Scripting
*SMS SUSFP does not support Internet Explorer 7, Internet Explorer 8, Exchange Server 2007, Windows Media Player 11, Works 8.5 and 9.0, Office System 2007, OneNote 2007, Windows Vista, Windows Server 2008, or any Windows x64 or Windows ia64 systems Affected Platform Windows Update Microsoft Update MBSA 2.1 WSUS 3.0 WSUS 3.0 SMS SUSFP SMS ITMU SCCM 2007 Windows 2000 YesYesYesYesYesYesYes Windows XP YesYesYesYesYesYesYes Windows XP x64 YesYesYesYes No * YesYes Windows 2003 YesYesYesYesYesYesYes Windows 2003 x64 YesYesYesYes No * YesYes Windows 2003 ia64 YesYesYesYes No * YesYes Windows Vista YesYesYesYes No * YesYes Windows Vista x64 YesYesYesYes No * YesYes Windows 2008 YesYesYesYes No * YesYes Windows 2008 x64 YesYesYesYes No * YesYes Windows 2008 ia64 YesYesYesYes No * YesYes
Restart Requirement: You must restart your system after you apply this security updateYou must restart your system after you apply this security update Installation and Removal: Use Add / Remove Programs tool in Control PanelUse Add / Remove Programs tool in Control Panel Scriptable installation and removal supported (except Windows Vista and Windows Server 2008)Scriptable installation and removal supported (except Windows Vista and Windows Server 2008) More Information: For more Information, please review these links: Microsoft Security Bulletin MS Microsoft Knowledge Base Article (972260)
YesYesYesYes Yes 1 YesYes NoYesYesYes No 1 YesYes 1.SMS SUSFP does not support Internet Explorer 7, Internet Explorer 8, Office System 2007, Works 8.5 & 9.0, ISA 2006, DirectX, Virtual PC and Virtual Server, Windows Vista, Windows Server 2008, or any Windows x64 or Windows ia64 systems 2.Windows Update only supports native Windows Security Update packages
ATL Issue Landing Page | Issue Landing Page | Security Bulletin MS | Bulletin MS | Knowledge Base Article (972260) | Knowledge Base Article (972260) | Security Bulletin MS | Bulletin MS | Knowledge Base Article (969706) | Knowledge Base Article (969706) | Security Advisory | Advisory | Knowledge Base Article (973882) | Knowledge Base Article (973882) | MSDN ATL Guidance | ATL Guidance | ICASI / Verizon Business ATL Scan Tool | / Verizon Business ATL Scan Tool | The Microsoft Security Response Center (MSRC) Blog | Microsoft Security Response Center (MSRC) Blog | Security Research & Defense Blog | Research & Defense Blog | The Security Development Lifecycle Blog | Security Development Lifecycle Blog |
Bulletins Links: Bulletins Links: Security Bulletins Search Security Bulletins Search Security Advisories Security Advisories Microsoft Security Bulletin Summary for July 2009 Microsoft Security Bulletin Summary for July Supplemental updated monthly reference articles: Supplemental updated monthly reference articles: KB Detection and deployment guidance for Microsoft Security Updates KB Detection and deployment guidance for Microsoft Security Updates KB Description of Software Update Services and Windows Server Update Services changes in content for KB Description of Software Update Services and Windows Server Update Services changes in content for New, Revised, and Rereleased Updates for Microsoft Products other than Microsoft Windows New, Revised, and Rereleased Updates for Microsoft Products other than Microsoft Windows KB The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Vista, Windows Server 2003, Windows XP, or Windows KB The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Vista, Windows Server 2003, Windows XP, or Windows Blogs: Blogs: MSRC Blog MSRC Blog SRD Team Blog SRD Team Blog MSRC Ecosystem Strategy Team MSRC Ecosystem Strategy Team MMPC Team Blog MMPC Team Blog