HP has released a security bulletin and updated software to address the Microsoft Active Template Library null string information disclosure vulnerability.
Description
Microsoft Visual Studio 2005 and Visual Studio 2008 contain an information disclosure vulnerability that could allow an unauthenticated, remote attacker to view arbitrary files on an affected system.
The vulnerability is due to errors in the Active Template Library (ATL), which is redistributable into ActiveX controls. Therefore, this vulnerability can affect ActiveX components that are built using vulnerable versions of Visual Studio. An unauthenticated, remote attacker could exploit this issue by constructing a malicious web page and convincing users to visit that page. If a user has an installed ActiveX component that uses an affected method from the vulnerable ATL codebase, the attacker could exploit this vulnerability to view any file on the system that the user can access.
Microsoft has confirmed this vulnerability in a security bulletin and released software updates.
Warning Indicators
The following Microsoft Visual Studio products contain vulnerable ATL code. ActiveX controls that are built using these products may include vulnerable methods:
Visual Studio .NET 2003 Service Pack 1
Visual Studio 2005 Service Pack 1
Visual Studio 2005 Service Pack 1 64-bit Hosted Visual C++ Tools
Visual Studio 2008
Visual Studio 2008 Service Pack 1
Visual C++ 2005 Service Pack 1 Redistributable Package
Visual C++ 2008 Redistributable Package
Visual C++ 2008 Service Pack 1 Redistributable Package
IntelliShield Analysis
This vulnerability primarily concerns developers of components and controls, because it is a vulnerability included in public libraries that are distributed in Microsoft Visual Studio. Developers of software that include ATL code may have introduced this vulnerability into their software. Developers are encouraged to contact the Microsoft Developer Network for more information on how to identify vulnerable code and take corrective action for their software.
Microsoft corrected this vulnerability by correctly enforcing buffer allocation. Updated versions of the ATL are available for developers to use with their software.
Vendor Announcements
Microsoft has released a security bulletin at the following link: MS09-035 and MS09-060
Attachmate has released release notes at the following links: 2471 and 2446
F5 Networks has released a security advisory for registered users at the following link: SOL10441
IBM has released a security alert at the following link: CVE-2009-2495
HP has released a security bulletin c01997644 at the following link: HPSBMA02488 SSRT100013
Sun has released an alert notification at the following link: 264648
US-CERT has released a vulnerability note at the following link: VU#456745
Impact
An unauthenticated, remote attacker could exploit this vulnerability to view files on a user's system. If the user has increased privileges on an affected system, the attacker may be able to disclose significant amounts of information.
Technical Information
The vulnerability exists in the Visual Studio ATL. Components and controls that were built using a vulnerable ATL may contain this vulnerability and should be rebuilt using a corrected version of this software. This vulnerability allows a string to be read with no ending null bytes. An attacker could exploit this condition to read data beyond the end of the string, disclosing the contents of memory. Exploitation involves loading a vulnerable ActiveX control and then passing it persistent data. This data can include strings that are not null terminated, allowing the attacker to use JavaScript to read chunks of memory in the affected application beyond the end of the specified string.
An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to view a malicious website. Successful exploitation could allow the attacker to view memory contents and access data that is available to the user.
The Industry Consortium for Advancement of Security on the Internet (ICASI) is collaborating with a third party to offer a scanning service to help developers identify potential vulnerabilities in their code. More information is available at the following link: ICASI
Safeguards
Administrators are advised to apply the appropriate updates.
Developers are encouraged to correct vulnerable software that may include the affected ATL code.
Additional safeguards are available in Microsoft Security Advisory 973882.
Patches/Software
Microsoft customers can obtain updates directly by using the links in the security bulletin. These updates are also distributed by Windows automatic update features and available on the Windows Update website. Microsoft Windows Server Update Services (WSUS), Systems Management Server, and System Center Configuration Manager can assist administrators in deploying software updates.
Adobe has released updated software at the following links:
Version 10, March 23, 2010, 8:52 AM: F5 Networks has released a security advisory and updated software to address the Microsoft Active Template Library null string information disclosure vulnerability.
Version 9, October 13, 2009, 2:57 PM: Microsoft has released an additional security bulletin and software updates to address the Microsoft Active Template Library null string information disclosure vulnerability in Microsoft Outlook and the Visio Viewer.
Version 8, October 9, 2009, 4:14 PM: Attachmate has released two lists of changes and updated software to address the Microsoft Active Template Library null string information disclosure vulnerability.
Version 7, August 27, 2009, 1:03 PM: IBM has released a security alert to address the Microsoft Active Template Library null string information disclosure vulnerability.
Version 6, August 20, 2009, 6:06 PM: Additional technical information is available regarding the Microsoft Active Template Library null string information disclosure vulnerability.
Version 5, August 6, 2009, 8:05 AM: Sun has released an alert notification and updated software to address the Microsoft Active Template Library null string information disclosure vulnerability.
Version 4, August 3, 2009, 1:49 PM: Adobe has re-released a security advisory and updated software to address the Microsoft Active Template Library null string information disclosure vulnerability.
Version 3, July 31, 2009, 9:51 AM: Adobe has released an additional security advisory and updated software to address the Microsoft Active Template Library null string information disclosure vulnerability.
Version 2, July 29, 2009, 5:19 PM: Adobe has released two security advisories and updated software to address the Microsoft Active Template Library null string information disclosure vulnerability. Additional technical information is also available.
Version 1, July 28, 2009, 2:29 PM: Microsoft Visual Studio contains an information disclosure vulnerability in the Active Template Library. ActiveX controls that include this library may be vulnerable. Patches are available.
The security vulnerability applies to the following combinations of products.
Primary Products:
Microsoft, Inc.
Visual C++
Original Release Base
Microsoft, Inc.
Visual Studio
.NET 2003 Base, SP1 | 2005 Base, SP1 | 2008 Base
Associated Products:
Adobe
Acrobat Professional
9.0 .0 | 9.1 .0, .1, .2
Adobe
Acrobat Professional Extended
9.0 .0 | 9.1 .0, .1, .2
Adobe
Acrobat Reader
9.1 .0, .1, .2
Adobe
Acrobat Standard
9.0 .0 | 9.1 .0, .1, .2
Adobe
Adobe Flash Player
10.0 .12.36 | 10.0.22.87 Base | 9.0.115.0 Base | 9.0.124.0 Base | 9.0.151.0 Base | 9.0.159.0 Base | 9.0.16.0 Base | 9.0.20.0 Base | 9.0.45.0 Base | 9.0.47.0 Base | 9.0.48.0 Base
Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the
Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service.
This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment. Cisco is pleased to offer a free trial of the service.
To register for full access, please visit the IntelliShield trial registration page.
LEGAL DISCLAIMER The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
