CVE-2009-0901

29.07.2009, 17:30

The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2; does not prevent VariantClear calls on an uninitialized VARIANT, which allows remote attackers to execute arbitrary code via a malformed stream to an ATL (1) component or (2) control, related to ATL headers and error handling, aka "ATL Uninitialized Object Vulnerability."

Code Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.8 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 99%

openSUSE / SLES Releases

openSUSE Product

Release

flash-player

suse enterprise desktop 12	11.2.202.406-1.3 fixed
suse enterprise desktop 12 SP1	11.2.202.548-111.1 fixed
suse enterprise sap 12	11.2.202.406-1.3 fixed
suse enterprise sap 12 SP1	11.2.202.548-111.1 fixed
suse enterprise server 12	11.2.202.406-1.3 fixed
suse enterprise server 12 SP1	11.2.202.548-111.1 fixed
suse enterprise workstation 12	11.2.202.406-1.3 fixed
suse enterprise workstation 12 SP1	11.2.202.548-111.1 fixed

flash-player-gnome

suse enterprise desktop 12	11.2.202.406-1.3 fixed
suse enterprise desktop 12 SP1	11.2.202.548-111.1 fixed
suse enterprise sap 12	11.2.202.406-1.3 fixed
suse enterprise sap 12 SP1	11.2.202.548-111.1 fixed
suse enterprise server 12	11.2.202.406-1.3 fixed
suse enterprise server 12 SP1	11.2.202.548-111.1 fixed
suse enterprise workstation 12	11.2.202.406-1.3 fixed
suse enterprise workstation 12 SP1	11.2.202.548-111.1 fixed

Common Weakness Enumeration

References

http://blogs.technet.com/srd/archive/2009/08/11/ms09-037-why-we-are-using-cve-s-already-used-in-ms09-035.aspx

http://marc.info/?l=bugtraq&m=126592505426855&w=2

http://secunia.com/advisories/35967

http://secunia.com/advisories/36187

http://secunia.com/advisories/36374

http://secunia.com/advisories/36746

http://sunsolve.sun.com/search/document.do?assetkey=1-66-266108-1

http://www.adobe.com/support/security/advisories/apsa09-04.html

http://www.adobe.com/support/security/bulletins/apsb09-10.html

http://www.adobe.com/support/security/bulletins/apsb09-11.html

http://www.adobe.com/support/security/bulletins/apsb09-13.html

http://www.novell.com/support/viewContent.do?externalId=7004997&sliceId=1

http://www.securityfocus.com/bid/35832

http://www.us-cert.gov/cas/techalerts/TA09-195A.html

http://www.us-cert.gov/cas/techalerts/TA09-223A.html

http://www.us-cert.gov/cas/techalerts/TA09-286A.html

http://www.vupen.com/english/advisories/2009/2034

http://www.vupen.com/english/advisories/2009/2232

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-035

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-037

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-060

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6289

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6311

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6373

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7581

http://blogs.technet.com/srd/archive/2009/08/11/ms09-037-why-we-are-using-cve-s-already-used-in-ms09-035.aspx

http://marc.info/?l=bugtraq&m=126592505426855&w=2

http://secunia.com/advisories/35967

http://secunia.com/advisories/36187

http://secunia.com/advisories/36374

http://secunia.com/advisories/36746

http://sunsolve.sun.com/search/document.do?assetkey=1-66-266108-1

http://www.adobe.com/support/security/advisories/apsa09-04.html

http://www.adobe.com/support/security/bulletins/apsb09-10.html

http://www.adobe.com/support/security/bulletins/apsb09-11.html

http://www.adobe.com/support/security/bulletins/apsb09-13.html

http://www.novell.com/support/viewContent.do?externalId=7004997&sliceId=1

http://www.securityfocus.com/bid/35832

http://www.us-cert.gov/cas/techalerts/TA09-195A.html

http://www.us-cert.gov/cas/techalerts/TA09-223A.html

http://www.us-cert.gov/cas/techalerts/TA09-286A.html

http://www.vupen.com/english/advisories/2009/2034

http://www.vupen.com/english/advisories/2009/2232

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-035

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-037

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-060

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6289

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6311

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6373

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7581