CVE-2009-2493

29.07.2009, 17:30

The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold and SP1, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2; does not properly restrict use of OleLoadFromStream in instantiating objects from data streams, which allows remote attackers to execute arbitrary code via a crafted HTML document with an ATL (1) component or (2) control, related to ATL headers and bypassing security policies, aka "ATL COM Initialization Vulnerability."

Code Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.8 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 97%

Affected Products (NVD)

Vendor	Product	Version
microsoft	windows_2000	*
microsoft	windows_2003_server	*
microsoft	windows_server_2008	*
microsoft	windows_server_2008	-
microsoft	windows_vista	*
microsoft	windows_vista	*
microsoft	windows_vista	-
microsoft	windows_xp	*
microsoft	windows_xp	*

𝑥

= Vulnerable software versions

openSUSE / SLES Releases

openSUSE Product

Release

flash-player

suse enterprise desktop 12	11.2.202.406-1.3 fixed
suse enterprise desktop 12 SP1	11.2.202.548-111.1 fixed
suse enterprise sap 12	11.2.202.406-1.3 fixed
suse enterprise sap 12 SP1	11.2.202.548-111.1 fixed
suse enterprise server 12	11.2.202.406-1.3 fixed
suse enterprise server 12 SP1	11.2.202.548-111.1 fixed
suse enterprise workstation 12	11.2.202.406-1.3 fixed
suse enterprise workstation 12 SP1	11.2.202.548-111.1 fixed

flash-player-gnome

suse enterprise desktop 12	11.2.202.406-1.3 fixed
suse enterprise desktop 12 SP1	11.2.202.548-111.1 fixed
suse enterprise sap 12	11.2.202.406-1.3 fixed
suse enterprise sap 12 SP1	11.2.202.548-111.1 fixed
suse enterprise server 12	11.2.202.406-1.3 fixed
suse enterprise server 12 SP1	11.2.202.548-111.1 fixed
suse enterprise workstation 12	11.2.202.406-1.3 fixed
suse enterprise workstation 12 SP1	11.2.202.548-111.1 fixed

Common Weakness Enumeration

References

http://blogs.technet.com/srd/archive/2009/08/11/ms09-037-why-we-are-using-cve-s-already-used-in-ms09-035.aspx

http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html

http://marc.info/?l=bugtraq&m=126592505426855&w=2

http://secunia.com/advisories/35967

http://secunia.com/advisories/36187

http://secunia.com/advisories/36374

http://secunia.com/advisories/36746

http://secunia.com/advisories/38568

http://secunia.com/advisories/41818

http://sunsolve.sun.com/search/document.do?assetkey=1-66-264648-1

http://sunsolve.sun.com/search/document.do?assetkey=1-66-266108-1

http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020775.1-1

http://www.adobe.com/support/security/advisories/apsa09-04.html

http://www.adobe.com/support/security/bulletins/apsb09-10.html

http://www.adobe.com/support/security/bulletins/apsb09-11.html

http://www.adobe.com/support/security/bulletins/apsb09-13.html

http://www.novell.com/support/viewContent.do?externalId=7004997&sliceId=1

http://www.openoffice.org/security/cves/CVE-2009-2493.html

http://www.us-cert.gov/cas/techalerts/TA09-195A.html

http://www.us-cert.gov/cas/techalerts/TA09-223A.html

http://www.us-cert.gov/cas/techalerts/TA09-286A.html

http://www.us-cert.gov/cas/techalerts/TA09-342A.html

http://www.vupen.com/english/advisories/2009/2034

http://www.vupen.com/english/advisories/2009/2232

http://www.vupen.com/english/advisories/2010/0366

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-035

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-037

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-055

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-060

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-072

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6245

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6304

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6421

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6473

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6621

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6716

http://blogs.technet.com/srd/archive/2009/08/11/ms09-037-why-we-are-using-cve-s-already-used-in-ms09-035.aspx

http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html

http://marc.info/?l=bugtraq&m=126592505426855&w=2

http://secunia.com/advisories/35967

http://secunia.com/advisories/36187

http://secunia.com/advisories/36374

http://secunia.com/advisories/36746

http://secunia.com/advisories/38568

http://secunia.com/advisories/41818

http://sunsolve.sun.com/search/document.do?assetkey=1-66-264648-1

http://sunsolve.sun.com/search/document.do?assetkey=1-66-266108-1

http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020775.1-1

http://www.adobe.com/support/security/advisories/apsa09-04.html

http://www.adobe.com/support/security/bulletins/apsb09-10.html

http://www.adobe.com/support/security/bulletins/apsb09-11.html

http://www.adobe.com/support/security/bulletins/apsb09-13.html

http://www.novell.com/support/viewContent.do?externalId=7004997&sliceId=1

http://www.openoffice.org/security/cves/CVE-2009-2493.html

http://www.us-cert.gov/cas/techalerts/TA09-195A.html

http://www.us-cert.gov/cas/techalerts/TA09-223A.html

http://www.us-cert.gov/cas/techalerts/TA09-286A.html

http://www.us-cert.gov/cas/techalerts/TA09-342A.html

http://www.vupen.com/english/advisories/2009/2034

http://www.vupen.com/english/advisories/2009/2232

http://www.vupen.com/english/advisories/2010/0366

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-035

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-037

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-055

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-060

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-072

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6245

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6304

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6421

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6473

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6621

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6716