CVE-2009-2493

29.07.2009, 17:30

The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold and SP1, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2; does not properly restrict use of OleLoadFromStream in instantiating objects from data streams, which allows remote attackers to execute arbitrary code via a crafted HTML document with an ATL (1) component or (2) control, related to ATL headers and bypassing security policies, aka "ATL COM Initialization Vulnerability."

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.3 UNKNOWN	NETWORK	MEDIUM		AV:N/AC:M/Au:N/C:C/I:C/A:C
microsoft	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 96%

Vendor	Product	Version
microsoft	windows_2000	*
microsoft	windows_2003_server	*
microsoft	windows_server_2008	*
microsoft	windows_server_2008	-
microsoft	windows_vista	*
microsoft	windows_vista	*
microsoft	windows_vista	-
microsoft	windows_xp	*
microsoft	windows_xp	*

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-264 -

References

http://blogs.technet.com/srd/archive/2009/08/11/ms09-037-why-we-are-using-cve-s-already-used-in-ms09-035.aspx

http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html

http://marc.info/?l=bugtraq&m=126592505426855&w=2

http://marc.info/?l=bugtraq&m=126592505426855&w=2

http://secunia.com/advisories/35967

http://secunia.com/advisories/36187

http://secunia.com/advisories/36374

http://secunia.com/advisories/36746

http://secunia.com/advisories/38568

http://secunia.com/advisories/41818

http://sunsolve.sun.com/search/document.do?assetkey=1-66-264648-1

http://sunsolve.sun.com/search/document.do?assetkey=1-66-266108-1

http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020775.1-1

http://www.adobe.com/support/security/advisories/apsa09-04.html

http://www.adobe.com/support/security/bulletins/apsb09-10.html

http://www.adobe.com/support/security/bulletins/apsb09-11.html

http://www.adobe.com/support/security/bulletins/apsb09-13.html

http://www.novell.com/support/viewContent.do?externalId=7004997&sliceId=1

http://www.openoffice.org/security/cves/CVE-2009-2493.html

http://www.us-cert.gov/cas/techalerts/TA09-195A.html

http://www.us-cert.gov/cas/techalerts/TA09-223A.html

http://www.us-cert.gov/cas/techalerts/TA09-286A.html

http://www.us-cert.gov/cas/techalerts/TA09-342A.html

http://www.vupen.com/english/advisories/2009/2034

http://www.vupen.com/english/advisories/2009/2232

http://www.vupen.com/english/advisories/2010/0366

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-035

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-037

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-055

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-060

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-072

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6245

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6304

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6421

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6473

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6621

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6716

http://blogs.technet.com/srd/archive/2009/08/11/ms09-037-why-we-are-using-cve-s-already-used-in-ms09-035.aspx

http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html

http://marc.info/?l=bugtraq&m=126592505426855&w=2

http://marc.info/?l=bugtraq&m=126592505426855&w=2

http://secunia.com/advisories/35967

http://secunia.com/advisories/36187

http://secunia.com/advisories/36374

http://secunia.com/advisories/36746

http://secunia.com/advisories/38568

http://secunia.com/advisories/41818

http://sunsolve.sun.com/search/document.do?assetkey=1-66-264648-1

http://sunsolve.sun.com/search/document.do?assetkey=1-66-266108-1

http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020775.1-1

http://www.adobe.com/support/security/advisories/apsa09-04.html

http://www.adobe.com/support/security/bulletins/apsb09-10.html

http://www.adobe.com/support/security/bulletins/apsb09-11.html

http://www.adobe.com/support/security/bulletins/apsb09-13.html

http://www.novell.com/support/viewContent.do?externalId=7004997&sliceId=1

http://www.openoffice.org/security/cves/CVE-2009-2493.html

http://www.us-cert.gov/cas/techalerts/TA09-195A.html

http://www.us-cert.gov/cas/techalerts/TA09-223A.html

http://www.us-cert.gov/cas/techalerts/TA09-286A.html

http://www.us-cert.gov/cas/techalerts/TA09-342A.html

http://www.vupen.com/english/advisories/2009/2034

http://www.vupen.com/english/advisories/2009/2232

http://www.vupen.com/english/advisories/2010/0366

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-035

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-037

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-055

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-060

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-072

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6245

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6304

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6421

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6473

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6621

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6716