MS released two OOB bulletins and an advisory
Microsoft has released two Out of Band (OOB) bulletins and one advisory. The security advisory (973882) relates to issues discovered in Microsoft’s Active Template Library (ATL), which is included in Visual Studio. The first bulletin (MS09-035) describes how ATL is used, and some of the code within it that can lead to memory corruption information disclosure, and creation of object instances disregarding set security policy. A number of third party software packages will also have to be updated to reflect this change. The second bulletin (MS09-034) is a defense in depth mitigation for potential bypass of ActiveX killbits, commonly used to mitigate other vulnerabilities. Apply this patch ASAP. The impact of a user viewing an evil web page is arbitrary code execution. Related CVE entries are:
ATL Uninitialized Object Vulnerability - CVE-2009-0901
ATL COM Initialization Vulnerability - CVE-2009-2493
ATL Null String Vulnerability - CVE-2009-2495
Memory Corruption Vulnerability - CVE-2009-1917
HTML Objects Memory Corruption Vulnerability - CVE-2009-1918
Uninitialized Memory Corruption Vulnerability - CVE-2009-1919
Microsoft's investigation into MSvidctrl(MS09-032) apparently found the underlying issue in the ATL library, which is addressed in the bulletin and patches. More information will be available tomorrow at BlackHat . Here is a teaser advanced preview of the IE ActiveX killbit bypass being presented tomorrow: http://www.hustlelabs.com/bh2009preview/
Microsoft had provided advance notification of these releases 24 July 2009. We covered it here.
References:
http://blogs.technet.com/msrc/archive/2009/07/28/microsoft-security-advisory-973882-microsoft-security-bulletins-ms09-034-and-ms09-035-released.aspx
http://www.microsoft.com/technet/security/advisory/973882.mspx
http://www.microsoft.com/technet/security/bulletin/MS09-034.mspx
http://www.microsoft.com/technet/security/bulletin/MS09-035.mspx
http://blogs.technet.com/srd/archive/2009/07/28/overview-of-the-out-of-band-release.aspx
Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
Comments