SecurityTracker.com
Category:   Application (Generic)  >   Adobe Shockwave
Vendors:   Adobe Systems Incorporated
(Adobe Issues Fix for Shockwave Player) Microsoft Visual Studio Active Template Library Bugs Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1022615
SecurityTracker URL:  http://securitytracker.com/id/1022615
CVE Reference:   CVE-2009-0901, CVE-2009-2493, CVE-2009-2495
Date:  Jul 29 2009
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 11.5.0.600 and prior versions
Description:   Several vulnerabilities were reported in Microsoft Visual Studio. A remote user can cause arbitrary code to be executed on the target user's system. Adobe Shockwave Player is affected.

A remote user can create a specially crafted file that, when loaded by the target user, will trigger a flaw in the Microsoft Active Template Library (ATL) and execute arbitrary code on the target system. The code will run with the privileges of the target user.

A specially crafted ATL header can cause the VariantClear() function to be called on an incorrectly initialized VARIANT [CVE-2009-0901].

A specially crafted ATL header can invoke OleLoadFromStream() to instantiate arbitrary objects that can bypass related security policy [CVE-2009-2493].

A specially crafted string without a terminating NULL character may allow a remote user to obtain potentially sensitive information [CVE-2009-2495].

David Dewey of IBM ISS X-Force reported one of the vulnerabilities. Ryan Smith of VeriSign iDefense Labs reported the other two vulnerabilities.

Impact:   A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system or access potentially sensitive information on the target user's system.
Solution:   Adobe has issued a fix (11.5.1.601) for Shockwave Player, which is affected by these vulnerabilities. The fix is available at:

http://get.adobe.com/shockwave/

The Adobe advisory is available at:

http://www.adobe.com/support/security/bulletins/apsb09-11.html

Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Jul 28 2009 Microsoft Visual Studio Active Template Library Bugs Let Remote Users Execute Arbitrary Code


