What is the purpose of this alert?
This alert is to provide you with an overview of two new security bulletins and one security advisory being released (out-of-band) on July 28, 2009.
NEW SECURITY BULLETIN SUMMARY
Bulletin ID: MS09-034
Bulletin Title: Cumulative Security Update for Internet Explorer (972260)
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: All supported versions of Internet Explorer on Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008
Bulletin ID: MS09-035
Bulletin Title: Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706)
Maximum Severity Rating: Moderate
Affected Software: Microsoft Visual Studio .NET 2003, Visual Studio 2005, Visual Studio 2008, Visual C++ 2005, and Visual C++ 2008
SECURITY ADVISORY 973882 - OVERVIEW
Microsoft is releasing Security Advisory 973882 to provide information about our ongoing investigation into vulnerabilities in the public and private versions of Microsoft's Active Template Library (ATL). This advisory also provides guidance as to what developers can do to help ensure that the controls and components they have built are not vulnerable to the ATL issues; what IT Professionals and consumers can do to mitigate potential attacks that use the vulnerabilities; and what Microsoft is doing as part of its ongoing investigation into the issue described in this advisory. This security advisory will also provide a comprehensive listing of all Microsoft Security Bulletins and Security Updates related to the vulnerabilities in ATL. Microsoft's investigation into the private and public versions of ATL is ongoing, and we will release security updates and guidance as appropriate as part of the investigation process.
Microsoft is aware of security vulnerabilities in the public and private versions of ATL. The Microsoft ATL is used by software developers to create controls or components for the Windows platform. The vulnerabilities described in this Security Advisory and Microsoft Security Bulletin MS09-035 could result in information disclosure or remote code execution attacks for controls and components built using vulnerable versions of the ATL. Components and controls created with the vulnerable version of ATL may be exposed to a vulnerable condition due to how ATL is used or due to issues in the ATL code itself.
Review security advisory 973882, security bulletin MS09-034, and security bulletin MS09-035 at the links provided below for an overview of the issue, details on affected components, mitigating factors, suggested actions, frequently asked questions (FAQs), and links to additional resources.
Customers who believe they are affected can contact Customer Service and Support (CSS) in North America for help with security update issues or viruses at no charge using the PC Safety line (866) PCSAFETY. International customers can contact Customer Service and Support by using any method found at http://www.microsoft.com/protect/worldwide/default.mspx.
• Microsoft Security Advisory 973882 – Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution: http://www.microsoft.com/technet/security/advisory/973882.mspx
• Microsoft Security Bulletin MS09-034 – Cumulative Security Update for Internet Explorer (972260): http://www.microsoft.com/technet/security/bulletin/MS09-034.mspx
• Microsoft Security Bulletin MS09-035 – Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706): http://www.microsoft.com/technet/security/bulletin/MS09-035.mspx
• Landing Page for ATL Guidance (for consumers, IT Professionals and Developers): http://www.microsoft.com/atl/
• Microsoft Security Response Center (MSRC) Blog: http://blogs.technet.com/msrc/
• Microsoft Malware Protection Center (MMPC) Blog: http://blogs.technet.com/mmpc/
• Security Research & Defense (SRD) Blog: http://blogs.technet.com/srd/
PUBLIC BULLETIN RELEASE WEBCASTS
Microsoft will host two Webcasts to address customer questions on this Out-of-Band bulletin release.
Title: Information About Microsoft July 2009 Out-of-Band Security Bulletin Release
Date: Tuesday, July 28, 2009, 1:00 P.M. Pacific Time (U.S. & Canada)
Date: Tuesday, July 28, 2009, 4:00 P.M. Pacific Time (U.S. & Canada)
NEW BULLETIN TECHNICAL DETAILS
In the following tables of affected and non-affected software, software editions that are not listed are past their support lifecycle. To determine the support lifecycle for your product and edition, visit the Microsoft Support Lifecycle Web site at http://support.microsoft.com/lifecycle/.
Bulletin Identifier: Microsoft Security Bulletin MS09-034
Executive Summary: This security update is being released out of band in conjunction with Microsoft Security Bulletin MS09-035, which describes vulnerabilities in those components and controls that have been developed using vulnerable versions of the Microsoft Active Template Library (ATL). As a defense-in-depth measure, this Internet Explorer security update helps mitigate known attack vectors within Internet Explorer for those components and controls that have been developed with vulnerable versions of ATL as described in Microsoft Security Advisory (973882) and Microsoft Security Bulletin MS09-035.
This security update also resolves three privately reported vulnerabilities in Internet Explorer. The security update addresses these vulnerabilities by modifying the way that Internet Explorer handles objects in memory and table operations.
Severity Ratings and Affected Software: This security update is rated Critical for Internet Explorer 5.01 and Internet Explorer 6 Service Pack 1, running on supported editions of Microsoft Windows 2000; Critical for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 running on supported editions of Windows XP; Critical for Internet Explorer 7 and Internet Explorer 8 running on supported editions of Windows Vista; Moderate for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 running on supported editions of Windows Server 2003; and Moderate for Internet Explorer 7 and Internet Explorer 8 running on supported editions of Windows Server 2008.
CVE-2009-1917 | Memory Corruption Vulnerability (EI = 1)*
CVE-2009-1918 | HTML Objects Memory Corruption Vulnerability (EI = 2)**
CVE-2009-1919 | Uninitialized Memory Corruption Vulnerability (EI = 2)**
*Exploitability Index Rating of 1: consistent exploit code likely
**Exploitability Index Rating of 2: inconsistent exploit code likely
• These vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.
• Users would have to be persuaded to visit a malicious web site.
• Exploitation only gains the same user rights as the logged-on account. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• By default, all supported versions of Microsoft Outlook and Microsoft Outlook Express open HTML e-mail messages in the Restricted Sites zone.
• By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode.
Restart Requirement: This update requires a restart.
Removal Information:
• For Windows 2000, Windows XP and Windows Server 2003: Use the Add or Remove Programs tool in Control Panel or the Spuninst.exe utility.
• For Windows Vista and Windows Server 2008: WUSA.exe does not support uninstalling updates. To uninstall an update installed by WUSA, click Control Panel, and then click Security. Under Windows Update, click View installed updates and select the update from the list.
Bulletins Replaced by This Update: MS09-019
Full Details: http://www.microsoft.com/technet/security/bulletin/MS09-034.mspx
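The following PowerShell check is an added example, not part of this alert or of any Microsoft tool: it queries a set of hosts for the MS09-034 cumulative Internet Explorer update (KB972260) so an IT Professional can confirm the out-of-band update has actually landed. Host names are placeholders; the check covers MS09-034 only, since the product-specific package numbers for MS09-035 are not listed in this alert.

```powershell
# Added example (not from the Microsoft alert): verify that the MS09-034
# Internet Explorer cumulative update (KB972260) is present on a set of hosts.
# Uses the Win32_QuickFixEngineering WMI class, which lists updates installed
# through Windows Update, the Windows Update Standalone Installer or Spuninst-
# style packages. Host names below are placeholders; replace them with your own.
$bulletin  = 'MS09-034'
$kb        = 'KB972260'
$computers = @('WORKSTATION01', 'WORKSTATION02')   # placeholder host names

function Test-HotFixInstalled {
    param([string]$ComputerName, [string]$KbId)
    try {
        $ids = Get-WmiObject -Class Win32_QuickFixEngineering `
                             -ComputerName $ComputerName -ErrorAction Stop |
               Select-Object -ExpandProperty HotFixID
    } catch {
        # WMI/RPC failure (host offline, firewall, no rights): report, do not assume patched
        return 'UNREACHABLE'
    }
    # Assumption: on Windows XP / Server 2003 the IE update may be recorded with a
    # browser suffix (for example KB972260-IE7), so match on the KB prefix only.
    if ($ids | Where-Object { $_ -like "$KbId*" }) { 'installed' } else { 'MISSING' }
}

foreach ($c in $computers) {
    $status = Test-HotFixInstalled -ComputerName $c -KbId $kb
    '{0,-16} {1} ({2}): {3}' -f $c, $bulletin, $kb, $status
}
```

Treat UNREACHABLE the same as MISSING for follow-up: a host that cannot be queried has not been verified.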
Bulletin Identifier: Microsoft Security Bulletin MS09-035
Executive Summary: This security update addresses several privately reported vulnerabilities in the public versions of the Microsoft Active Template Library (ATL) included with Visual Studio. This security update is specifically intended for developers of components and controls. Developers who build and redistribute components and controls using ATL should install the update provided in this bulletin and follow the guidance provided to create, and distribute to their customers, components and controls that are not vulnerable to the vulnerabilities described in this security bulletin. This security bulletin discusses vulnerabilities that could allow remote code execution if a user loaded a component or control built with the vulnerable versions of ATL. The security update addresses the vulnerabilities by modifying the ATL headers so that components and controls built using the headers can safely initialize from a data stream.
Severity Ratings and Affected Software:
While most Microsoft Security Bulletins discuss the risk of a vulnerability for a specific product, this security bulletin discusses the vulnerabilities that may be present in products built using the ATL. Therefore, this security update is rated Moderate for all supported editions of Microsoft Visual Studio .NET 2003, Microsoft Visual Studio 2005, Microsoft Visual Studio 2008, Microsoft Visual C++ 2005 Redistributable Package, and Microsoft Visual C++ 2008 Redistributable Package.
CVE-2009-0901 | ATL Uninitialized Object Vulnerability (EI = 1)*
CVE-2009-2493 | ATL COM Initialization Vulnerability (EI = 1)*
CVE-2009-2495 | ATL Null String Vulnerability (EI = 3)**
**Exploitability Index Rating of 3: functioning exploit code unlikely
• A specially crafted Web page that loads a component or control built with a vulnerable version of ATL.
• By default, Visual Studio as a product is not vulnerable to this issue. Instead, components and controls built with the vulnerable versions of ATL may be vulnerable.
• Mitigating factors and workarounds for potentially vulnerable components and controls are located in Microsoft Security Advisory (973882).
Restart Requirement: This update requires a restart.
Removal Information: Use the Add or Remove Programs tool in Control Panel.
Bulletins Replaced by This Update: None
Full Details: http://www.microsoft.com/technet/security/bulletin/MS09-035.mspx
REGARDING INFORMATION CONSISTENCY
We strive to provide you with accurate information in static (this mail) and dynamic (Web-based) content. Microsoft’s security content posted to the Web is occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in Microsoft’s Web-based security content, the information in Microsoft’s Web-based security content is authoritative.
If you have any questions regarding this alert please contact your Technical Account Manager or Application Development Consultant.
Microsoft CSS Security Team