Microsoft Windows Active Template Library (ATL) Multiple Vulnerabilities( 12 August 2009 )

1. Microsoft Video ActiveX Control Vulnerability

A remote code execution vulnerability exists in the Microsoft Active Template Library (ATL) due to the function CComVariant::ReadFromStream used in the ATL header. This function does not properly restrict untrusted data read from a stream. This issue leads to reading data directly onto the stack instead of reading it into the area of memory allocated for an array, which could allow a remote, unauthenticated user to perform remote code execution on an affected system. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution.

2. ATL Header Memcopy Vulnerability

A remote code execution vulnerability exists in the Microsoft Active Template Library (ATL) due to an error in the Load method of the IPersistStreamInit interface. The Load method could allow calls to memcopy with untrusted data, which could allow a remote, unauthenticated user to perform remote code execution on an affected system. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution.

3. ATL Uninitialized Object Vulnerability

A remote code execution vulnerability exists in the Microsoft Active Template Library (ATL) due to a bug in the ATL headers that could allow an attacker to force VariantClear to be called on a VARIANT that has not been correctly initialized. Because of this bug, the attacker can control what happens when VariantClear is called during handling of an error by supplying a corrupt stream. This vulnerability only directly affects systems with components and controls installed that were built using Visual Studio ATL. This vulnerability could allow a remote, unauthenticated user to perform remote code execution on an affected system. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution.

4. ATL COM Initialization Vulnerability

A remote code execution vulnerability exists in the Microsoft Active Template Library (ATL) due to bugs in the ATL headers that handle instantiation of an object from data streams. This vulnerability only directly affects systems with components and controls installed that were built using Visual Studio ATL. For components and controls built using ATL, unsafe usage of OleLoadFromStream could allow the instantiation of arbitrary objects which can bypass related security policy, such as kill bits within Internet Explorer. This vulnerability could allow a remote, unauthenticated user to perform remote code execution on an affected system. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution.

5. ATL Object Type Mismatch Vulnerability

A remote code execution vulnerability exists in the Microsoft Active Template Library (ATL) due to a bug in the ATL header that could allow reading a variant from a stream and leaving the variant type read with an invalid variant. When deleting the variant, it is possible to free unintended areas in memory that could be controlled by an attacker.