#VU1474 Improper initialization in Microsoft products - CVE-2009-2493
Published: December 21, 2016 / Updated: April 21, 2017
Vulnerability identifier: #VU1474
Vulnerability risk: Critical
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red
CVE-ID: CVE-2009-2493
CWE-ID: CWE-665
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Windows
Windows Server
Microsoft Active Template Library
Windows
Windows Server
Microsoft Active Template Library
Software vendor:
Microsoft
Microsoft
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to improper initialization in the Microsoft Active Template Library (ATL) when handling objects from data streams related to unsafe usage of OleLoadFromStream() function. A remote attacker can create a specially crafted Web site that instantiates a vulnerable component or control using the IE browser, trick the victim into viewing it and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The weakness exists due to improper initialization in the Microsoft Active Template Library (ATL) when handling objects from data streams related to unsafe usage of OleLoadFromStream() function. A remote attacker can create a specially crafted Web site that instantiates a vulnerable component or control using the IE browser, trick the victim into viewing it and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Remediation
Install update from vendor's website:
Microsoft Windows 2000 Service Pack 4:
https://www.microsoft.com/downloads/details.aspx?FamilyID=edfea805-9544-4dc0-a52c-d7594205657b
http://go.microsoft.com/fwlink/?LinkId=157386
Windows XP Service Pack 2 and Windows XP Service Pack 3:
https://www.microsoft.com/downloads/details.aspx?FamilyID=171d43d3-669c-4923-b266-e47591833c05
http://go.microsoft.com/fwlink/?LinkId=157386
Windows XP Professional x64 Edition Service Pack 2:
https://www.microsoft.com/downloads/details.aspx?FamilyId=c08623bf-94bc-4c50-8c10-f50fb8448a0b
http://go.microsoft.com/fwlink/?LinkId=157386
Windows Server 2003 Service Pack 2:
https://www.microsoft.com/downloads/details.aspx?FamilyID=f3249c99-82e4-45dc-a254-28e647e822c8
http://go.microsoft.com/fwlink/?LinkId=157386
Windows Server 2003 x64 Edition Service Pack 2:
https://www.microsoft.com/downloads/details.aspx?FamilyID=1ad3f7b3-58d5-4507-ae20-a265e47cee9c
http://go.microsoft.com/fwlink/?LinkId=157386
Windows Server 2003 with SP2 for Itanium-based Systems:
https://www.microsoft.com/downloads/details.aspx?FamilyID=575e75d9-e348-4fbb-9eaa-43240e4d715e
http://go.microsoft.com/fwlink/?LinkId=157386
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2:
https://www.microsoft.com/downloads/details.aspx?FamilyID=7313c03b-8844-4086-a0cc-43dfdb3ca48c
http://go.microsoft.com/fwlink/?LinkId=157386
Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2:
https://www.microsoft.com/downloads/details.aspx?FamilyID=7216bcb1-ff16-402b-ad1b-1500d46d0157
http://go.microsoft.com/fwlink/?LinkId=157386
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2:
https://www.microsoft.com/downloads/details.aspx?FamilyID=51eb56fa-8204-45f3-86d7-6d03a2c8d78d
http://go.microsoft.com/fwlink/?LinkId=157386
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2:
https://www.microsoft.com/downloads/details.aspx?FamilyID=131b047a-ae93-4a99-83e5-71d5a79e96ea
http://go.microsoft.com/fwlink/?LinkId=157386
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2:
https://www.microsoft.com/downloads/details.aspx?FamilyID=3d16c5bf-ee5c-4220-9755-5cb92eac2aae
http://go.microsoft.com/fwlink/?LinkId=157386
Windows 7 for 32-bit Systems:
https://www.microsoft.com/downloads/details.aspx?FamilyID=b64bcc14-38a7-45b9-8f85-acc573777506
Windows 7 x64 Edition:
https://www.microsoft.com/downloads/details.aspx?FamilyID=809e29f3-ec68-4a2b-b04e-11759dd16001
Windows Server 2008 R2 for x64-based Systems:
https://www.microsoft.com/downloads/details.aspx?FamilyID=bcd2b944-6852-48f2-820b-cce7d195e391
Windows Server 2008 R2 for Itanium-based Systems:
https://www.microsoft.com/downloads/details.aspx?FamilyID=85e76e55-3766-4ffe-9a18-8655de935b7c
Microsoft Windows 2000 Service Pack 4:
https://www.microsoft.com/downloads/details.aspx?FamilyID=edfea805-9544-4dc0-a52c-d7594205657b
http://go.microsoft.com/fwlink/?LinkId=157386
Windows XP Service Pack 2 and Windows XP Service Pack 3:
https://www.microsoft.com/downloads/details.aspx?FamilyID=171d43d3-669c-4923-b266-e47591833c05
http://go.microsoft.com/fwlink/?LinkId=157386
Windows XP Professional x64 Edition Service Pack 2:
https://www.microsoft.com/downloads/details.aspx?FamilyId=c08623bf-94bc-4c50-8c10-f50fb8448a0b
http://go.microsoft.com/fwlink/?LinkId=157386
Windows Server 2003 Service Pack 2:
https://www.microsoft.com/downloads/details.aspx?FamilyID=f3249c99-82e4-45dc-a254-28e647e822c8
http://go.microsoft.com/fwlink/?LinkId=157386
Windows Server 2003 x64 Edition Service Pack 2:
https://www.microsoft.com/downloads/details.aspx?FamilyID=1ad3f7b3-58d5-4507-ae20-a265e47cee9c
http://go.microsoft.com/fwlink/?LinkId=157386
Windows Server 2003 with SP2 for Itanium-based Systems:
https://www.microsoft.com/downloads/details.aspx?FamilyID=575e75d9-e348-4fbb-9eaa-43240e4d715e
http://go.microsoft.com/fwlink/?LinkId=157386
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2:
https://www.microsoft.com/downloads/details.aspx?FamilyID=7313c03b-8844-4086-a0cc-43dfdb3ca48c
http://go.microsoft.com/fwlink/?LinkId=157386
Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2:
https://www.microsoft.com/downloads/details.aspx?FamilyID=7216bcb1-ff16-402b-ad1b-1500d46d0157
http://go.microsoft.com/fwlink/?LinkId=157386
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2:
https://www.microsoft.com/downloads/details.aspx?FamilyID=51eb56fa-8204-45f3-86d7-6d03a2c8d78d
http://go.microsoft.com/fwlink/?LinkId=157386
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2:
https://www.microsoft.com/downloads/details.aspx?FamilyID=131b047a-ae93-4a99-83e5-71d5a79e96ea
http://go.microsoft.com/fwlink/?LinkId=157386
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2:
https://www.microsoft.com/downloads/details.aspx?FamilyID=3d16c5bf-ee5c-4220-9755-5cb92eac2aae
http://go.microsoft.com/fwlink/?LinkId=157386
Windows 7 for 32-bit Systems:
https://www.microsoft.com/downloads/details.aspx?FamilyID=b64bcc14-38a7-45b9-8f85-acc573777506
Windows 7 x64 Edition:
https://www.microsoft.com/downloads/details.aspx?FamilyID=809e29f3-ec68-4a2b-b04e-11759dd16001
Windows Server 2008 R2 for x64-based Systems:
https://www.microsoft.com/downloads/details.aspx?FamilyID=bcd2b944-6852-48f2-820b-cce7d195e391
Windows Server 2008 R2 for Itanium-based Systems:
https://www.microsoft.com/downloads/details.aspx?FamilyID=85e76e55-3766-4ffe-9a18-8655de935b7c