Microsoft Windows ActiveX Controls ATL OleLoadFromStream access control
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.6 | $0-$5k | 0.00 |
A vulnerability was found in Microsoft Windows (Operating System) (the affected version unknown). It has been rated as very critical. This issue affects the function OleLoadFromStream of the component ActiveX Controls ATL. The manipulation with an unknown input leads to a access control vulnerability. Using CWE to declare the problem leads to CWE-264. Impacted is confidentiality, integrity, and availability. The summary by CVE is:
The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold and SP1, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2; does not properly restrict use of OleLoadFromStream in instantiating objects from data streams, which allows remote attackers to execute arbitrary code via a crafted HTML document with an ATL (1) component or (2) control, related to ATL headers and bypassing security policies, aka "ATL COM Initialization Vulnerability."
The weakness was shared 10/13/2009 by Ryan Smith (iDefense) with Microsoft as MS09-055 as confirmed bulletin (Technet). The advisory is shared at microsoft.com. The identification of this vulnerability is CVE-2009-2493 since 07/17/2009. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details are known, but no exploit is available. The price for an exploit might be around USD $0-$5k at the moment (estimation calculated on 03/17/2021). MITRE ATT&CK project uses the attack technique T1068 for this issue.
It is declared as proof-of-concept. We expect the 0-day to have been worth approximately $25k-$100k. The vulnerability scanner Nessus provides a plugin with the ID 43822 (SuSE 10 Security Update : IBM Java 1.5.0 (ZYPP Patch Number 6740)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family SuSE Local Security Checks and running in the context l. The commercial vulnerability scanner Qualys is able to test this issue with plugin 116529 (Adobe Acrobat and Reader Remote Code Execution Vulnerabilities (APSA09-03 and APSB09-10)).
Upgrading eliminates this vulnerability. Applying the patch MS09-055 is able to eliminate this problem. The bugfix is ready for download at microsoft.com. The best possible mitigation is suggested to be upgrading to the latest version. A possible mitigation has been published immediately after the disclosure of the vulnerability. Furthermore it is possible to detect and prevent this kind of attack with TippingPoint and the filter 8317.
The vulnerability is also documented in the databases at X-Force (52047) and Tenable (43822). The entries 49229, 49228, 49227 and 49226 are related to this item.
Product
Type
Vendor
Name
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.3VulDB Meta Temp Score: 6.6
VulDB Base Score: 7.3
VulDB Temp Score: 6.6
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Access controlCWE: CWE-264
CAPEC: 🔍
ATT&CK: 🔍
Local: No
Remote: Yes
Availability: 🔍
Status: Proof-of-Concept
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | unlock | unlock | unlock | unlock |
|---|---|---|---|---|
| Today | unlock | unlock | unlock | unlock |
Nessus ID: 43822
Nessus Name: SuSE 10 Security Update : IBM Java 1.5.0 (ZYPP Patch Number 6740)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
Nessus Port: 🔍
OpenVAS ID: 67053
OpenVAS Name: FreeBSD Ports: openoffice.org
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Patch: MS09-055
TippingPoint: 🔍
McAfee IPS: 🔍
McAfee IPS Version: 🔍
PaloAlto IPS: 🔍
Timeline
07/17/2009 🔍07/28/2009 🔍
07/28/2009 🔍
07/28/2009 🔍
07/29/2009 🔍
10/13/2009 🔍
10/13/2009 🔍
10/13/2009 🔍
10/19/2009 🔍
12/09/2009 🔍
01/08/2010 🔍
03/17/2021 🔍
Sources
Vendor: microsoft.comProduct: microsoft.com
Advisory: MS09-055
Researcher: Ryan Smith (iDefense)
Organization: Microsoft
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2009-2493 (🔍)
OVAL: 🔍
IAVM: 🔍
X-Force: 52047
Vulnerability Center: 24325 - [MS09-035] Microsoft Visual Studio and Visual C++ ATL COM Initialization Vulnerability, Critical
SecurityFocus: 35828 - Microsoft Visual Studio Active Template Library COM Object Remote Code Execution Vulnerability
Secunia: 36997 - Microsoft Windows ActiveX Controls ATL "OleLoadFromStream()" Vulnerability, Extremely Critical
OSVDB: 56698 - Microsoft Visual Studio Active Template Library (ATL) Data Stream Object Instantiation Remote Code Execution
Vupen: ADV-2009-2034
See also: 🔍
Entry
Created: 10/19/2009 12:39Updated: 03/17/2021 15:30
Changes: 10/19/2009 12:39 (95), 09/05/2019 13:37 (11), 03/17/2021 15:30 (3)
Complete: 🔍
No comments yet. Languages: en.
Please log in to comment.