漏洞信息详情
Microsoft Visual Studio ATL库COM对象初始化代码执行漏洞
- CNNVD编号:CNNVD-200907-415
- 危害等级: 超危
- CVE编号: CVE-2009-2493
- 漏洞类型: 权限许可和访问控制
- 发布时间: 2009-07-29
- 威胁类型: 远程
- 更新时间: 2009-11-17
- 厂 商: microsoft
- 漏洞来源: Ryan Smith ryan@hu...
漏洞简介
Microsoft Visual Studio是微软公司的开发工具套件系列产品,是一个基本完整的开发工具集,包括了软件整个生命周期中所需要的大部分工具 。
使用Visual Studio的ATL库所编译的组件和控件没有安全地使用OleLoadFromStream,可能允许实例化任意对象,绕过Internet Explorer中Kill Bit等相关安全策略。这个漏洞仅直接影响安装了使用Visual Studio ATL所编译的组件和控件的系统。攻击者可以通过创建特制的网页来利用这个漏洞,当用户查看网页时,该漏洞可能允许远程执行代码 。
漏洞公告
目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:
Microsoft Outlook 2007 SP2 0
Microsoft Update for Microsoft Office Outlook 2007 (KB972363)
http://www.microsoft.com/downloads/details.aspx?FamilyId=d39234a3-c62c -44ba-a626-3179a183ca09
Microsoft Windows Server 2008 for 32-bit Systems SP2
Microsoft Cumulative Security Update for ActiveX Killbits for Windows Server 2008 (KB973525)
http://www.microsoft.com/downloads/details.aspx?FamilyID=51eb56fa-8204 -45f3-86d7-6d03a2c8d78d
Microsoft Windows Vista Home Premium SP2
Microsoft Security Update for Windows Vista (KB973768)
http://www.microsoft.com/downloads/details.aspx?familyid=59fefa17-0ad4 -4a62-82be-e6a2b7a0aec3&displaylang=en
Microsoft Outlook 2007 SP1 0
Microsoft Update for Microsoft Office Outlook 2007 (KB972363)
http://www.microsoft.com/downloads/details.aspx?FamilyId=d39234a3-c62c -44ba-a626-3179a183ca09
Microsoft Windows ATL Component 0
Microsoft Security Update for Windows 2000 (KB973507)
http://www.microsoft.com/downloads/details.aspx?familyid=c773149a-f4fc -486a-b718-6b8ff7a36ae2
Microsoft Security Update for Windows Server 2003 (KB973507)
http://www.microsoft.com/downloads/details.aspx?familyid=7d9369b5-0c54 -4c17-bc62-fba0a7b4728c
Microsoft Security Update for Windows Server 2003 for Itanium-based Systems (KB973507)
http://www.microsoft.com/downloads/details.aspx?familyid=ad1791b3-8553 -4433-a9f7-8b4f857665be
Microsoft Security Update for Windows Server 2003 x64 Edition (KB973507)
http://www.microsoft.com/downloads/details.aspx?familyid=90e0e014-ed7e -498a-9f61-18bb09a384b3
Microsoft Security Update for Windows Server 2008 (KB973507)
http://www.microsoft.com/downloads/details.aspx?familyid=ba423491-6c29 -49f2-811b-ac3f9bbc58fc
Microsoft Security Update for Windows Server 2008 for Itanium-based Systems (KB973507)
http://www.microsoft.com/downloads/details.aspx?familyid=e5612bb4-5f37 -4b38-bd2e-f198c413371c
Microsoft Security Update for Windows Server 2008 x64 Edition (KB973507)
http://www.microsoft.com/downloads/details.aspx?familyid=b9311953-889a -415f-a396-250a005e95cd
Microsoft Security Update for Windows Vista (KB973507)
http://www.microsoft.com/downloads/details.aspx?familyid=80de158d-157e -4c21-9154-c1dbd6e57cb3
Microsoft Security Update for Windows Vista for x64-based Systems (KB973507)
http://www.microsoft.com/downloads/details.aspx?familyid=82940d30-6a30 -47ca-b184-2ac96e35c294
Microsoft Security Update for Windows XP (KB973507)
http://www.microsoft.com/downloads/details.aspx?familyid=4b4c6fc5-e8e6 -4d89-a181-e231240468f9
Microsoft Security Update for Windows XP x64 Edition (KB973507)
http://www.microsoft.com/downloads/details.aspx?familyid=2f2b93fc-f977 -4f23-af90-c27f744fad0a
Microsoft Windows Vista Home Basic SP1
Microsoft Security Update for Windows Vista (KB973768)
http://www.microsoft.com/downloads/details.aspx?familyid=59fefa17-0ad4 -4a62-82be-e6a2b7a0aec3&displaylang=en
Microsoft Windows XP Tablet PC Edition SP2
Microsoft Cumulative Security Update for ActiveX Killbits for Windows XP (KB973525)
http://www.microsoft.com/downloads/details.aspx?FamilyID=171d43d3-669c -4923-b266-e47591833c05
Microsoft Windows XP Media Center Edition SP3
Microsoft Cumulative Security Update for ActiveX Killbits for Windows XP (KB973525)
http://www.microsoft.com/downloads/details.aspx?FamilyID=171d43d3-669c -4923-b266-e47591833c05
Microsoft Security Update for Windows XP (KB973768)
http://www.microsoft.com/downloads/details.aspx?familyid=46aa443c-4e7b -4bd5-8b4e-0068c3dc0e79&displaylang=en
Microsoft Windows CE 6.0
Microsoft Security Update Windows Embedded CE 6.0 (KB974616)
http://www.microsoft.com/downloads/details.aspx?familyid=99d114f8-4d95 -4075-a0f1-45f498f0ade8
Microsoft Windows 7 for 32-bit Systems 0
Microsoft Cumulative Security Update for ActiveX Killbits for Windows 7 (KB973525)
http://www.microsoft.com/downloads/details.aspx?FamilyID=b64bcc14-38a7 -45b9-8f85-acc573777506
Microsoft Windows Server 2003 Web Edition SP2
Microsoft Security Update for ActiveX Killbits for Windows Server 2003 (KB973525)
http://
参考网址
来源: US-CERT
名称: TA09-286A
链接:http://www.us-cert.gov/cas/techalerts/TA09-286A.HTML
来源: US-CERT
名称: TA09-223A
链接:http://www.us-cert.gov/cas/techalerts/TA09-223A.HTML
来源: US-CERT
名称: TA09-195A
链接:http://www.us-cert.gov/cas/techalerts/TA09-195A.HTML
来源: MS
名称: MS09-035
链接:http://www.microsoft.com/technet/security/Bulletin/MS09-035.mspx
来源: www.adobe.com
链接:http://www.adobe.com/support/security/bulletins/apsb09-11.HTML
来源: www.adobe.com
链接:http://www.adobe.com/support/security/advisories/apsa09-04.HTML
来源: VUPEN
名称: ADV-2009-2232
链接:http://www.vupen.com/english/advisories/2009/2232
来源: VUPEN
名称: ADV-2009-2034
链接:http://www.vupen.com/english/advisories/2009/2034
来源: MS
名称: MS09-060
链接:http://www.microsoft.com/technet/security/Bulletin/MS09-060.mspx
来源: MS
名称: MS09-055
链接:http://www.microsoft.com/technet/security/Bulletin/MS09-055.mspx
来源: MS
名称: MS09-037
链接:http://www.microsoft.com/technet/security/Bulletin/MS09-037.mspx
来源: www.adobe.com
链接:http://www.adobe.com/support/security/bulletins/apsb09-13.HTML
来源: www.adobe.com
链接:http://www.adobe.com/support/security/bulletins/apsb09-10.HTML
来源: SUNALERT
名称: 266108
链接:http://sunsolve.sun.com/search/document.do?assetkey=1-66-266108-1
来源: SUNALERT
名称: 264648
链接:http://sunsolve.sun.com/search/document.do?assetkey=1-66-264648-1
来源: SECUNIA
名称: 36374
链接:http://secunia.com/advisories/36374
来源: SECUNIA
名称: 36187
链接:http://secunia.com/advisories/36187
来源: SUSE
名称: SUSE-SA:2009:053
链接:http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.HTML
来源: MISC
链接:http://blogs.technet.com/srd/archive/2009/08/11/ms09-037-why-we-are-using-cve-s-already-used-in-ms09-035.aspx
受影响实体
- Microsoft Visual_studio:2008:Sp1
- Microsoft Visual_studio:2008
- Microsoft Visual_studio:2003:Sp1
- Microsoft Visual_studio:2005:Sp1
- Microsoft Windows_vista:Sp2
补丁
暂无
![weinxin](http://zone.ci/zone_ci_images/zone.ci.png)
评论