CVE-2009-2493

 

  • Severity Score: 9.3 (CVSS v2)
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits: 0 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold and SP1, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2; does not properly restrict use of OleLoadFromStream in instantiating objects from data streams, which allows remote attackers to execute arbitrary code via a crafted HTML document with an ATL (1) component or (2) control, related to ATL headers and bypassing security policies, aka "ATL COM Initialization Vulnerability."

The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold and SP1, and Visual C++ 2005 SP1 and 2008 Gold and SP1 does not properly restrict the use of OleLoadFromStream in instantiating objects from the data stream, which allows remote attackers to execute arbitrary code via a crafted HTML document with a (1) control or (2) component, related to ATL headers and bypassing security policies. Also known as the "ATL COM Initialization Vulnerability".

*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Medium
  • Authentication: None
  • Confidentiality: Complete
  • Integrity: Complete
  • Availability: Complete
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2009-07-17 CVE Reserved
  • 2009-07-29 CVE Published
  • 2024-08-07 CVE Updated
  • 2024-10-22 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-264: Permissions, Privileges, and Access Controls
CAPEC
References (36)
URL Tag Source
http://blogs.technet.com/srd/archive/2009/08/11/ms09-037-why-we-are-using-cve-s-already-used-in-ms09-035.aspx Broken Link
http://secunia.com/advisories/35967 Third Party Advisory
http://secunia.com/advisories/36187 Third Party Advisory
http://secunia.com/advisories/36374 Third Party Advisory
http://secunia.com/advisories/36746 Third Party Advisory
http://secunia.com/advisories/38568 Third Party Advisory
http://secunia.com/advisories/41818 Third Party Advisory
http://www.adobe.com/support/security/bulletins/apsb09-10.html Third Party Advisory
http://www.adobe.com/support/security/bulletins/apsb09-13.html Third Party Advisory
http://www.novell.com/support/viewContent.do?externalId=7004997&sliceId=1 Third Party Advisory
http://www.openoffice.org/security/cves/CVE-2009-2493.html Third Party Advisory
http://www.us-cert.gov/cas/techalerts/TA09-195A.html Third Party Advisory
http://www.us-cert.gov/cas/techalerts/TA09-223A.html Third Party Advisory
http://www.us-cert.gov/cas/techalerts/TA09-286A.html Third Party Advisory
http://www.us-cert.gov/cas/techalerts/TA09-342A.html Third Party Advisory
http://www.vupen.com/english/advisories/2009/2034 Vdb Entry
http://www.vupen.com/english/advisories/2009/2232 Vdb Entry
http://www.vupen.com/english/advisories/2010/0366 Vdb Entry
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6245 Signature
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6304 Signature
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6421 Signature
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6473 Signature
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6621 Signature
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6716 Signature
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Microsoft | Visual C++ | 2005 | sp1 | Affected
Microsoft | Visual C++ | 2008 | - | Affected
Microsoft | Visual C++ | 2008 | sp1 | Affected
Microsoft | Windows 2000 | * | sp4 | Affected
Microsoft | Windows 2003 Server | * | sp2 | Affected
Microsoft | Windows Server 2008 | * | sp2 | Affected
Microsoft | Windows Server 2008 | - | - | Affected
Microsoft | Windows Vista | * | sp1 | Affected
Microsoft | Windows Vista | * | sp2 | Affected
Microsoft | Windows Vista | - | - | Affected
Microsoft | Windows XP | * | sp2 | Affected
Microsoft | Windows XP | * | sp3 | Affected
Microsoft | Visual Studio | 2003 | sp1 | Affected
Microsoft | Visual Studio | 2005 | sp1 | Affected
Microsoft | Visual Studio | 2008 | - | Affected
Microsoft | Visual Studio | 2008 | sp1 | Affected