PT-2009-3491 · Microsoft · Windows+4
David Dewey · Published 2009-07-29 · Updated 2026-05-27
CVE-2009-0901
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Microsoft Visual Studio .NET versions 2003 SP1 through 2008
Microsoft Visual C++ versions 2005 SP1 through 2008 SP1
Windows versions 2000 SP4 through XP SP3, Server 2003 SP2, Vista Gold through SP2, and Server 2008 Gold through SP2
Description
A remote code execution issue exists due to an error in the Active Template Library (ATL) headers, which could allow an attacker to execute arbitrary code via a malformed stream to an ATL component or control. This is related to the ATL not preventing VariantClear calls on an uninitialized VARIANT. The issue could be exploited by a remote, unauthenticated user by constructing a specially crafted Web page, potentially allowing remote code execution on an affected system.
Recommendations
For Microsoft Visual Studio .NET versions 2003 SP1 through 2008, update to a version that includes the fix for this issue.
For Microsoft Visual C++ versions 2005 SP1 through 2008 SP1, update to a version that includes the fix for this issue.
For Windows versions 2000 SP4 through XP SP3, Server 2003 SP2, Vista Gold through SP2, and Server 2008 Gold through SP2, update to a version that includes the fix for this issue.
As a temporary workaround, consider restricting access to components and controls built using Visual Studio ATL until a patch is available.
Fix
RCE
Code Injection
Affected products
Active Template Library
Visual C++
Visual Studio .Net
Outlook
Windows