CVE-2009-2493

Name of the Vulnerable Software and Affected Versions Microsoft Visual Studio .NET versions 2003 SP1 through 2008 SP1 Microsoft Visual C++ versions 2005 SP1 through 2008 SP1 Windows versions prior to Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2

Description A remote code execution issue exists due to the improper restriction of OleLoadFromStream in instantiating objects from data streams. This allows remote attackers to execute arbitrary code via a crafted HTML document with an ATL component or control. The vulnerability is related to ATL headers and bypassing security policies. An attacker could exploit this by constructing a specially crafted Web page, potentially gaining the same user rights as the logged on user.

Recommendations For Microsoft Visual Studio .NET versions 2003 SP1 through 2008 SP1, update to a version that is not affected by this issue. For Microsoft Visual C++ versions 2005 SP1 through 2008 SP1, update to a version that is not affected by this issue. For Windows versions prior to Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2, update to a version that is not affected by this issue. As a temporary workaround, consider restricting access to ActiveX controls built with vulnerable Microsoft Active Template Library (ATL) headers until a patch is available.