CVE-2009-2495

Name of the Vulnerable Software and Affected Versions Microsoft Visual Studio .NET versions 2003 SP1 through 2008 SP1 Visual C++ versions 2005 SP1 through 2008 SP1

Description The issue is related to the Active Template Library (ATL) in Microsoft Visual Studio, which does not properly enforce string termination. This allows remote attackers to obtain sensitive information via a crafted HTML document with an ATL component or control that triggers a buffer over-read. The vulnerability could be exploited to disclose information in memory by manipulating a string to read extra data beyond its end. An attacker could run a malicious component or control to disclose information, forward user data to a third party, or access data on affected systems that is accessible to the logged-on user.

Recommendations For Microsoft Visual Studio .NET versions 2003 SP1 through 2008 SP1, consider disabling the use of ATL components and controls until a patch is available. For Visual C++ versions 2005 SP1 through 2008 SP1, restrict access to ATL headers and buffer allocation functions to minimize the risk of exploitation. As a temporary workaround, avoid using ATL components and controls in crafted HTML documents until the issue is resolved.