Adobe has released Reader 9.1.3 and Acrobat 9.1.3 to address a vulnerability. By convincing a user to open a PDF document embedded with a specially crafted SWF file, an attacker may be able to execute arbitrary code.

US-CERT encourages users and administrators to review Adobe security bulletin APSB09-10 and apply any necessary updates to help mitigate the risks. Additional information regarding this vulnerability can be found in US-CERT Technical Cyber Security Alert TA09-204A.

Cisco has released a security advisory to address multiple vulnerabilities in IOS Software. Exploitation of these vulnerabilities may allow an attacker to cause a denial-of-service condition when handling specific Border Gateway Protocol (BGP) updates. The advisory indicates that these vulnerabilities affect only Cisco IOS
Software with support for four-octet AS number space and BGP routing
configured.

US-CERT encourages users and administrators to review Cisco Security Advisory cisco-sa-20090729-bgp and apply any necessary updates to help mitigate the risks.

Adobe has released Shockwave Player 11.5.1.601 because previous versions used a vulnerable version of the Microsoft Active Template Library (ATL). Additionally, Adobe has released Flash Player 10.0.22.87 and 9.0.246.0 to address the ATL issue and additional vulnerabilities in Flash Player. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review Adobe security bulletins APSB09-11 and APSB09-10 and apply any necessary updates to help mitigate the risks. Additional information can be found in the Adobe PSIRT blog and in Adobe security advisory APSA09-04.

The Internet Systems Consortium (ISC) has released BIND versions 9.4.3-P3, 9.5.1-P3, and 9.6.1-P1 to address a vulnerability. By sending a specially crafted dynamic update packet to an affected BIND 9 server, a remote, unauthenticated attacker may be able to cause a denial-of-service condition.

US-CERT encourages users and administrators to review the Internet Systems Consortium advisory and apply any necessary updates to help mitigate the risks. Additional information can be found in the Vulnerability Notes Database.

Original release date: July 28, 2009

Last revised: --

Source: US-CERT

Systems Affected

• Microsoft Windows and Windows Server
• Microsoft Internet Explorer
• Microsoft Visual Studio and C++ Redistributable Package
• ActiveX controls from multiple vendors

Overview

Microsoft has released out-of-band updates to address critical vulnerabilities in Microsoft Internet Explorer running on most supported versions of Windows. The updates also help mitigate attacks against ActiveX controls developed with vulnerable versions of the Microsoft Active Template Library (ATL).

I. Description

Microsoft has released updates for critical vulnerabilities in Internet Explorer. The updates also include mitigations for attacks against vulnerable ActiveX controls that were created using vulnerable versions of the Active Template Library (ATL).

Vulnerabilities present in the ATL can cause vulnerabilities in the resulting ActiveX controls and COM components. For example, the ATL typographical error described in this Security Development Lifecycle blog post caused the Microsoft Video ActiveX control stack buffer overflow (VU#180513, CVE-2008-0015).

Any ActiveX control or COM component that was created with a vulnerable version of the ATL may be vulnerable. For example, Adobe and Cisco are affected.

II. Impact

By convincing a user to view a specially crafted HTML document (e.g., a Web page, HTML email message, or HTML attachment), an attacker may be able to execute arbitrary code.

III. Solution

System Administrators

To address the vulnerabilities in Internet Explorer and mitigate attacks against vulnerable ATL-based ActiveX controls, apply the updates described in Microsoft Security Bulletin MS09-034. Further details about the ATL mitigations are available in a Microsoft Security Research & Defense blog post.

Administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS).

Developers

To stop creating vulnerable controls, update the ATL as described in Microsoft Security Bulletin MS09-035. To address vulnerabilities in existing controls, recompile the controls using the updated ATL. Further discussion about the ATL vulnerabilities can be found in the Security Development Lifecycle blog.

IV. References

• Vulnerability Note VU#456745 - <http://www.kb.cert.org/vuls/id/456745>
• Vulnerability Note VU#180513 - <http://www.kb.cert.org/vuls/id/180513>
• Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution - <http://www.microsoft.com/technet/security/advisory/973882.mspx>
• Microsoft Security Bulletin MS09-34 - <http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx>
• Microsoft Security Bulletin MS09-35 - <http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx>
• Protect Your Computer: Active Template Library, Security Updates - <http://www.microsoft.com/security/atl.aspx>
• Microsoft Security Advisory 973882, Microsoft Security Bulletins MS09-034 and MS09-035 Released - <http://blogs.technet.com/msrc/archive/2009/07/28/microsoft-security-advisory-973882-microsoft-security-bulletins-ms09-034-and-ms09-035-released.aspx>
• Black Hat USA Spotlight: ATL Killbit Bypass - <http://blogs.technet.com/bluehat/archive/2009/07/27/black-hat-usa-atl-killbit-bypass.aspx>
• ATL - <http://msdn.microsoft.com/en-us/library/3ax346b7(VS.71).aspx>
• ATL, MS09-035 and the SDL - <http://blogs.msdn.com/sdl/archive/2009/07/28/atl-ms09-035-and-the-sdl.aspx>
• Internet Explorer Mitigations for ATL Data Stream Vulnerabilities - <http://blogs.technet.com/srd/archive/2009/07/28/internet-explorer-mitigations-for-atl-data-stream-vulnerabilities.aspx>
• Microsoft Windows Server Update Services - <http://technet.microsoft.com/en-us/wsus/default.aspx>
• Impact of Microsoft ATL vulnerability on Adobe Products - <http://blogs.adobe.com/psirt/2009/07/impact_of_microsoft_atl_vulner.html>
• Cisco Security Advisory: Active Template Library (ATL) Vulnerability - <http://www.cisco.com/warp/public/707/cisco-sa-20090728-activex.shtml>
• CVE-2008-0015 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0015>

---

Feedback can be directed to US-CERT.

---

Produced 2009 by US-CERT, a government organization. Terms of use

Revision History

July 28, 2009: Initial release