Summary
This host is missing a critical security update according to Microsoft Bulletin MS09-060.
Impact
Successful exploitation could allow remote attackers to execute arbitrary code with SYSTEM privileges or to cause a denial of service.
Impact Level: System/Application
Solution
Run Windows Update and install the listed hotfixes, or download and install the hotfixes named in the advisory at the link below: http://technet.microsoft.com/en-us/security/bulletin/ms09-060
Insight
Multiple flaws exist in the Microsoft Active Template Library (ATL):
- An error in the ATL headers that handle instantiation of an object from a data stream.
- An error in the ATL headers that allows a string to be read without a terminating NULL byte, so an attacker-supplied string can cause reads past the end of the string and disclose memory contents.
- An error in the ATL headers that allows 'VariantClear()' to be called on a variant that has not been correctly initialized, leading to arbitrary code execution.
Affected
Microsoft Office Outlook 2002/2003/2007
Microsoft Office Visio Viewer 2007
References
CVE: CVE-2009-0901, CVE-2009-2493, CVE-2009-2495
Severity
CVSS Base Score: 9.3
CVSS Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Related Vulnerabilities
- Cumulative Security Update for Internet Explorer (928090)
- Microsoft Data Analyzer ActiveX Control Vulnerability (978262)
- ADODB.Stream object from Internet Explorer (KB870669)
- Microsoft DirectShow Remote Code Execution Vulnerability (2845187)
- Microsoft IE Developer Tools WMITools and Windows Messenger ActiveX Control Vulnerability (2508272)