The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold and SP1, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2; does not properly restrict use of OleLoadFromStream in instantiating objects from data streams, which allows remote attackers to execute arbitrary code via a crafted HTML document with an ATL (1) component or (2) control, related to ATL headers and bypassing security policies, aka "ATL COM Initialization Vulnerability."

According to the version number obtained by NTLM the remote host has Windows Server 2008 installed. The host may be vulnerable to a number of vulnerabilities including remote unauthenticated code execution.

Specially crafted Flash (SWF) files can cause a buffer overflow in flash-player. Attackers could potentially exploit that to execute arbitrary code. (CVE-2009-1862 / CVE-2009-0901 / CVE-2009-2395 / CVE-2009-2493 / CVE-2009-1863 / CVE-2009-1864 / CVE-2009-1865 / CVE-2009-1866 / CVE-2009-1867 / CVE-2009-1868 / CVE-2009-1869 / CVE-2009-1870)

IBM Java 5 was updated to Service Refresh 11. It fixes lots of bugs and security issues.

The timezone update to 1.6.9s (with the latest Fiji change).

  - A vulnerability in the Java Runtime Environment with     decoding DER encoded data might allow a remote client to     cause the JRE to crash, resulting in a denial of service     condition. (CVE-2009-3876 / CVE-2009-3877)

  - A buffer overflow vulnerability in the Java Runtime     Environment audio system might allow an untrusted applet     or Java Web Start application to escalate privileges.
    For example, an untrusted applet might grant itself     permissions to read and write local files, or run local     applications that are accessible to the user running the     untrusted applet. (CVE-2009-3867)

  - A buffer overflow vulnerability in the Java Runtime     Environment with parsing image files might allow an     untrusted applet or Java Web Start application to     escalate privileges. For example, an untrusted applet     might grant itself permissions to read and write local     files, or run local applications that are accessible to     the user running the untrusted applet. (CVE-2009-3868)

  - An integer overflow vulnerability in the Java Runtime     Environment with reading JPEG files might allow an     untrusted applet or Java Web Start application to     escalate privileges. For example, an untrusted applet     might grant itself permissions to read and write local     files, or run local applications that are accessible to     the user running the untrusted applet. (CVE-2009-3872)

  - A buffer overflow vulnerability in the Java Runtime     Environment with processing JPEG files might allow an     untrusted applet or Java Web Start application to     escalate privileges. For example, an untrusted applet     might grant itself permissions to read and write local     files, or run local applications that are accessible to     the user running the untrusted applet. (CVE-2009-3873)

  - A security vulnerability in the Java Runtime Environment     with verifying HMAC digests might allow authentication     to be bypassed. This action can allow a user to forge a     digital signature that would be accepted as valid.
    Applications that validate HMAC-based digital signatures     might be vulnerable to this type of attack.
    (CVE-2009-3875)

  - A buffer overflow vulnerability in the Java Runtime     Environment with processing image files might allow an     untrusted applet or Java Web Start application to     escalate privileges. For example, an untrusted applet     might grant itself permissions to read and write local     files or run local applications that are accessible to     the user running the untrusted applet. (CVE-2009-3869)

  - A buffer overflow vulnerability in the Java Runtime     Environment with processing image files might allow an     untrusted applet or Java Web Start application to     escalate privileges. For example, an untrusted applet     might grant itself permissions to read and write local     files or run local applications that are accessible to     the user running the untrusted applet. (CVE-2009-3871)

  - An integer overflow vulnerability in the Java Runtime     Environment with processing JPEG images might allow an     untrusted applet or Java Web Start application to     escalate privileges. For example, an untrusted applet     might grant itself permissions to read and write local     files or run local applications that are accessible to     the user running the untrusted applet. (CVE-2009-3874)

  - The Java Runtime Environment includes the Java Web Start     technology that uses the Java Web Start ActiveX control     to launch Java Web Start in Internet Explorer. A     security vulnerability in the Active Template Library     (ATL) in various releases of Microsoft Visual Studio,     which is used by the Java Web Start ActiveX control,     might allow the Java Web Start ActiveX control to be     leveraged to run arbitrary code. This might occur as the     result of a user of the Java Runtime Environment viewing     a specially crafted web page that exploits this     vulnerability. (CVE-2009-2493)

Please also see http://www.ibm.com/developerworks/java/jdk/alerts/

OpenOffice.org Security Team reports :

Fixed in OpenOffice.org 3.2

CVE-2006-4339: Potential vulnerability from 3rd party libxml2 libraries

CVE-2009-0217: Potential vulnerability from 3rd party libxmlsec libraries

CVE-2009-2493: OpenOffice.org 3 for Windows bundles a vulnerable version of MSVC Runtime

CVE-2009-2949: Potential vulnerability related to XPM file processing

CVE-2009-2950: Potential vulnerability related to GIF file processing

CVE-2009-3301/2: Potential vulnerability related to MS-Word document processing

The version of OpenOffice installed on the remote host is earlier than 3.2.  Such versions are potentially affected by several issues : 

  - Signatures may not be handled properly due to a vulnerability in the libxml2 library. (CVE-2006-4339)

  - There is an HMAC truncation authentication bypass vulnerability in the libxmlsec library. (CVE-2009-0217)

  - The application is bundled with a vulnerable version of the Microsoft VC++ runtime. (CVE-2009-2493)

  - Specially crafted XPM files are not processed properly, which could lead to arbitrary code execution. (CVE-2009-2949)

  - Specially crafted GIF files are not processed properly, which could lead to arbitrary code execution. (CVE-2009-2950)

  - Specially crafted Microsoft Word documents are not processed properly, which could lead to arbitrary code execution. (CVE-2009-3301 / CVE-2009-3302)

The version of Sun Microsystems OpenOffice.org installed on the remote host is prior to version 3.2. It is, therefore, affected by several issues :

  - Signatures may not be handled properly due to a     vulnerability in the libxml2 library. (CVE-2006-4339)

  - There is an HMAC truncation authentication bypass     vulnerability in the libxmlsec library. (CVE-2009-0217)

  - The application is bundled with a vulnerable version of     the Microsoft VC++ runtime. (CVE-2009-2493)

  - Specially crafted XPM files are not processed properly,     which could lead to arbitrary code execution.
    (CVE-2009-2949)

  - Specially crafted GIF files are not processed properly,     which could lead to arbitrary code execution.
    (CVE-2009-2950)

  - Specially crafted Microsoft Word documents are not     processed properly, which could lead to arbitrary code     execution. (CVE-2009-3301 / CVE-2009-3302)

IBM Java 5 was updated to Service Refresh 11. It fixes lots of bugs and security issues. It also contains a timezone update for the current Fiji change (timezone 1.6.9s).

The update fixes the following security issues : 

  - A vulnerability in the Java Runtime Environment with     decoding DER encoded data might allow a remote client to     cause the JRE to crash, resulting in a denial of service     condition. (CVE-2009-3876, CVE-2009-3877)

  - A buffer overflow vulnerability in the Java Runtime     Environment audio system might allow an untrusted applet     or Java Web Start application to escalate privileges.
    For example, an untrusted applet might grant itself     permissions to read and write local files, or run local     applications that are accessible to the user running the     untrusted applet. (CVE-2009-3867)

  - A buffer overflow vulnerability in the Java Runtime     Environment with parsing image files might allow an     untrusted applet or Java Web Start application to     escalate privileges. For example, an untrusted applet     might grant itself permissions to read and write local     files, or run local applications that are accessible to     the user running the untrusted applet. (CVE-2009-3868)

  - An integer overflow vulnerability in the Java Runtime     Environment with reading JPEG files might allow an     untrusted applet or Java Web Start application to     escalate privileges. For example, an untrusted applet     might grant itself permissions to read and write local     files, or run local applications that are accessible to     the user running the untrusted applet. (CVE-2009-3872)

  - A buffer overflow vulnerability in the Java Runtime     Environment with processing JPEG files might allow an     untrusted applet or Java Web Start application to     escalate privileges. For example, an untrusted applet     might grant itself permissions to read and write local     files, or run local applications that are accessible to     the user running the untrusted applet. (CVE-2009-3873)

  - A security vulnerability in the Java Runtime Environment     with verifying HMAC digests might allow authentication     to be bypassed. This action can allow a user to forge a     digital signature that would be accepted as valid.
    Applications that validate HMAC-based digital signatures     might be vulnerable to this type of attack.
    (CVE-2009-3875)

  - A buffer overflow vulnerability in the Java Runtime     Environment with processing image files might allow an     untrusted applet or Java Web Start application to     escalate privileges. For example, an untrusted applet     might grant itself permissions to read and write local     files or run local applications that are accessible to     the user running the untrusted applet. (CVE-2009-3869)

  - A buffer overflow vulnerability in the Java Runtime     Environment with processing image files might allow an     untrusted applet or Java Web Start application to     escalate privileges. For example, an untrusted applet     might grant itself permissions to read and write local     files or run local applications that are accessible to     the user running the untrusted applet. (CVE-2009-3871)

  - An integer overflow vulnerability in the Java Runtime     Environment with processing JPEG images might allow an     untrusted applet or Java Web Start application to     escalate privileges. For example, an untrusted applet     might grant itself permissions to read and write local     files or run local applications that are accessible to     the user running the untrusted applet. (CVE-2009-3874)

  - The Java Runtime Environment includes the Java Web Start     technology that uses the Java Web Start ActiveX control     to launch Java Web Start in Internet Explorer. A     security vulnerability in the Active Template Library     (ATL) in various releases of Microsoft Visual Studio,     which is used by the Java Web Start ActiveX control,     might allow the Java Web Start ActiveX control to be     leveraged to run arbitrary code. This might occur as the     result of a user of the Java Runtime Environment viewing     a specially crafted web page that exploits this     vulnerability. (CVE-2009-2493)

Please also refer to http://www.ibm.com/developerworks/java/jdk/alerts for more information about this update.

The remote host is missing IE Security Update 976325.

The remote version of IE is affected by several vulnerabilities that may allow an attacker to execute arbitrary code on the remote host.

The IBM Java 6 JRE/SDK was updated to Service Release 6, fixing various bugs and security issues.

The following security issues were fixed :

  - A security vulnerability in the JNLPAppletLauncher might     impact users of the Sun JDK and JRE. Non-current     versions of the JNLPAppletLauncher might be re-purposed     with an untrusted Java applet to write arbitrary files     on the system of the user downloading and running the     untrusted applet. (CVE-2009-2676)

The JNLPAppletLauncher is a general purpose JNLP-based applet launcher class for deploying applets that use extension libraries containing native code.

  - The Java Runtime Environment includes the Java Web Start     technology that uses the Java Web Start ActiveX control     to launch Java Web Start in Internet Explorer. A     security vulnerability in the Active Template Library     (ATL) in various releases of Microsoft Visual Studio,     which is used by the Java Web Start ActiveX control,     might allow the Java Web Start ActiveX control to be     leveraged to run arbitrary code. This might occur as the     result of a user of the Java Runtime Environment viewing     a specially crafted web page that exploits this     vulnerability. (CVE-2009-2493)

  - A vulnerability in the Java Runtime Environment audio     system might allow an untrusted applet or Java Web Start     application to access system properties. (CVE-2009-2670)

  - A vulnerability with verifying HMAC-based XML digital     signatures in the XML Digital Signature implementation     included with the Java Runtime Environment (JRE) might     allow authentication to be bypassed. Applications that     validate HMAC-based XML digital signatures might be     vulnerable to this type of attack. (CVE-2009-0217)

Note: This vulnerability cannot be exploited by an untrusted applet or Java Web Start application.

  - A vulnerability in the Java Runtime Environment with the     SOCKS proxy implementation might allow an untrusted     applet or Java Web Start application to determine the     username of the user running the applet or application.
    (CVE-2009-2671 / CVE-2009-2672)

A second vulnerability in the Java Runtime Environment with the proxy mechanism implementation might allow an untrusted applet or Java Web Start application to obtain browser cookies and leverage those cookies to hijack sessions.

  - A vulnerability in the Java Runtime Environment with the     proxy mechanism implementation might allow an untrusted     applet or Java Web Start application to make     non-authorized socket or URL connections to hosts other     than the origin host. (CVE-2009-2673)

  - An integer overflow vulnerability in the Java Runtime     Environment with processing JPEG images might allow an     untrusted Java Web Start application to escalate     privileges. For example, an untrusted application might     grant itself permissions to read and write local files     or run local applications that are accessible to the     user running the untrusted applet. (CVE-2009-2674)

  - An integer overflow vulnerability in the Java Runtime     Environment with unpacking applets and Java Web Start     applications using the unpack200 JAR unpacking utility     might allow an untrusted applet or application to     escalate privileges. For example, an untrusted applet     might grant itself permissions to read and write local     files or run local applications that are accessible to     the user running the untrusted applet. (CVE-2009-2675)

  - A vulnerability in the Java Runtime Environment (JRE)     with parsing XML data might allow a remote client to     create a denial-of-service condition on the system that     the JRE runs on. (CVE-2009-2625)

One or more ActiveX controls included in Microsoft Outlook or Visio and installed on the remote Windows host was compiled with a version of Microsoft Active Template Library (ATL) that is affected by potentially several vulnerabilities :

  - An issue in the ATL headers could allow an attacker to     force VariantClear to be called on a VARIANT that has     not been correctly initialized and, by supplying a     corrupt stream, to execute arbitrary code.
    (CVE-2009-0901)

  - Unsafe usage of 'OleLoadFromStream' could allow     instantiation of arbitrary objects which can bypass     related security policy, such as kill bits within     Internet Explorer. (CVE-2009-2493)

  - An attacker who is able to run a malicious component or     control built using Visual Studio ATL can, by     manipulating a string with no terminating NULL byte,     read extra data beyond the end of the string and thus     disclose information in memory. (CVE-2009-2495)

Microsoft ActiveX controls that were compiled using the vulnerable Active Template Library described in Microsoft Security Bulletin MS09-035 have remote code execution vulnerabilities.  A remote attacker could exploit them to execute arbitrary code by tricking a user into requesting a maliciously crafted web page.

Specially crafted Flash (SWF) files can cause a buffer overflow in flash-player. Attackers could potentially exploit that to execute arbitrary code (CVE-2009-1862, CVE-2009-0901, CVE-2009-2395, CVE-2009-2493, CVE-2009-1863, CVE-2009-1864, CVE-2009-1865, CVE-2009-1866, CVE-2009-1867, CVE-2009-1868, CVE-2009-1869, CVE-2009-1870).

The remote Windows host contains a version of the Microsoft Active Template Library (ATL), included as part of Visual Studio or Visual C++, that is affected by multiple vulnerabilities :

  - A remote code execution issue affects the Microsoft     Video ActiveX Control due to the a flaw in the function     'CComVariant::ReadFromStream' used in the ATL header,     which fails to properly restrict untrusted data read     from a stream. (CVE-2008-0015)

  - A remote code execution issue exists in the Microsoft     Active Template Library due to an error in the 'Load'     method of the 'IPersistStreamInit' interface, which     could allow calls to 'memcpy' with untrusted data.
    (CVE-2008-0020)

  - An issue in the ATL headers could allow an attacker to     force VariantClear to be called on a VARIANT that has     not been correctly initialized and, by supplying a     corrupt stream, to execute arbitrary code.
    (CVE-2009-0901)

  - Unsafe usage of 'OleLoadFromStream' could allow     instantiation of arbitrary objects which can bypass     related security policy, such as kill bits within     Internet Explorer. (CVE-2009-2493)

  - A bug in the ATL header could allow reading a variant     from a stream and leaving the variant type read with     an invalid variant, which could be leveraged by an     attacker to execute arbitrary code remotely.
    (CVE-2009-2494)

The remote Windows host contains a version of the Microsoft Active Template Library (ATL), included as part of Visual Studio or Visual C++, that is affected by multiple vulnerabilities :

  - On systems with components and controls installed that     were built using Visual Studio ATL, an issue in the ATL     headers could allow an attacker to force VariantClear     to be called on a VARIANT that has not been correctly     initialized and, by supplying a corrupt stream, to     execute arbitrary code. (CVE-2009-0901)

  - On systems with components and controls installed that     were built using Visual Studio ATL, unsafe usage of     OleLoadFromStream could allow instantiation of     arbitrary objects that can bypass related security     policy, such as kill bits within Internet Explorer.
    (CVE-2009-2493)

  - On systems with components and controls installed that     were built using Visual Studio ATL, an issue in the ATL     headers could allow a string to be read without a     terminating NULL character, which could lead to     disclosure of information in memory. (CVE-2009-2495)

The remote Windows host contains a version of Adobe Flash Player that is earlier than 9.0.246.0 / 10.0.32.18. Such versions are reportedly affected by multiple vulnerabilities : 

  - A memory corruption vulnerability that could potentially     lead to code execution. (CVE-2009-1862) 

  - A vulnerability in the Microsoft Active Template Library     (ATL) which could allow an attacker who successfully     exploits the vulnerability to take control of the     affected system. (CVE-2009-0901, CVE-2009-2395,     CVE-2009-2493) 

  - A privilege escalation vulnerability that could     potentially lead to code execution. (CVE-2009-1863)

  - A heap overflow vulnerability that could potentially     lead to code execution. (CVE-2009-1864) 

  - A NULL pointer vulnerability that could potentially     lead to code execution. (CVE-2009-1865) 

  - A stack overflow vulnerability that could potentially     lead to code execution. (CVE-2009-1866) 

  - A clickjacking vulnerability that could allow an     attacker to lure a web browser user into unknowingly     clicking on a link or dialog. (CVE-2009-1867 

  - A URL parsing heap overflow vulnerability that could     potentially lead to code execution. (CVE-2009-1868)

  - An integer overflow vulnerability that could potentially     lead to code execution. (CVE-2009-1869) 

  - A local sandbox vulnerability that could potentially     lead to information disclosure when SWFs are saved to     the hard drive. CVE-2009-1870)

The remote Windows host contains a version of Adobe's Shockwave Player that is earlier than 11.5.0.601. Such versions were compiled against a version of Microsoft's Active Template Library (ATL) that contained a vulnerability. If an attacker can trick a user of the affected software into opening such a file, this issue could be leveraged to execute arbitrary code with the privileges of that user.

ID	Name	Product	Family	Severity
108811	Windows Server 2008 Critical RCE Vulnerabilities (uncredentialed) (PCI/DSS)	Nessus	Windows	critical
51731	SuSE 10 Security Update : flash-player (ZYPP Patch Number 6386)	Nessus	SuSE Local Security Checks	high
49863	SuSE 10 Security Update : IBM Java 1.5.0 (ZYPP Patch Number 6741)	Nessus	SuSE Local Security Checks	high
44922	FreeBSD : openoffice.org -- multiple vulnerabilities (c97d7a37-2233-11df-96dd-001b2134ef46)	Nessus	FreeBSD Local Security Checks	high
5339	OpenOffice < 3.2 Multiple Vulnerabilities	Nessus Network Monitor	Generic	medium
44597	Sun OpenOffice.org < 3.2 Multiple Vulnerabilities	Nessus	Windows	high
43822	SuSE 10 Security Update : IBM Java 1.5.0 (ZYPP Patch Number 6740)	Nessus	SuSE Local Security Checks	high
43599	SuSE9 Security Update : IBM Java 1.5.0 (YOU Patch Number 12564)	Nessus	SuSE Local Security Checks	high
43064	MS09-072: Cumulative Security Update for Internet Explorer (976325)	Nessus	Windows : Microsoft Bulletins	high
42396	SuSE 11 Security Update : IBM Java 1.6.0 (SAT Patch Number 1497)	Nessus	SuSE Local Security Checks	critical
42116	MS09-060: Vulnerabilities in Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office Could Allow Remote Code Execution (973965)	Nessus	Windows : Microsoft Bulletins	high
42111	MS09-055: Cumulative Security Update of ActiveX Kill Bits (973525)	Nessus	Windows : Microsoft Bulletins	medium
42001	openSUSE 10 Security Update : flash-player (flash-player-6387)	Nessus	SuSE Local Security Checks	high
41392	SuSE 11 Security Update : flash-player (SAT Patch Number 1149)	Nessus	SuSE Local Security Checks	high
40556	MS09-037: Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908)	Nessus	Windows : Microsoft Bulletins	high
40489	openSUSE Security Update : flash-player (flash-player-1148)	Nessus	SuSE Local Security Checks	high
40488	openSUSE Security Update : flash-player (flash-player-1148)	Nessus	SuSE Local Security Checks	high
40435	MS09-035: Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706)	Nessus	Windows : Microsoft Bulletins	high
40434	Flash Player < 9.0.246.0 / 10.0.32.18 Multiple Vulnerabilities (APSB09-10)	Nessus	Windows	high
40421	Shockwave Player < 11.5.0.601 Multiple Vulnerabilities (APSB09-11)	Nessus	Windows	high

Detections

Analytics

CVE-2009-2493

high

Tenable Plugins

critical

high

high

high

medium

high

high

high

high

critical

high

medium

high

high

high

high

high

high

high

high