HTTP: Microsoft DirectShow Vulnerable ActiveX Control (ATL)

This signature detects a common ActiveX control that is vulnerable to the Microsoft Active Template Library (ATL) issues announced in MS09-035. If exploited, it can allow the execution of code in the context of the logged in user. Note that this signature is not designed to identify known malicious sites, but simply an alert that a vulnerable and potentially malicious ActiveX control has been accessed. Some Enterprise users may want to use it to block known malicious ActiveX controls, but before doing this, it is recommended the full impact is understood and tested.

Extended Description

Adobe Shockwave Player is prone to a remote code-execution vulnerability because it was compiled against the Microsoft Active Template Library (ATL). Remote attackers can exploit this issue to execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts will likely result in a denial-of-service condition. This issue is caused by the vulnerabilities described in Microsoft security advisory 973883 and is related to the following BIDs: 35828 Microsoft Visual Studio Active Template Library COM Object Remote Code Execution Vulnerability 35830 Microsoft Visual Studio Active Template Library NULL String Information Disclosure Vulnerability 35832 Microsoft Visual Studio ATL 'VariantClear()' Remote Code Execution Vulnerability

Affected Products

Adobe shockwave_player

References

BugTraq: 35845

CVE: CVE-2009-0901

URL: http://www.microsoft.com/atl http://www.icasi.org/alerts.htm http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx

Short Name

HTTP:STC:ATL:DIRECTSHOW

Severity

Major

Recommended

False

Recommended Action

Drop

HTTP: Microsoft DirectShow Vulnerable ActiveX Control (ATL)

Extended Description

Affected Products

References

Found a potential security threat?