Alert GCSA-09062 - MS09-035 Vulnerabilities in Visual Studio Active
******************************************************************
Alert ID : GCSA-09062
Date : 29 July 2009
Title : MS09-035 Vulnerabilities in Visual Studio Active Template Library (969706)
******************************************************************
:: Problem description
This security update addresses several vulnerabilities in the
public version of the Microsoft Active Template Library (ATL)
included in Visual Studio.
This update is intended specifically for developers of
components and controls that use ATL.
The vulnerabilities found could allow a remote attacker to
execute arbitrary code.
:: Affected software
Visual Studio .NET 2003 SP1
Visual Studio 2005 SP1
Visual Studio 2005 SP1 64-bit Hosted Visual C++ Tools
Visual Studio 2008
Visual Studio 2008 SP1
Visual C++ 2005 SP1 Redistributable Package
Visual C++ 2008 Redistributable Package
Visual C++ 2008 SP1 Redistributable Package
:: Impact
Arbitrary code execution
Security Bypass
:: Solutions
Manually install the patch listed in the Microsoft bulletin,
or use one of the update tools such as:
Automatic Updates, Windows Update, Microsoft Update,
Windows Server Update Services.
:: References
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/bulletin/MS09-035.mspx
Microsoft Knowledge Base
http://support.microsoft.com/kb/969706
Microsoft Update
https://update.microsoft.com/microsoftupdate/
Microsoft Security Advisory (973882)
http://www.microsoft.com/technet/security/advisory/973882.mspx
Microsoft Blogs
http://blogs.technet.com/msrc/archive/2009/07/28/microsoft-security-advisory-973882-microsoft-security-bulletins-ms09-034-and-ms09-035-released.aspx
http://blogs.technet.com/srd/archive/2009/07/28/overview-of-the-out-of-band-release.aspx
http://blogs.technet.com/bluehat/archive/2009/07/27/black-hat-usa-atl-killbit-bypass.aspx
http://blogs.msdn.com/sdl/archive/2009/07/28/atl-ms09-035-and-the-sdl.aspx
Mitre's CVE ID
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0901
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2493
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2495
Vupen Security
http://www.vupen.com/english/advisories/2009/2034
Adobe PSIRT
http://blogs.adobe.com/psirt/2009/07/impact_of_microsoft_atl_vulner.html
Cisco Security Advisory
http://www.cisco.com/warp/public/707/cisco-sa-20090728-activex.shtml
Securityfocus Bugtraq ID
http://www.securityfocus.com/bid/35832
http://www.securityfocus.com/bid/35828
http://www.securityfocus.com/bid/35830
US-CERT
http://www.us-cert.gov/cas/techalerts/TA09-209A.html
http://www.kb.cert.org/vuls/id/456745
http://www.kb.cert.org/vuls/id/180513
ISC SANS Diary
http://isc.sans.org/diary.html?storyid=6874