Signature Detail

HTTP: Microsoft DirectShow Vulnerable ActiveX Control (ATL)

This signature detects a common ActiveX control that is vulnerable to the Microsoft Active Template Library (ATL) issues announced in MS09-035. If exploited, it can allow the execution of code in the context of the logged in user. Note that this signature is not designed to identify known malicious sites, but simply an alert that a vulnerable and potentially malicious ActiveX control has been accessed. Some Enterprise users may want to use it to block known malicious ActiveX controls, but before doing this, it is recommended the full impact is understood and tested.

Extended Description

Adobe Shockwave Player is prone to a remote code-execution vulnerability because it was compiled against the Microsoft Active Template Library (ATL). Remote attackers can exploit this issue to execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts will likely result in a denial-of-service condition. This issue is caused by the vulnerabilities described in Microsoft security advisory 973883 and is related to the following BIDs: 35828 Microsoft Visual Studio Active Template Library COM Object Remote Code Execution Vulnerability 35830 Microsoft Visual Studio Active Template Library NULL String Information Disclosure Vulnerability 35832 Microsoft Visual Studio ATL 'VariantClear()' Remote Code Execution Vulnerability

Affected Products

• Adobe Shockwave Player 10
• Adobe Shockwave Player 10.2.0.023
• Adobe Shockwave Player 11.5.0.596
• Adobe Shockwave Player 11.5.0.600

References

• BugTraq: 35845
• CVE: CVE-2009-0901
• URL: http://www.microsoft.com/atl
• URL: http://www.icasi.org/alerts.htm
• URL: http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx