Microsoft ATL/MFC ActiveX Type Confusion Vulnerability
31 Aug. 2009
Summary
Remote exploitation of a type confusion vulnerability in Microsoft Corp.'s ATL/MFC ActiveX code, as included in various vendors' ActiveX controls, could allow an attacker to execute arbitrary code within Internet Explorer (IE). Microsoft's Component Object Model (COM) was designed to allow interoperability between separate software components. It is a standardized interface solution to the programming dilemmas involved in object-oriented programming, distributed transactions, and inter-language communication. Microsoft's Active Template Library (ATL) is a set of C++ templates that simplify developing COM objects.
Vulnerable Systems:
* Microsoft ATL/MFC version 3.0
One aspect of COM is a process called initialization, which allows a program to load and store a COM object within various containers, such as OLE compound storage files and raw streams.
Depending on certain characteristics of an OLE component built with certain versions of the Microsoft ATL, it is possible to cause an object to use a variant of type VT_BSTR as an object of a different type. In certain circumstances, an encoded BSTR can cause the ATL code to set the COM type without checking whether the coercion to that type succeeded. Upon return, the BSTR is treated as an object, allowing an attacker to specify an address to call.
Successful exploitation of this vulnerability results in the execution of arbitrary code. Attack vectors include Internet Explorer, WordPad, Microsoft Office, and any other program that loads arbitrary persistence data.
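As an added illustration, not code from the advisory or from ATL itself, the following constructed C++ simulation shows the bug class described above: a persisted VARIANT whose type tag is taken from the stream even when coercing the stored BSTR to that type failed, beside a checked version that rejects the entry instead. All types and function names are hypothetical stand-ins for the real COM/ATL ones.

```cpp
// Constructed illustration (not ATL's or Microsoft's code) of the bug class in
// the advisory: a persisted VARIANT whose type tag is taken from the stream
// even when coercing the stored BSTR to that type failed. All names are
// hypothetical stand-ins for the real COM/ATL types.
#include <cstdint>
#include <string>
enum VarType : uint16_t { VT_EMPTY = 0, VT_I4 = 3, VT_BSTR = 8, VT_DISPATCH = 9 };
struct Variant {               // minimal stand-in for a COM VARIANT
    uint16_t vt = VT_EMPTY;    // type tag that consumers trust when using the payload
    int32_t lVal = 0;          // payload when vt == VT_I4
    const void* ptr = nullptr; // payload when vt is VT_BSTR or VT_DISPATCH
};

struct Record { VarType requested_vt; std::string bstr; }; // one persisted entry

// Hypothetical coercion: only BSTR -> I4 on all-digit text succeeds. Returns
// false and leaves *out untouched otherwise, as a real coercion would.
static bool coerce_bstr(const std::string& s, uint16_t target, Variant* out) {
    if (target == VT_I4 && !s.empty() &&
        s.find_first_not_of("0123456789") == std::string::npos) {
        out->vt = VT_I4; out->lVal = std::stoi(s); out->ptr = nullptr;
        return true;
    }
    return false; // text never coerces to an interface pointer
}

// Vulnerable pattern: coercion result ignored and the tag overwritten
// unconditionally, so BSTR bytes are later used as whatever the tag claims.
Variant read_unchecked(const Record& r) {
    Variant v; v.vt = VT_BSTR; v.ptr = r.bstr.c_str();
    coerce_bstr(r.bstr, r.requested_vt, &v); // return value dropped
    v.vt = r.requested_vt;                   // tag no longer matches payload
    return v;
}

// Hardened pattern: the tag changes only when coercion reports success;
// on failure the entry is rejected (VT_EMPTY) rather than trusted.
Variant read_checked(const Record& r, bool* ok) {
    Variant v; v.vt = VT_BSTR; v.ptr = r.bstr.c_str();
    *ok = coerce_bstr(r.bstr, r.requested_vt, &v);
    if (!*ok) { v.vt = VT_EMPTY; v.ptr = nullptr; }
    return v;
}

// Detection helper: true when the tag claims an object but the payload is
// still the BSTR text from the record, i.e. the confusion the advisory describes.
bool tag_mismatches_payload(const Variant& v, const Record& r) {
    return v.vt == VT_DISPATCH && v.ptr == static_cast<const void*>(r.bstr.c_str());
}
```

The unchecked reader hands back a VT_DISPATCH whose pointer field still refers to attacker-supplied text, which is the point at which an object call becomes an attacker-chosen address; the checked reader never lets the tag and payload disagree.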
Disclosure Timeline:
12/05/2008 Initial Contact
07/29/2009 Material presented at BlackHat USA
08/11/2009 Public disclosure via MS09-037