製品・ソフトウェアに関する情報

JVN脆弱性詳細

Microsoft Visual Studio の ATL におけるオブジェクトのインスタンス化処理に関する任意のコードを実行される脆弱性

Title	Microsoft Visual Studio の ATL におけるオブジェクトのインスタンス化処理に関する任意のコードを実行される脆弱性
Summary	Microsoft Visual Studio の Active Template Library (ATL) には、データストリームからオブジェクトのインスタンス化処理に不備があるため、任意のコードを実行される脆弱性が存在します。
Possible impacts	巧妙に細工された HTML ドキュメントにより、任意のコードを実行される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	July 28, 2009, midnight
Registration Date	Aug. 31, 2009, 4:39 p.m.
Last Update	Jan. 14, 2011, 2:32 p.m.

CVSS2.0 : 危険
Score	9.3
Vector	AV:N/AC:M/Au:N/C:C/I:C/A:C

Affected System

サン・マイクロシステムズ

JDK 5.0 Update 20 未満

JDK 6 Update 15 未満

JRE 1.4.2_22 未満

JRE 5.0 Update 20 未満

JRE 6 Update 15 未満

SDK 1.4.2_22 未満

マイクロソフト

Microsoft Internet Explorer 5.01

Microsoft Internet Explorer 6

Microsoft Outlook 2002

Microsoft Outlook 2003

Microsoft Outlook 2007

Microsoft Visio 2002 Viewer

Microsoft Visio 2003 Viewer

Microsoft Visio Viewer 2007

Microsoft Visual C++ 2005 再頒布可能パッケージ

Microsoft Visual C++ 2008 再頒布可能パッケージ

Microsoft Visual Studio .NET 2003

Microsoft Visual Studio 2005

Microsoft Visual Studio 2005 64-bit Hosted Visual C++ Tools

Microsoft Visual Studio 2008

Microsoft Windows 2000

Microsoft Windows 7 (x32)

Microsoft Windows 7 (x64)

Microsoft Windows Server 2003

Microsoft Windows Server 2003 (itanium)

Microsoft Windows Server 2003 (x64)

Microsoft Windows Server 2008 (itanium)

Microsoft Windows Server 2008 (x64)

Microsoft Windows Server 2008 (x86)

Microsoft Windows Server 2008 r2(itanium)

Microsoft Windows Server 2008 r2(x64)

Microsoft Windows Vista

Microsoft Windows Vista (x64)

Microsoft Windows XP

Microsoft Windows XP (x64)

Microsoft Windows XP sp3

アドビシステムズ

Adobe Acrobat 9.1.2 およびそれ以前

Adobe AIR 1.5.1 およびそれ以前

Adobe Flash Player 10.0.22.87 およびそれ以前

Adobe Flash Player 9.0.159.0 およびそれ以前

Adobe Reader 9.1.2 およびそれ以前

Adobe Shockwave Player 11.5.0.600 およびそれ以前

日本電気

LaVie シリーズ（発表時期が2009年7月の製品まで）

Mate

VALUESTAR シリーズ

VersaPro シリーズ（発表時期が2010年1月の製品まで）

OpenOffice.org Project

OpenOffice.org 3.2 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2009-2493	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2493
National Vulnerability Database (NVD)
2	CVE-2009-2493	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2493
OpenOffice.org
3	CVE-2009-2493	http://www.openoffice.org/security/cves/CVE-2009-2493.html

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-264	https://jvndb.jvn.jp/ja/cwe/CWE-264.html

ベンダー情報

No	Name	URL
Adobe Security Bulletin
1	APSA09-04	http://www.adobe.com/support/security/advisories/apsa09-04.html
2	APSB09-10	http://www.adobe.com/support/security/bulletins/apsb09-10.html
3	APSB09-11	http://www.adobe.com/support/security/bulletins/apsb09-11.html
Adobe セキュリティ情報
4	APSA09-04	http://www.adobe.com/jp/support/security/advisories/apsa09-04.html
5	APSB09-10	http://www.adobe.com/jp/support/security/bulletins/apsb09-10.html
6	APSB09-11	http://www.adobe.com/jp/support/security/bulletins/apsb09-11.html
Microsoft Security Advisory
7	973882	http://www.microsoft.com/technet/security/advisory/973882.mspx
Microsoft Security Bulletin
8	MS09-035	http://www.microsoft.com/technet/security/bulletin/MS09-035.mspx
9	MS09-037	http://www.microsoft.com/technet/security/Bulletin/MS09-037.mspx
10	MS09-055	http://www.microsoft.com/technet/security/bulletin/MS09-055.mspx
11	MS09-060	http://www.microsoft.com/technet/security/bulletin/MS09-060.mspx
12	MS09-072	http://www.microsoft.com/technet/security/bulletin/ms09-072.mspx
NEC製品セキュリティ情報
13	NV09-015	http://www.nec.co.jp/security-info/secinfo/nv09-015.html
Sun Alert Notification
14	264648	http://sunsolve.sun.com/search/document.do?assetkey=1-66-264648-1
マイクロソフトセキュリティアドバイザリ
15	973882	http://www.microsoft.com/japan/technet/security/advisory/973882.mspx
マイクロソフトセキュリティ情報
16	MS09-035	http://www.microsoft.com/japan/technet/security/bulletin/ms09-035.mspx
17	MS09-037	http://www.microsoft.com/japan/technet/security/bulletin/ms09-037.mspx
18	MS09-055	http://www.microsoft.com/japan/technet/security/bulletin/ms09-055.mspx
19	MS09-060	http://www.microsoft.com/japan/technet/security/bulletin/ms09-060.mspx
20	MS09-072	http://www.microsoft.com/japan/technet/security/bulletin/ms09-072.mspx
富士通セキュリティ情報
21	TA09-209A	http://software.fujitsu.com/jp/security/vulnerabilities/ta09-209a.html
22	TA09-223A	http://software.fujitsu.com/jp/security/vulnerabilities/ta09-223a.html
23	TA09-286A	http://software.fujitsu.com/jp/security/vulnerabilities/ta09-286a.html
24	TA09-342A	http://software.fujitsu.com/jp/security/vulnerabilities/ta09-342a.html
絵でみるセキュリティ情報
25	MS09-035e	http://www.microsoft.com/japan/security/bulletins/MS09-035e.mspx
26	MS09-037e	http://www.microsoft.com/japan/security/bulletins/MS09-037e.mspx
27	MS09-055e	http://www.microsoft.com/japan/security/bulletins/MS09-055e.mspx
28	MS09-060e	http://www.microsoft.com/japan/security/bulletins/MS09-060e.mspx
29	MS09-072e	http://www.microsoft.com/japan/security/bulletins/MS09-072e.mspx

その他

No	Name	URL
IPA 緊急対策情報
1	20090803-adobe	http://www.ipa.go.jp/security/ciadr/vul/20090803-adobe.html
2	20090812-ms09-037	http://www.ipa.go.jp/security/ciadr/vul/20090812-ms09-037.html
3	20091209-ms09-072	http://www.ipa.go.jp/security/ciadr/vul/20091209-ms09-072.html
JPCERT 緊急報告
4	JPCERT-AT-2009-0014	https://www.jpcert.or.jp/at/2009/at090014.txt
5	JPCERT-AT-2009-0015	https://www.jpcert.or.jp/at/2009/at090015.txt
6	JPCERT-AT-2009-0017	https://www.jpcert.or.jp/at/2009/at090017.txt
7	JPCERT-AT-2009-0020	https://www.jpcert.or.jp/at/2009/at090020.txt
JVN
8	JVNTA09-209A	http://jvn.jp/cert/JVNTA09-209A/
9	JVNTA09-223A	http://jvn.jp/cert/JVNTA09-223A/
10	JVNTA09-286A	http://jvn.jp/cert/JVNTA09-286A/
JVN Status Tracking Notes
11	JVNTR-2009-19	http://jvn.jp/tr/JVNTR-2009-19
12	JVNTR-2009-21	http://jvn.jp/tr/JVNTR-2009-21
13	JVNTR-2009-23	http://jvn.jp/tr/JVNTR-2009-23/
14	JVNTR-2009-27	http://jvn.jp/tr/JVNTR-2009-27/index.html
Secunia Advisory
15	SA35967	http://secunia.com/advisories/35967
16	SA36187	http://secunia.com/advisories/36187
17	SA36997	http://secunia.com/advisories/36997/
18	SA37005	http://secunia.com/advisories/37005/
US-CERT Cyber Security Alerts
19	SA09-209A	http://www.us-cert.gov/cas/alerts/SA09-209A.html
20	SA09-223A	http://www.us-cert.gov/cas/alerts/SA09-223A.html
21	SA09-286A	http://www.us-cert.gov/cas/alerts/SA09-286A.html
22	SA09-342A	http://www.us-cert.gov/cas/alerts/SA09-342A.html
US-CERT Technical Cyber Security Alert
23	TA09-209A	http://www.us-cert.gov/cas/techalerts/TA09-209A.html
24	TA09-223A	http://www.us-cert.gov/cas/techalerts/TA09-223A.html
25	TA09-286A	http://www.us-cert.gov/cas/techalerts/TA09-286A.html
26	TA09-342A	http://www.us-cert.gov/cas/techalerts/TA09-342A.html
US-CERT Vulnerability Note
27	VU#456745	http://www.kb.cert.org/vuls/id/456745
VUPEN Security
28	VUPEN/ADV-2009-2034	http://www.vupen.com/english/advisories/2009/2034
29	VUPEN/ADV-2009-2065	http://www.vupen.com/english/advisories/2009/2065
30	VUPEN/ADV-2009-2086	http://www.vupen.com/english/advisories/2009/2086
31	VUPEN/ADV-2009-2232	http://www.vupen.com/english/advisories/2009/2232
32	VUPEN/ADV-2009-2890	http://www.vupen.com/english/advisories/2009/2890
33	VUPEN/ADV-2009-2895	http://www.vupen.com/english/advisories/2009/2895
警察庁 @police
34	マイクロソフト社のセキュリティ修正プログラムについて(MS09-034,035)	http://www.npa.go.jp/cyberpolice/#topics
35	マイクロソフト社のセキュリティ修正プログラムについて(MS09-036,037,038,039,040,041,042,043,044)	http://www.npa.go.jp/cyberpolice/#topics
36	マイクロソフト社のセキュリティ修正プログラムについて(MS09-050,051,052,053,054,055,056,057,058,059,060,061,062)	http://www.npa.go.jp/cyberpolice/#topics
37	マイクロソフト社のセキュリティ修正プログラムについて(MS09-069,070,071,072,073,074)	http://www.npa.go.jp/cyberpolice/#topics

Change Log

No	Changed Details	Date of change
0	[2009年08月31日] 掲載 [2009年10月30日] 影響を受けるシステム：マイクロソフト (MS09-055) の情報を追加影響を受けるシステム：マイクロソフト (MS09-060) の情報を追加ベンダ情報：マイクロソフト (MS09-055) を追加ベンダ情報：マイクロソフト (MS09-060) を追加 [2010年01月19日] 影響を受けるシステム：マイクロソフト (MS09-072) の情報を追加ベンダ情報：マイクロソフト (MS09-072) を追加 [2010年02月26日] 影響を受けるシステム：OpenOffice.org (CVE-2009-2493) の情報を追加ベンダ情報：OpenOffice.org (CVE-2009-2493) を追加 [2011年01月14日] 影響を受けるシステム：日本電気 (NV09-015) の情報を追加ベンダ情報：日本電気 (NV09-015) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2009-2493

Summary	The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold and SP1, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2; does not properly restrict use of OleLoadFromStream in instantiating objects from data streams, which allows remote attackers to execute arbitrary code via a crafted HTML document with an ATL (1) component or (2) control, related to ATL headers and bypassing security policies, aka "ATL COM Initialization Vulnerability."
Publication Date	July 30, 2009, 2:30 a.m.
Registration Date	Jan. 29, 2021, 1:20 p.m.
Last Update	Oct. 13, 2018, 6:51 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:microsoft:visual_c\+\+:2005:sp1::::::
cpe:2.3:a:microsoft:visual_c\+\+:2008:::::::*
cpe:2.3:a:microsoft:visual_c\+\+:2008:sp1::::::

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:microsoft:windows_2000::sp4::::::*
cpe:2.3:o:microsoft:windows_2003_server::sp2::::::*
cpe:2.3:o:microsoft:windows_server_2008::sp2::::::*
cpe:2.3:o:microsoft:windows_server_2008:-:::::::*
cpe:2.3:o:microsoft:windows_vista::sp1::::::*
cpe:2.3:o:microsoft:windows_vista::sp2::::::*
cpe:2.3:o:microsoft:windows_vista:-:::::::*
cpe:2.3:o:microsoft:windows_xp::sp2::::::*
cpe:2.3:o:microsoft:windows_xp::sp3::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:a:microsoft:visual_studio:2003:sp1::::::
cpe:2.3:a:microsoft:visual_studio:2005:sp1::::::
cpe:2.3:a:microsoft:visual_studio:2008:::::::*
cpe:2.3:a:microsoft:visual_studio:2008:sp1::::::

Related information, measures and tools

No	URL	refsource	タグ
1	http://blogs.technet.com/srd/archive/2009/08/11/ms09-037-why-we-are-using-cve-s-already-used-in-ms09-035.aspx	MISC	Broken Link
2	http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html	SUSE	Third Party Advisory
3	http://marc.info/?l=bugtraq&m=126592505426855&w=2	HP	Third Party Advisory
4	http://secunia.com/advisories/35967	SECUNIA
5	http://secunia.com/advisories/36187	SECUNIA
6	http://secunia.com/advisories/36374	SECUNIA
7	http://secunia.com/advisories/36746	SECUNIA
8	http://secunia.com/advisories/38568	SECUNIA
9	http://secunia.com/advisories/41818	SECUNIA
10	http://sunsolve.sun.com/search/document.do?assetkey=1-66-264648-1	SUNALERT	Broken Link
11	http://sunsolve.sun.com/search/document.do?assetkey=1-66-266108-1	SUNALERT	Broken Link
12	http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020775.1-1	SUNALERT	Broken Link
13	http://www.adobe.com/support/security/advisories/apsa09-04.html	CONFIRM	Patch Third Party Advisory
14	http://www.adobe.com/support/security/bulletins/apsb09-10.html	CONFIRM	Third Party Advisory
15	http://www.adobe.com/support/security/bulletins/apsb09-11.html	CONFIRM	Patch Third Party Advisory
16	http://www.adobe.com/support/security/bulletins/apsb09-13.html	CONFIRM	Third Party Advisory
17	http://www.novell.com/support/viewContent.do?externalId=7004997&sliceId=1	CONFIRM	Third Party Advisory
18	http://www.openoffice.org/security/cves/CVE-2009-2493.html	CONFIRM	Third Party Advisory
19	http://www.us-cert.gov/cas/techalerts/TA09-195A.html	CERT	Third Party Advisory US Government Resource
20	http://www.us-cert.gov/cas/techalerts/TA09-223A.html	CERT	Third Party Advisory US Government Resource
21	http://www.us-cert.gov/cas/techalerts/TA09-286A.html	CERT	Third Party Advisory US Government Resource
22	http://www.us-cert.gov/cas/techalerts/TA09-342A.html	CERT	Third Party Advisory US Government Resource
23	http://www.vupen.com/english/advisories/2009/2034	VUPEN
24	http://www.vupen.com/english/advisories/2009/2232	VUPEN
25	http://www.vupen.com/english/advisories/2010/0366	VUPEN
26	https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-035	MS
27	https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-037	MS
28	https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-055	MS
29	https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-060	MS
30	https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-072	MS
31	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6245	OVAL
32	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6304	OVAL
33	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6421	OVAL
34	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6473	OVAL
35	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6621	OVAL
36	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6716	OVAL

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-264	認可・権限・アクセス制御	https://cwe.mitre.org/data/definitions/264.html

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:microsoft:windows_2000::sp4::::::*
cpe:2.3:o:microsoft:windows_2003_server::sp2::::::*
cpe:2.3:o:microsoft:windows_server_2008::sp2::::::*
cpe:2.3:o:microsoft:windows_server_2008:-:::::::*
cpe:2.3:o:microsoft:windows_vista::sp1::::::*
cpe:2.3:o:microsoft:windows_vista::sp2::::::*
cpe:2.3:o:microsoft:windows_vista:-:::::::*
cpe:2.3:o:microsoft:windows_xp::sp2::::::*
cpe:2.3:o:microsoft:windows_xp::sp3::::::*