HighProventia Desktop, Proventia Network IPS, IBM Security Server Protection for Windows, BlackICE Server Protection, Proventia Network MFS, Proventia Network IDS, Proventia-G 1.1 and earlier, BlackICE PC Protection, RealSecure Network, RealSecure Server Sensor, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware:
This signature detects an HTML or JavaScript with malicious data that could cause a buffer overflow and lead to remote code execution.
High
Proventia Desktop: 2310, Proventia Network IPS: XPU 28.170, IBM Security Server Protection for Windows: 2.0.300.2310, IBM Security Server Protection for Windows: 1.0.914.2310, BlackICE Server Protection: 3.6.crk, Proventia Network MFS: XPU 28.170, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia Network IDS: XPU 28.170, Proventia-G 1.1 and earlier: XPU 28.170, BlackICE PC Protection: 3.6crk, RealSecure Network: XPU 28.170, RealSecure Server Sensor: XPU 28.170, Proventia Server IPS for Linux technology: 28.170, Virtual Server Protection for Vmware: 1.0
Microsoft Windows 2000: SP4, Microsoft Windows XP: SP2, Microsoft Windows XP: 2005 Media Center, Microsoft Windows Vista, Microsoft Windows Server 2003: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows Server 2003: SP2 x64, Microsoft Windows Vista: x64, Microsoft Windows XP: SP2 x64 Professional, Microsoft Windows Vista: SP1, Microsoft Windows Vista: SP1 x64, Microsoft Windows XP: SP3 x64 Professional, Microsoft Windows Server 2008: Itanium, Microsoft Windows Server 2008: x32, Microsoft Windows XP: SP3, Microsoft Windows Vista: SP2 x64, Microsoft Windows Vista: SP2, Microsoft Windows Server 2008: SP2 x32, Microsoft Windows Server 2008: SP2 Itanium
Unauthorized Access Attempt
Microsoft Windows Active Template Library (ATL) could allow a remote attacker to execute arbitrary code on the system, caused by an error in the Load() method of the IPersistStreamInit interface. By persuading a victim to visit a specially-crafted Web page containing a call to memcopy with untrusted data, and attacker could exploit this vulnerability to execute arbitrary code with privileges of the victim.
Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.
— OR —
Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.
Microsoft Security Bulletin MS09-037
Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution. (973908)
http://www.microsoft.com/technet/security/bulletin/ms09-037.mspx
Microsoft Security Bulletin MS10-030
Vulnerability in Outlook Express and Windows Mail Could Allow Remote Code Execution (978542)
http://www.microsoft.com/technet/security/bulletin/ms10-030.mspx
ISS X-Force
Microsoft Windows ATL Load() code execution
http://www.iss.net/security_center/static/44625.php
CVE
CVE-2008-0020
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0020