Multiple vulnerabilities have been identified in Microsoft Windows, which could be exploited by attackers to compromise a vulnerable system. These issues are caused by memory corruption errors in the Microsoft Active Template Library (ATL) when processing certain data and streams, which could be exploited by attackers to crash an affected application or execute arbitrary code by tricking a user into visiting a specially crafted web page.

Affected Products

Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Service Pack 3
Microsoft Windows XP Professional x64 Edition Service Pack 2
Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows Server 2003 SP2 (Itanium)
Microsoft Windows Vista
Microsoft Windows Vista Service Pack 1
Microsoft Windows Vista Service Pack 2
Microsoft Windows Vista x64 Edition
Microsoft Windows Vista x64 Edition Service Pack 1
Microsoft Windows Vista x64 Edition Service Pack 2
Microsoft Windows Server 2008 (32-bit)
Microsoft Windows Server 2008 (32-bit) Service Pack 2
Microsoft Windows Server 2008 (x64)
Microsoft Windows Server 2008 (x64) Service Pack 2
Microsoft Windows Server 2008 (Itanium)
Microsoft Windows Server 2008 (Itanium) Service Pack 2

Microsoft Outlook Express 5.x
Microsoft Outlook Express 6.x
Microsoft Windows Media Player 9
Microsoft Windows Media Player 10
Microsoft Windows Media Player 11

Solution

Apply patches :
http://www.microsoft.com/technet/security/Bulletin/MS09-037.mspx

References

http://www.vupen.com/english/advisories/2009/2232
http://www.microsoft.com/technet/security/Bulletin/MS09-037.mspx

Credits

Vulnerabilities reported by Ryan Smith, Alex Wheeler, Robert Freeman, David Dewey (IBM ISS X-Force) and VeriSign iDefense Labs.

Changelog

2009-08-11 : Initial release*

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.