FixVibe
Covered by FixVibe · high

Microsoft ATL COM Initialization Advisory (CVE-2009-2493)

Microsoft ATL components and controls built with affected ATL headers can be exposed to CVE-2009-2493 under COM initialization conditions. FixVibe now treats this as covered by its repo source/build advisory for legacy Visual C++ ATL projects, without claiming build-machine patch state, deployed ActiveX or COM exposure, or live code-execution proof.

CVE-2009-2493 · CWE-264 · CWE-94

CVE-2009-2493 in Microsoft ATL is an advisory-level issue affecting components and controls built with affected ATL headers, not proof that Visual Studio itself is exploitable on every host. Microsoft describes the issue as unsafe ATL handling of object initialization from data streams, including OleLoadFromStream behavior that can bypass the related security policy when an affected component is loaded [S1][S2].

Attacker Impact

If a vulnerable ATL-built component or control is installed and reachable under the advisory conditions, a crafted web page or document can lead to code execution in the user context [S1][S3]. The practical risk depends on which component was built, whether it shipped, how users load it, and whether the build environment had the MS09-035 ATL update.

Covered by FixVibe

FixVibe covers this through its Microsoft ATL repo source/build advisory check. During an authorized GitHub repo scan, FixVibe can report legacy Visual C++ ATL project metadata paired with ATL source usage associated with the MS09-035 advisory family, now including CVE-2009-2493.

The finding is version-based source/build advisory evidence. It does not prove the installed ATL hotfix level on the build machine, compiled binary provenance, deployed COM or ActiveX exposure, IPersistPropertyBag or OleLoadFromStream behavior in a running component, memory disclosure, or remote code execution.
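As an added illustration of what a version-based source/build check of this kind can and cannot say (this is example code, not FixVibe's own check), the following Python heuristic flags a legacy `.vcproj` only when it is paired with ATL usage in the same project tree. The constructed sample repo contents, the `.vcproj` version set standing in for VS2003/2005/2008, and the `UseOfATL` and `#include <atl*.h>` markers are assumptions of the example.

```python
import posixpath
import re

# Constructed sample repo (path -> text); not real project files.
SAMPLE_REPO = {
    "ctl/ctl.vcproj": '<VisualStudioProject ProjectType="Visual C++" Version="9.00" '
                      'Name="ctl"><Configurations><Configuration Name="Release|Win32" '
                      'UseOfATL="1"/></Configurations></VisualStudioProject>',
    "ctl/ctl.cpp": "#include <atlbase.h>\n#include <atlcom.h>\n"
                   "class CCtl : public CComObjectRootEx<CComSingleThreadModel> {};",
    "tool/tool.vcxproj": "<Project><PropertyGroup><PlatformToolset>v143"
                         "</PlatformToolset></PropertyGroup></Project>",
    "tool/main.cpp": "int main() { return 0; }",
}

# .vcproj format versions written by VS2003 / VS2005 / VS2008, the toolsets
# whose ATL headers MS09-035 updated (assumed mapping for this heuristic).
LEGACY_VCPROJ_VERSIONS = {"7.10", "8.00", "9.00"}
VCPROJ_VERSION = re.compile(r'<VisualStudioProject\b[^>]*\bVersion="([\d.]+)"')
USE_OF_ATL = re.compile(r'\bUseOfATL="[12]"')          # 1 = dynamic, 2 = static
ATL_INCLUDE = re.compile(r'#include\s*[<"](atl\w*\.h)[>"]')
SOURCE_EXT = (".cpp", ".cxx", ".cc", ".h", ".hpp", ".idl")


def scan_repo(files):
    """One finding per legacy .vcproj paired with ATL usage in its tree.

    Source/build advisory evidence only: says nothing about the hotfix level
    of the build machine, binary provenance, or whether anything was deployed.
    """
    findings = []
    for path, text in files.items():
        if not path.endswith(".vcproj"):
            continue
        m = VCPROJ_VERSION.search(text)
        if not m or m.group(1) not in LEGACY_VCPROJ_VERSIONS:
            continue
        root = posixpath.dirname(path) + "/"
        headers = sorted({h for p, t in files.items()
                          if p.startswith(root) and p.endswith(SOURCE_EXT)
                          for h in ATL_INCLUDE.findall(t)})
        if USE_OF_ATL.search(text) or headers:
            findings.append({"project": path, "vcproj_version": m.group(1),
                             "atl_headers": headers,
                             "advisory": "MS09-035 / CVE-2009-2493",
                             "evidence": "version-based source/build metadata"})
    return findings
```

The modern `.vcxproj` project in the sample is deliberately not flagged: the heuristic reports only the pairing of legacy project metadata with ATL source usage, which is exactly the evidence boundary described above.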

Remediation

Apply the Microsoft MS09-035 ATL update to every build environment that can produce the affected project, or migrate the project to a supported Visual C++ toolset with patched ATL headers [S2]. Rebuild and redistribute every ATL-built COM object, ActiveX control, DLL, installer, or application artifact from clean sources. Verify build logs, patch inventory, binary provenance, and deployed artifact metadata before closing the finding. Keep verification to normal build and regression checks; do not use malformed streams, browser exploit pages, ActiveX payloads, information-disclosure probes, or code-execution reproduction.
