FixVibe
覆盖FixVibemedium

Information Disclosure in Microsoft Visual Studio ATL (CVE-2009-2495)

CVE-2009-2495 is an information-disclosure issue in Microsoft ATL-built components and controls. FixVibe covers it with MS09-035 repo scan evidence for legacy Visual C++ ATL build metadata, reported as source/build advisory context rather than exploit confirmation.

CVE-2009-2495CWE-200CWE-126

Vulnerability Overview

CVE-2009-2495 is the ATL Null String information-disclosure issue in Microsoft's MS09-035 Active Template Library advisory family. NVD describes affected Microsoft Visual Studio and Visual C++ ATL versions where string termination handling can allow a buffer over-read in ATL-built components or controls [S1]. Microsoft notes that Visual Studio itself is not directly vulnerable; the relevant exposure is software built with affected ATL headers and shipped as components or controls [S2][S3].

Attacker Impact

If an ATL-built component or control was compiled with affected headers and is reachable under the advisory conditions, a malicious document or web page may be able to disclose memory from the affected process [S1][S2]. A source-code match should drive build-toolchain and deployed-binary review before anyone treats it as confirmed production exposure.

Covered by FixVibe

FixVibe covers this issue through the existing Microsoft ATL MS09-035 repository scan. In authorized GitHub repo scans, FixVibe can flag legacy Visual C++ ATL build metadata paired with ATL source usage and report the result as a version-based source/build advisory.

FixVibe verifies repository source and build metadata only. It does not inspect build machines, prove the ATL hotfix is missing, compile or run the code, analyze deployed binaries, instantiate ActiveX controls, send malformed streams, probe for memory disclosure, or claim code-execution or information-disclosure confirmation.

Remediation

Apply the Microsoft MS09-035 ATL security update to every build environment that can produce the affected project, or migrate the project to a supported Visual C++ toolset with patched ATL headers [S2]. Rebuild every ATL-built COM object, ActiveX control, DLL, installer, and application artifact from clean sources, then redistribute the rebuilt binaries through the normal release channel.

Verify patch inventory, build logs, binary provenance, and deployed artifact metadata before closing the issue. Rerun the FixVibe GitHub repo scan after the repository and build metadata reflect the patched toolchain.

Information Disclosure in Microsoft Visual Studio ATL (CVE-2009-2495) — FixVibe research · FixVibe