
Virus Encyclopedia

MS09-060

Threat level: Low threat
Damage: High
Distribution: Not widespread

Effects

MS09-060 is not a virus, worm, Trojan or backdoor. It is a group of critical vulnerabilities in the Active Template Library (ATL) controls used by Office, which allow arbitrary code to be executed remotely and information to be disclosed.

The affected components are:

  • Outlook 2007 on Office 2007.
  • Outlook 2003 on Office 2003.
  • Outlook 2002 on Office XP.
  • Visio Viewer 2007/2003/2002.


The addressed vulnerabilities are:

  • ATL Uninitialized Object vulnerability: this remote code execution vulnerability is due to an issue in the ATL headers that could allow an attacker to call VariantClear() on a variant that has not been correctly initialized.
  • ATL COM Initialization vulnerability: this remote code execution vulnerability is due to issues in the ATL headers that handle the instantiation of an object from a data stream.

    If exploited successfully, either of these vulnerabilities allows an attacker to gain remote control of the affected computer with the same privileges as the logged-on user.
  • ATL Null String vulnerability: an information disclosure vulnerability due to an issue in the ATL headers that could allow a string to be read without a terminating NULL byte.

    If exploited successfully, it could allow an attacker to access any data available to the logged-on user.
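
The following is an added illustration of the bug class behind the ATL Null String vulnerability described above, written for this page and not taken from ATL or from Panda Security. It uses a constructed property stream (a one-byte declared length followed by string bytes with no terminator, then adjacent private data) and contrasts a reader that trusts the bytes to be NULL-terminated with one that honours the declared length.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stream: declared length 4, the bytes "name" with NO
   terminating NUL, then unrelated data that must never be exposed. */
static const unsigned char kStream[] = {
    4, 'n', 'a', 'm', 'e',                /* field: len=4, unterminated */
    'S', 'E', 'C', 'R', 'E', 'T', '\0'    /* adjacent private data      */
};

/* Scan for a NUL within at most max bytes (portable strnlen). */
static size_t scan_nul(const char *p, size_t max) {
    size_t i = 0;
    while (i < max && p[i] != '\0') i++;
    return i;
}

/* Vulnerable pattern: ignores the declared length and keeps reading
   until it finds a NUL, so it returns whatever follows the field.
   (Bounded by the buffer we hold only to keep this demo well-defined.) */
char *read_string_unbounded(const unsigned char *stream, size_t stream_len) {
    if (stream_len < 1) return NULL;
    const char *p = (const char *)stream + 1;           /* skip length byte */
    size_t n = scan_nul(p, stream_len - 1);
    char *out = malloc(n + 1);
    if (!out) return NULL;
    memcpy(out, p, n);
    out[n] = '\0';
    return out;                                          /* "nameSECRET" */
}

/* Hardened pattern: validate the declared length against the data
   actually present and never scan past the field; the caller gets a
   properly terminated copy of at most `declared` bytes. */
char *read_string_bounded(const unsigned char *stream, size_t stream_len) {
    if (stream_len < 1) return NULL;
    size_t declared = stream[0];
    if (declared > stream_len - 1) return NULL;          /* truncated stream: reject */
    const char *p = (const char *)stream + 1;
    size_t n = scan_nul(p, declared);
    char *out = malloc(n + 1);
    if (!out) return NULL;
    memcpy(out, p, n);
    out[n] = '\0';
    return out;                                          /* "name" */
}
```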

All these vulnerabilities are usually exploited by creating a specially crafted web page and enticing users to access it. The link to the website can be distributed using several methods, such as email, instant messaging programs, etc.


If any of the affected Office components is installed, it is recommended to download and apply the security update for these vulnerabilities from Microsoft.