MS09-037: Why we are using CVE's already used in MS09-035

MS09-035 was released July 28 to address vulnerabilities in the Visual Studio Active Template Library (ATL). A related security update, MS09-034, included a defense-in-depth Internet Explorer mitigation to help protect against attacks in vulnerable components. This morning, we released security bulletin MS09-037 to addresses the ATL vulnerabilities in several Windows components.

MS09-037 contains the following CVE’s:

CVE-2008-0015
CVE-2008-0020
CVE-2009-2494
CVE-2009-2493
CVE-2009-0901

Two of these CVE’s, CVE-2009-2493 and CVE-2009-0901 were also listed in MS09-035. You might be wondering, shouldn’t they already be fixed by the previous security update? It’s a little bit tricky to understand so we’ve built a table that we hope will help.

So you can see that MS09-035 and MS09-037 both addressed different aspects of the same vulnerabilities.

The three other CVE’s (CVE-2008-0015, CVE-2008-0020, CVE-2009-2494) describe vulnerabilities present in only Windows private branch of the ATL code. Because MS09-035 was an update for the public ATL headers and libraries released with Visual Studio, these CVE’s addressing vulnerabilities in the Windows private ATL code branch were not listed in bulletin MS09-035. There was no call- to- action related to these three new CVE’s for Visual Studio customers at the time of the MS09-035 security update.

CVE-2008-0015 is a good example of our CVE usage. We used CVE-2008-0015 in MS09-032 to refer to the msvidctl.dll remote code execution vulnerability. When MS09-037 uses CVE-2008-0015 again, it is referencing the same vulnerability that was present in msvidctl.dll. For controls that have the exact same vulnerability and are being addressed by MS09-037, we use the same CVE again (CVE-2008-0015, in this case).

We hope that helps you understand the ATL-related CVE’s.

- Chengyun Chu, MSRC Engineering

*Posting is provided “AS IS” with no warranties, and confers no rights.*