CVE-2009-2493

Name: CVE-2009-2493
Creator: NVD / NIST
Published: 2009-07-29T17:30:01.233+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.8/10EPSS 43.39%

Last modified Jun 16, 2026

CVE-2009-2493 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold and SP1, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2; does not properly restrict use of OleLoadFromStream in instantiating objects from data streams, which allows remote attackers to execute arbitrary code via a crafted HTML document with an ATL (1) component or (2) control, related to ATL headers and bypassing security policies, aka "ATL COM Initialization Vulnerability.". EPSS estimates a 43.39% chance of exploitation in the next 30 days.

Description

The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold and SP1, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2; does not properly restrict use of OleLoadFromStream in instantiating objects from data streams, which allows remote attackers to execute arbitrary code via a crafted HTML document with an ATL (1) component or (2) control, related to ATL headers and bypassing security policies, aka "ATL COM Initialization Vulnerability."

Metrics

CVSS 3.1

8.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Probability

43.39%

98.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions	Update
Microsoft	Visual C\+\+	2005	Sp1
Microsoft	Visual C\+\+	2008	—
Microsoft	Windows 2000	All versions	Sp4
Microsoft	Windows 2003 Server	All versions	Sp2
Microsoft	Windows Server 2008	All versions	Sp2
Microsoft	Windows Vista	All versions	Sp1
Microsoft	Windows Xp	All versions	Sp2
Microsoft	Visual Studio	2003	Sp1
Microsoft	Visual Studio	2005	Sp1
Microsoft	Visual Studio	2008	—

References

http://blogs.technet.com/srd/archive/2009/08/11/ms09-037-why-we-are-using-cve-s-already-used-in-ms09-035.aspxBroken Link
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.htmlThird Party Advisory
http://marc.info/?l=bugtraq&m=126592505426855&w=2Third Party Advisory
http://secunia.com/advisories/35967
http://secunia.com/advisories/36187
http://secunia.com/advisories/36374
http://secunia.com/advisories/36746
http://secunia.com/advisories/38568
http://secunia.com/advisories/41818
http://sunsolve.sun.com/search/document.do?assetkey=1-66-264648-1Broken Link
http://sunsolve.sun.com/search/document.do?assetkey=1-66-266108-1Broken Link
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020775.1-1Broken Link
http://www.adobe.com/support/security/advisories/apsa09-04.htmlPatch, Third Party Advisory
http://www.adobe.com/support/security/bulletins/apsb09-10.htmlThird Party Advisory
http://www.adobe.com/support/security/bulletins/apsb09-11.htmlPatch, Third Party Advisory
http://www.adobe.com/support/security/bulletins/apsb09-13.htmlThird Party Advisory
http://www.novell.com/support/viewContent.do?externalId=7004997&sliceId=1Third Party Advisory
http://www.openoffice.org/security/cves/CVE-2009-2493.htmlThird Party Advisory
http://www.us-cert.gov/cas/techalerts/TA09-195A.htmlThird Party Advisory, US Government Resource
http://www.us-cert.gov/cas/techalerts/TA09-223A.htmlThird Party Advisory, US Government Resource
http://www.us-cert.gov/cas/techalerts/TA09-286A.htmlThird Party Advisory, US Government Resource
http://www.us-cert.gov/cas/techalerts/TA09-342A.htmlThird Party Advisory, US Government Resource
http://www.vupen.com/english/advisories/2009/2034
http://www.vupen.com/english/advisories/2009/2232
http://www.vupen.com/english/advisories/2010/0366
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-035
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-037
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-055
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-060
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-072
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6245
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6304
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6421
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6473
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6621
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6716
http://blogs.technet.com/srd/archive/2009/08/11/ms09-037-why-we-are-using-cve-s-already-used-in-ms09-035.aspxBroken Link
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.htmlThird Party Advisory
http://marc.info/?l=bugtraq&m=126592505426855&w=2Third Party Advisory
http://secunia.com/advisories/35967
http://secunia.com/advisories/36187
http://secunia.com/advisories/36374
http://secunia.com/advisories/36746
http://secunia.com/advisories/38568
http://secunia.com/advisories/41818
http://sunsolve.sun.com/search/document.do?assetkey=1-66-264648-1Broken Link
http://sunsolve.sun.com/search/document.do?assetkey=1-66-266108-1Broken Link
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020775.1-1Broken Link
http://www.adobe.com/support/security/advisories/apsa09-04.htmlPatch, Third Party Advisory
http://www.adobe.com/support/security/bulletins/apsb09-10.htmlThird Party Advisory
http://www.adobe.com/support/security/bulletins/apsb09-11.htmlPatch, Third Party Advisory
http://www.adobe.com/support/security/bulletins/apsb09-13.htmlThird Party Advisory
http://www.novell.com/support/viewContent.do?externalId=7004997&sliceId=1Third Party Advisory
http://www.openoffice.org/security/cves/CVE-2009-2493.htmlThird Party Advisory
http://www.us-cert.gov/cas/techalerts/TA09-195A.htmlThird Party Advisory, US Government Resource
http://www.us-cert.gov/cas/techalerts/TA09-223A.htmlThird Party Advisory, US Government Resource
http://www.us-cert.gov/cas/techalerts/TA09-286A.htmlThird Party Advisory, US Government Resource
http://www.us-cert.gov/cas/techalerts/TA09-342A.htmlThird Party Advisory, US Government Resource
http://www.vupen.com/english/advisories/2009/2034
http://www.vupen.com/english/advisories/2009/2232
http://www.vupen.com/english/advisories/2010/0366
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-035
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-037
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-055
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-060
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-072
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6245
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6304
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6421
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6473
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6621
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6716

Timeline

Published: Jul 29, 2009
Last Modified: Jun 16, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2009-2493?

How severe is CVE-2009-2493?

CVE-2009-2493 has a CVSS score of 8.8/10 (HIGH severity). The EPSS model estimates a 43.39% probability of exploitation in the next 30 days.

How do I fix CVE-2009-2493?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2009-2493?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST