□ Overview
o Controls and components built with vulnerable ATL headers may expose a remote code execution vulnerability [1, 2, 3]
  ※ Visual Studio itself is not vulnerable; the vulnerability exists only in code developed with a vulnerable ATL version
o An attacker can induce a user to open a specially crafted web page and thereby obtain the privileges of that user
o Since cases exploiting this vulnerability have been reported [8], ATL developers must promptly apply the security updates, then rebuild and redistribute the components and controls that use the vulnerable ATL
  ※ ATL (Active Template Library): a set of template-based C++ classes that simplify COM (Component Object Model) object programming; OLE automation, ActiveX controls and the like can be developed with it

□ Affected systems
o Affected software
  - All IE versions on all operating systems released by Microsoft
  - Microsoft Visual Studio .NET 2003 SP1
  - Microsoft Visual Studio 2005 SP1
  - Microsoft Visual Studio 2005 SP1 64-bit Hosted Visual C++ Tools
  - Microsoft Visual Studio 2008, SP1
  - Microsoft Visual C++ 2005 SP1 Redistributable Package
  - Microsoft Visual C++ 2008 Redistributable Package
  - Microsoft Visual C++ 2008 SP1 Redistributable Package
  ※ ATL versions 7.0, 7.1, 8.0, 9.0

□ Recommendations for developers
o Apply the MS09-032, MS09-034 and MS09-035 security updates
  - MS09-032 [4]: cumulative security update of ActiveX kill bits
  - MS09-034 [2]: IE security update to defend against web-based attacks on the ATL vulnerability
  - MS09-035 [3]: ATL vulnerability security update
o Review the source code of components and controls developed with the vulnerable ATL; where a problem is found, fix it, rebuild with the updated ATL and redistribute
  - Replace the existing problematic macros and functions with the macros and functions of the new version [7]
  - The free code verification service [9] provided by Verizon Cybertrust Security can be used to check whether a developed ActiveX control is vulnerable
  ※ For a detailed response guide, see [6, 7]

□ Remediation for general users
o Promptly apply the latest updates from the MS security update site [5], or configure automatic updates
  - Apply the MS09-032 and MS09-034 security updates so that components or controls developed with the vulnerable ATL cannot be abused in IE
  - How to configure automatic updates: Start → Control Panel → Security Center → Automatic Updates → select Automatic (recommended)
o Keep the anti-virus program in use up to date and enable its real-time monitoring
o Refrain from visiting untrusted web sites
o Refrain from opening attachments of e-mails of unclear origin

□ Reference sites
[1] MS Security Advisory (KB973882)
  o English: http://www.microsoft.com/technet/security/advisory/973882.mspx
  o Korean: http://www.microsoft.com/korea/technet/security/advisory/973882.mspx
[2] MS09-034
  o English: http://www.microsoft.com/technet/security/Bulletin/MS09-034.mspx
  o Korean: http://www.microsoft.com/korea/technet/security/bulletin/MS09-034.mspx
[3] MS09-035
  o English: http://www.microsoft.com/technet/security/Bulletin/MS09-035.mspx
  o Korean: http://www.microsoft.com/korea/technet/security/bulletin/MS09-035.mspx
[4] MS09-032
  o English: http://www.microsoft.com/technet/security/Bulletin/MS09-032.mspx
  o Korean: http://www.microsoft.com/korea/technet/security/bulletin/MS09-032.mspx
[5] MS security updates
  o http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=ko
[6] ATL security update remediation summary document (English)
  o http://www.microsoft.com/security/atl.aspx
[7] Documents and videos for ATL developers (English)
  o http://msdn.microsoft.com/en-us/visualc/ee309358.aspx
  o http://blogs.technet.com/srd/archive/2009/07/28/atl-vulnerability-developer-deep-dive.aspx
  o http://blogs.msdn.com/sdl/archive/2009/07/28/atl-ms09-035-and-the-sdl.aspx
  o http://channel9.msdn.com/posts/Charles/Out-of-Band-Inside-the-ATL-Security-Update/
[8] MS security advisory and out-of-band security update overview (English)
  o http://blogs.technet.com/srd/archive/2009/07/28/overview-of-the-out-of-band-release.aspx
  o http://blogs.technet.com/msrc/archive/2009/07/28/microsoft-security-advisory-973882-microsoft-security-bulletins-ms09-034-and-ms09-035-released.aspx
[9] Information from Verizon Cybertrust Security and its free code verification service
  o http://securityblog.verizonbusiness.com/2009/07/28/activex-risk/
  o http://codetest.verizonbusiness.com/
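As an added defender-side check that is not part of the advisory, the PowerShell below audits whether the IE ActiveX kill bit (the 0x400 flag in the "Compatibility Flags" value under the ActiveX Compatibility registry key, which the MS09-032 kill-bit update recommended above sets for known-vulnerable controls) is present for a list of CLSIDs on the local machine. The CLSID list is a placeholder, since the advisory names no CLSIDs; replace it with the controls you ship or allow.

```powershell
# Added example (not from the advisory). Reports, per CLSID, whether the IE kill bit
# (Compatibility Flags 0x400) is set under the native registry view and under the
# Wow6432Node view used by 32-bit IE on 64-bit Windows.

$KillBitFlag = 0x400

$CompatKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)

    # Normalise to the {GUID} form used as the registry subkey name.
    $name   = '{' + $Clsid.Trim('{}').ToUpper() + '}'
    $result = [ordered]@{ Clsid = $name }

    foreach ($base in $CompatKeys) {
        $view = if ($base -like '*Wow6432Node*') { 'x86' } else { 'native' }
        if (-not (Test-Path $base)) {            # no Wow6432Node on 32-bit Windows
            $result[$view] = 'view absent'
            continue
        }
        $key = Join-Path $base $name
        if (-not (Test-Path $key)) {
            $result[$view] = 'no entry'
            continue
        }
        $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $flags) {
            $result[$view] = 'no flags value'
        } elseif (($flags -band $KillBitFlag) -ne 0) {
            $result[$view] = 'kill bit SET'
        } else {
            $result[$view] = ('flags 0x{0:X} (kill bit NOT set)' -f $flags)
        }
    }
    [pscustomobject]$result
}

# Placeholder CLSID list: the advisory lists none, so substitute the CLSIDs of the
# controls you ship or permit in your environment.
$ClsidsToCheck = @(
    '{00000000-0000-0000-0000-000000000000}'   # placeholder, replace
)

$ClsidsToCheck | ForEach-Object { Test-ActiveXKillBit -Clsid $_ } | Format-Table -AutoSize
```

A control that shows "no entry" or "kill bit NOT set" in the view your IE process uses can still be instantiated from a web page, so that is the case to follow up on after the MS09-032 update has been applied.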