|
|
|
|
| |
Credit:
The information has been provided by iDefense Labs Security Advisories.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=682 and http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=681
|
| |
Microsoft Windows Graphics Rendering Engine Integer Overflow Vulnerability
Remote exploitation of an integer overflow vulnerability in multiple versions of Microsoft Corp.'s Windows operating system could allow an attacker to execute arbitrary code with the privileges of the current user.
The vulnerability occurs when parsing a header structure that describes a bitmap contained in the file. Several values from this header are used in an arithmetic operation that calculates the number of bytes to allocate for a heap buffer. This calculation can overflow, which results in an undersized heap buffer being allocated. This buffer is then overflowed with data from the file.
Analysis:
Exploitation allows an attacker to execute arbitrary code with the privileges of the current user. Exploitation would require convincing a targeted user to visit a malicious URL through some form of social engineering.
This vulnerability can also be triggered through e-mail. If the e-mail client automatically displays images embedded in the e-mail, the user only needs to open the e-mail to trigger the vulnerability.
Vulnerable Systems:
* Windows 2000 SP4
* Windows XP SP2
Immune Systems:
* Windows Server 2003 SP1
* Windows Server 2003 SP2
* Windows Vista
* Windows Vista SP1
Workaround:
Turn off metafile processing by modifying the registry.
Under registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
create a DWORD entry "DisableMetaFiles" and set it to 1.
Note 1: This doesn't affect processes that are already running, so you might need to log off and log in again or restart the computer after making the change.
Note 2: This workaround only blocks the metafile attack vector. Since the vulnerable code is in gdi32.dll, it can possibly be reached through other attack vectors.
Impact of Workaround: components relying on metafile processing might not work properly, such as printing.
Viewing email in plain text format will mitigate email based attacks.
Vendor response:
Microsoft has officially addressed this vulnerability with Security Bulletin MS08-021. For more information, consult their bulletin at the following URL. http://www.microsoft.com/technet/security/bulletin/ms08-021.mspx
CVE Information:
CVE-2008-1083
Microsoft Windows Graphics Rendering Engine Heap Buffer Overflow Vulnerability
Remote exploitation of a heap based buffer overflow vulnerability in multiple versions of Microsoft Corp.'s Windows operating system could allow an attacker to execute arbitrary code with the privileges of the current user.
The vulnerability occurs when parsing a maliciously crafted EMF file. When performing an arithmetic operation that calculates the size of a heap buffer the code incorrectly assumes that the color depth is a fixed size. By specifying a different color depth, it is possible to trigger a heap based buffer overflow.
Analysis:
Exploitation allows an attacker to execute arbitrary code with the privileges of the current user. Exploitation would require convincing a targeted user to visit a malicious URL through some form of social engineering.
This vulnerability can also be triggered through e-mail. If the e-mail client automatically displays images embedded in the e-mail, the user only needs to open the e-mail to trigger the vulnerability.
Vulnerable Systems:
* Windows 2000 Service Pack 4
* Windows XP Service Pack 2
* Windows Server 2003 Service Pack 1
* Windows Server 2003 Service Pack 2
* Windows Vista
Workaround:
Turn off metafile processing by modifying the registry.
Under registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
create a DWORD entry "DisableMetaFiles" and set it to 1.
Note 1: This doesn't affect processes that are already running, so you might need to log off and log in again or restart the computer after making the change.
Note 2: This workaround only blocks the metafile attack vector. Since the vulnerable code is in gdi32.dll, it can possibly be reached through other attack vectors.
Impact of Workaround: components relying on metafile processing might not work properly, such as printing.
Viewing email in plain text format will mitigate email based attacks.
Vendor response:
Microsoft has officially addressed this vulnerability with Security Bulletin MS08-021. For more information, consult their bulletin at the following URL. http://www.microsoft.com/technet/security/bulletin/ms08-021.mspx
CVE Information:
CVE-2008-1083
Disclsoure timeline:
12/17/2007 - Initial vendor notification
12/17/2007 - Initial vendor response
04/08/2008 - Coordinated public disclosure
|
|
|
|
|
