Credit:
The information has been provided by iDefense Labs Security Advisories.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=762
Vulnerable Systems:
* gdi32.dll file version 5.1.2600.3316, as included in fully patched Windows XP Service Pack 2 as of May 2008
This vulnerability exists in the way GDI handles integer math. An integer overflow can occur while calculating a buffer length, which results in an undersized heap buffer being allocated. This buffer is then overflowed with data from the input image file.
Analysis:
Exploitation allows an attacker to execute arbitrary code with the privileges of the current user. Exploitation would require convincing a targeted user to view a specially crafted image file. An attacker could host this file on a Web server, attach the file to an e-mail, or embed the file in an Office document.
This vulnerability can also be triggered through e-mail. If the e-mail client automatically displays images embedded in the e-mail, the user only needs to open the e-mail to trigger the vulnerability. Currently an EMF file is used as a test attack vector. Outlook and Outlook Express will automatically display EMF images and trigger the vulnerability. Lotus Notes and Thunderbird do not display EMF images in e-mail directly, but the vulnerability can still be triggered when opening or viewing the EMF attachment.
Workaround:
Turning off metafile processing by modifying the registry mitigates this threat. Under registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize create a DWORD entry "DisableMetaFiles" and set it to 1.
Note 1: This does not affect processes that are already running, so you might need to log off and log on again or restart the computer after making the change.
Note 2: It only blocks the attack vector through Windows metafiles. It is possible to exploit this vulnerability through other attack vectors.
Impact of Workaround: components relying on metafile processing might not work properly, such as printing.
Viewing e-mail in plain text format mitigates e-mail-based attack.
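The following script is an added example, not part of the iDefense advisory, that audits and applies the DisableMetaFiles workaround described above; the key path and value name are the ones given in the advisory, and it assumes a PowerShell session with write access to HKLM.

```powershell
# Added example: audit/apply/roll back the DisableMetaFiles workaround.
# Key path and value name are taken from the advisory text above.
param([switch]$Apply, [switch]$Rollback)

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize'
$ValueName = 'DisableMetaFiles'

function Get-MetafileWorkaroundState {
    # 'Applied' only when DisableMetaFiles exists and equals 1; anything
    # else (missing key, missing value, other value) is 'NotApplied'.
    if (-not (Test-Path -Path $KeyPath)) { return 'NotApplied' }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotApplied' }
    if ([int]$item.$ValueName -eq 1) { return 'Applied' }
    return 'NotApplied'
}

function Enable-MetafileWorkaround {
    # Create the key if it is absent, then set DisableMetaFiles = 1 (REG_DWORD).
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value 1 -Force | Out-Null
    # Caveats from the advisory: running processes are unaffected until
    # log-off/log-on or reboot, and metafile-dependent features such as
    # printing may stop working.
    Write-Warning 'Log off/on or reboot for running processes to pick this up.'
    Write-Warning 'Components relying on metafile processing (e.g. printing) may break.'
}

function Disable-MetafileWorkaround {
    # Roll the change back, e.g. after the MS08-071 patch has been installed.
    Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
}

"Current state: $(Get-MetafileWorkaroundState)"
if ($Apply)    { Enable-MetafileWorkaround;  "New state: $(Get-MetafileWorkaroundState)" }
if ($Rollback) { Disable-MetafileWorkaround; "New state: $(Get-MetafileWorkaroundState)" }
```

Run without switches to audit only; `-Apply` sets the value and `-Rollback` removes it once the patch is in place.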
Vendor response:
"The vulnerability could allow remote code execution if a user opens a specially crafted WMF image file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts."
Microsoft Corp. has released a patch which addresses this issue. For more information, consult their advisory at the following URL.
http://www.microsoft.com/technet/security/Bulletin/ms08-071.mspx
CVE Information:
CVE-2008-2249
Disclosure timeline:
05/21/2008 - Initial Vendor Notification
05/21/2008 - Initial Vendor Reply
09/05/2008 - Additional Information Provided to Vendor
10/14/2008 - Additional Vendor Feedback
12/09/2008 - Coordinated Public Disclosure