Microsoft Windows GDI+ Gradient Fill Heap Overflow Vulnerability
11 Sep. 2008
Summary
The GDI+ library (GdiPlus.dll) "provides access to a number of graphics methods, via a class-based API. Vector Markup Language (VML) is a component of the Extensible Markup Language (XML) that specifies vector images (e.g., rectangles and ovals) using the GDI+ API." Remote exploitation of an integer overflow vulnerability in multiple versions of Microsoft Corp.'s GDI+ could allow an attacker to execute arbitrary code with the privileges of the user who renders the malicious content.
Vulnerable Systems:
* Internet Explorer 7
* Internet Explorer 6
* VGX.DLL version 7.00.6000.20628
* VGX.DLL version 7.00.6000.16386
* VGX.DLL version 6.00.2900.3051
* VGX.DLL version 6.00.2900.2997
The vulnerability lies in a memory allocation that GDI+ performs while processing a gradient fill. A malformed gradient-fill description can cause the size computed for that allocation to overflow, so that an undersized heap buffer is allocated and the fill data is then written past its end. The resulting heap corruption can potentially be turned into arbitrary code execution. VML content is rendered by vgx.dll, which draws through GDI+, which is why the VGX.DLL versions above are listed as affected alongside Internet Explorer.
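The following is an added illustration of the bug class described above, not GDI+ code or any disassembly of it: a stop count taken from untrusted gradient input is multiplied by a record size in 32-bit arithmetic, the product wraps, a tiny buffer is allocated, and the copy loop (bounded by the input rather than by the allocation) writes past it. The record layout, the input format and the small "arena" standing in for the heap are all constructed so the overflow can be observed without undefined behaviour; the hardened parser shows the two checks that close the hole.

```c
/* Added example (not GDI+ code): an integer overflow in an allocation-size
 * computation turning into a heap overflow, the pattern this advisory describes.
 * The record layout, input format and the small "heap" arena are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed record: one gradient stop, 8 bytes. */
typedef struct { uint32_t position; uint32_t argb; } GradientStop;

/* A small stand-in for the heap so the overflow can be observed safely:
 * allocations are carved from the start of the arena and every byte
 * behind them is filled with CANARY. */
#define ARENA_SIZE 64
#define CANARY     0xA5
static union { uint64_t align; uint8_t bytes[ARENA_SIZE]; } heap;

static void  arena_reset(void) { memset(heap.bytes, CANARY, ARENA_SIZE); }
/* Like a 32-bit allocator: fails only if the request is too large. */
static void *arena_alloc(uint32_t size) { return size <= ARENA_SIZE / 2 ? heap.bytes : NULL; }
/* 1 if nothing behind an allocation of alloc_size bytes was written. */
static int canary_intact(uint32_t alloc_size) {
    for (size_t i = alloc_size; i < ARENA_SIZE; i++)
        if (heap.bytes[i] != CANARY) return 0;
    return 1;
}

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Constructed input format: u32 LE stop count, then count * 8 bytes of stops. */

/* Vulnerable: count * sizeof(GradientStop) is computed in 32 bits and wraps,
 * so a huge count yields a tiny buffer; the copy loop is bounded only by the
 * input length, not by the allocation. */
static int parse_gradient_vulnerable(const uint8_t *in, size_t in_len, uint32_t *alloc_size) {
    if (in_len < 4) return -1;
    uint32_t count = read_le32(in);
    uint32_t size  = count * (uint32_t)sizeof(GradientStop);  /* wraps for count >= 0x20000000 */
    GradientStop *stops = arena_alloc(size);
    if (!stops) return -1;
    *alloc_size = size;
    size_t avail = (in_len - 4) / sizeof(GradientStop);
    for (uint32_t i = 0; i < count && i < avail; i++)
        memcpy(&stops[i], in + 4 + (size_t)i * sizeof(GradientStop), sizeof(GradientStop));
    return 0;
}

/* Hardened: reject counts whose size product cannot be represented, require the
 * input to actually contain that many stops, and copy exactly what was allocated. */
static int parse_gradient_hardened(const uint8_t *in, size_t in_len, uint32_t *alloc_size) {
    if (in_len < 4) return -1;
    uint32_t count = read_le32(in);
    if (count > UINT32_MAX / sizeof(GradientStop)) return -2;      /* product would wrap */
    if ((in_len - 4) / sizeof(GradientStop) < count) return -3;    /* header overstates data */
    uint32_t size = count * (uint32_t)sizeof(GradientStop);
    GradientStop *stops = arena_alloc(size);
    if (!stops) return -1;
    *alloc_size = size;
    memcpy(stops, in + 4, size);
    return 0;
}

typedef struct { int rc; uint32_t alloc_size; int canary_ok; } Outcome;

/* Run one parser on one input with a fresh arena and report what happened. */
static Outcome run_parser(int (*parser)(const uint8_t *, size_t, uint32_t *),
                          const uint8_t *in, size_t in_len) {
    Outcome o = { 0, 0, 1 };
    arena_reset();
    o.rc = parser(in, in_len, &o.alloc_size);
    o.canary_ok = canary_intact(o.alloc_size);
    return o;
}

/* Constructed malformed input: the header claims 0x20000001 stops
 * (0x20000001 * 8 = 0x100000008, which is 8 after 32-bit truncation),
 * but only three 8-byte stops follow. */
static const uint8_t malformed_input[4 + 3 * 8] = {
    0x01, 0x00, 0x00, 0x20,
    0x00, 0x00, 0x00, 0x00, 0xFF, 0x00, 0x00, 0xFF,
    0x00, 0x80, 0x00, 0x00, 0xFF, 0x00, 0xFF, 0x00,
    0xFF, 0xFF, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00,
};
/* Constructed well-formed input: two stops, as declared. */
static const uint8_t benign_input[4 + 2 * 8] = {
    0x02, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xFF, 0x00, 0x00, 0xFF,
    0xFF, 0xFF, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00,
};

int main(void) {
    Outcome v = run_parser(parse_gradient_vulnerable, malformed_input, sizeof malformed_input);
    Outcome h = run_parser(parse_gradient_hardened,   malformed_input, sizeof malformed_input);
    printf("vulnerable: rc=%d alloc=%u bytes, memory behind buffer intact=%d\n", v.rc, v.alloc_size, v.canary_ok);
    printf("hardened:   rc=%d alloc=%u bytes, memory behind buffer intact=%d\n", h.rc, h.alloc_size, h.canary_ok);
    return 0;
}
```

On the malformed input the vulnerable parser allocates 8 bytes and then copies 24, clobbering the bytes behind the buffer; the hardened parser refuses the count before allocating anything. On a real heap those overwritten bytes would be allocator metadata or a neighbouring object, which is what an attacker shapes to reach code execution.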
Analysis:
Successful exploitation allows an attacker to execute arbitrary code with the privileges of the current user; a user running without administrative rights limits what that code can do, but does not prevent it. The attacker must get the targeted user to render the malformed content with an application that calls the vulnerable GDI+ functions. Since VML is processed by Internet Explorer's rendering engine (vgx.dll), persuading the user to follow a link, open a document, or read an HTML e-mail message is sufficient; no further interaction is required once the content is rendered.
Workaround:
Until the vendor update is applied, exploitation through VML can be prevented by unregistering vgx.dll or denying access to it via its file access control list; denying access to gdiplus.dll additionally blocks other rendering paths into GDI+. Note the difference in blast radius: disabling vgx.dll only breaks VML rendering in Internet Explorer and applications that use its rendering engine, whereas gdiplus.dll is loaded by many applications to render images, so blocking it will prevent proper rendering in every document or application that relies on the affected component.