Microsoft Windows Color Management Module Heap Buffer Overflow Vulnerability (MS08-046)
13 Aug. 2008
Summary
Microsoft Windows Color Management Module provides "consistent color mappings between different devices and applications. It is also used to transform colors between color spaces". Remote exploitation of a heap-based buffer overflow vulnerability in multiple versions of Microsoft Corp.'s Windows operating system allows an attacker to execute arbitrary code with the privileges of the current user.
Vulnerable Systems:
* Windows 2000 Service Pack 4
* Windows XP Service Pack 2
* Windows Server 2003 Service Pack 1
* Windows Server 2003 Service Pack 2
Immune Systems:
* Windows Vista
* Windows Vista Service Pack 1
* Windows Server 2008
This vulnerability specifically exists in the InternalOpenColorProfile function in mscms.dll. When a malformed parameter is supplied, a heap-based buffer overflow can occur, resulting in an exploitable condition.
Analysis:
Exploitation allows an attacker to execute arbitrary code with the privileges of the current user. Exploitation would require convincing a targeted user to view a malicious image file either hosted on a Web server, on local file system or embedded in an-email or Office documents, or through some form of social engineering.
This vulnerability also can be triggered through e-mail. If the e-mail client can automatically display images embedded in the e-mail, the user only needs to open the e-mail to trigger the vulnerability. Currently an EMF file is used as test attack vector. Outlook and Outlook Express will automatically display EMF image and trigger the vulnerability. Lotus Notes and Thunderbird do not display EMF images in e-mail directly, but the vulnerability still can be triggered when opening or viewing the EMF attachment.
Workaround:
In order to prevent exploitation of this vulnerability, turn off metafile processing by modifying the registry. Under the registry key, "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize" create a DWORD entry "DisableMetaFiles" and set it to 1.
Keep in mind that this only blocks the attack vector through Windows metafiles. It may be possible to exploit this vulnerability through other attack vectors.
Note: Modifying the registry does not affect processes that are already running, so you may need to log off and log on again or restart the computer after making the change.
Implementing this workaround may cause components relying on metafile processing, such as printing, to misbehave.
Viewing e-mail in plain text format mitigates e-mail-based attack.
