|
|
>> Microsoft GDI+ Multiple Code Execution Vulnerabilities (MS08-052)
|
Multiple vulnerabilities have been identified in Microsoft GDI+, which could be exploited by remote attackers to take complete control of an affected system.
The first issue is caused by a heap overflow error when processing gradient sizes handled by the vector graphics link library, which could be exploited to execute arbitrary code via a malicious web site.
The second vulnerability is caused by a memory corruption error when processing a specially crafted EMF image file, which could be exploited to execute arbitrary code via a malicious image.
The third issue is caused by an error when parsing records in a specially crafted GIF image file, which could be exploited to execute arbitrary code via a malicious web site.
The fourth vulnerability is caused by a buffer overflow error when allocating memory when parsing a specially crafted WMF image file, which could be exploited to execute arbitrary code via a malicious image.
The fifth issue is caused by a buffer overflow error when processing a malformed header in a specially crafted BMP image file, which could be exploited to execute arbitrary code via a malicious web site.
Affected Products
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Service Pack 3
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Professional x64 Edition Service Pack 2
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows Server 2003 SP1 (Itanium)
Microsoft Windows Server 2003 SP2 (Itanium)
Microsoft Windows Vista
Microsoft Windows Vista Service Pack 1
Microsoft Windows Vista x64 Edition
Microsoft Windows Vista x64 Edition Service Pack 1
Microsoft Windows Server 2008 (32-bit)
Microsoft Windows Server 2008 (x64)
Microsoft Windows Server 2008 (Itanium)
Microsoft Internet Explorer 6 Service Pack 1
Microsoft .NET Framework 1.0 Service Pack 3
Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 2.0
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 2
Microsoft Office 2003 Service Pack 3
2007 Microsoft Office System
2007 Microsoft Office System Service Pack 1
Microsoft Visio 2002 Service Pack 2
Microsoft Office PowerPoint Viewer 2003
Microsoft Works 8
Microsoft Digital Image Suite 2006
SQL Server 2000 Reporting Services Service Pack 2
SQL Server 2005 Service Pack 2
SQL Server 2005 x64 Edition Service Pack 2
SQL Server 2005 for Itanium-based Systems Service Pack 2
Microsoft Visual Studio .NET 2002 Service Pack 1
Microsoft Visual Studio .NET 2003 Service Pack 1
Microsoft Visual Studio 2005 Service Pack 1
Microsoft Visual Studio 2008
Microsoft Report Viewer 2005 Service Pack 1 Redistributable Package
Microsoft Report Viewer 2008 Redistributable Package
Microsoft Visual FoxPro 8.0 Service Pack 1 (on Windows 2000 SP4)
Microsoft Visual FoxPro 9.0 Service Pack 1 (on Windows 2000 SP4)
Microsoft Visual FoxPro 9.0 Service Pack 2 (on Windows 2000 SP4)
Microsoft Platform SDK Redistributable: GDI+
Solution
Apply patches :
http://www.microsoft.com/technet/security/Bulletin/MS08-052.mspx
References
http://www.vupen.com/english/advisories/2008/2520
http://www.microsoft.com/technet/security/Bulletin/MS08-052.mspx
Credits
Vulnerabilities reported by Greg MacManus (VeriSign iDefense Labs), Bing Liu (Fortinet FortiGuard Global Security Research Team), Peter Winter-Smith (NGSSoftware), Ivan Fratric, Zero Day Initiative, and Vulnerability Research Team (Assurent Secure Technologies).
ChangeLog
2008-09-09 : Initial release
Vulnerability Management
Subscribe to VUPEN VNS and receive real-time alerts when new advisories or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form. | |
|
