Microsoft Windows GDI+ contains a buffer overflow vulnerability in the JPEG parsing component

From: JM Tella Llop [MVP Windows] (jmtella_at_XXXmvps.org)
Date: 11/06/04


Date: Sat, 6 Nov 2004 19:37:42 +0100

Overview

A buffer overflow vulnerability in the Microsoft Windows GDI+ JPEG
parsing component could allow a remote attacker to execute arbitrary
code on a vulnerable system.

I. Description

Microsoft Windows Graphics Device Interface (GDI+) is an application
programming interface (API) that provides programmers the ability to
display information on screens and printers. GDI+ includes the ability
to process JPEG image files. There is a buffer overflow vulnerability
in the way the JPEG parsing component of GDI+ (Gdiplus.dll) handles
malformed JPEG images. By introducing a specially crafted JPEG file to
the vulnerable component, a remote attacker could trigger a buffer
overflow condition.
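The note does not say which JPEG structure the malformed file abuses. Public analyses of MS04-028 attributed the fault to a comment (COM) segment whose 16-bit length field is smaller than the two bytes the field itself occupies, so that "length minus 2" wraps and the parser copies far more than the buffer holds; that detail is not in the CERT note itself. The following C is an added illustration, not code from CERT or Microsoft: it walks the marker segments of an in-memory JPEG, shows the unchecked length arithmetic a naive segment parser would perform beside a bounds-checked version, and treats any segment length below 2, or one reaching past the end of the buffer, as malformed. The sample inputs are constructed structural skeletons, not real images, and the function and status names are this example's own.

```c
/* Added example, not from the CERT note or Microsoft. Every JPEG segment
 * after SOI starts with 0xFF <marker>; most markers are followed by a
 * big-endian 16-bit length that counts its own two bytes. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum jpeg_status { JPEG_OK = 0, JPEG_NOT_JPEG, JPEG_TRUNCATED,
                   JPEG_BAD_MARKER, JPEG_BAD_LENGTH };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Unchecked pattern: payload = length - 2. For length 0 or 1 the arithmetic
 * wraps to a huge size_t, and a copy of that many bytes overruns the heap. */
size_t unchecked_payload_len(uint16_t seg_len) {
    return (size_t)(seg_len - 2);
}

/* Checked pattern: the length must cover its own two bytes and must fit in the
 * bytes remaining after the marker. Returns 1 and sets *out on success. */
int checked_payload_len(uint16_t seg_len, size_t remaining, size_t *out) {
    if (seg_len < 2 || (size_t)seg_len > remaining) return 0;
    *out = (size_t)seg_len - 2;
    return 1;
}

/* Validate the segment structure of buf[0..len). On a bad marker or length,
 * *bad_off (if non-NULL) receives the offset of the offending marker. */
enum jpeg_status jpeg_check(const uint8_t *buf, size_t len, size_t *bad_off) {
    size_t off = 2, payload;
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8) return JPEG_NOT_JPEG;
    for (;;) {
        if (off + 2 > len) return JPEG_TRUNCATED;
        if (buf[off] != 0xFF) { if (bad_off) *bad_off = off; return JPEG_BAD_MARKER; }
        uint8_t m = buf[off + 1];
        if (m == 0xFF) { off++; continue; }                 /* fill byte */
        if (m == 0xD9) return JPEG_OK;                       /* EOI */
        if (m == 0xD8 || m == 0x01 || (m >= 0xD0 && m <= 0xD7)) {
            off += 2; continue;                              /* markers without a length */
        }
        if (off + 4 > len) return JPEG_TRUNCATED;
        if (!checked_payload_len(be16(buf + off + 2), len - off - 2, &payload)) {
            if (bad_off) *bad_off = off;
            return be16(buf + off + 2) < 2 ? JPEG_BAD_LENGTH : JPEG_TRUNCATED;
        }
        off += 4 + payload;
        if (m == 0xDA) {                                     /* SOS: skip entropy-coded data */
            while (off + 1 < len) {                          /* 0xFF00 is stuffing, 0xFFD0-D7 are RSTn */
                uint8_t n = buf[off + 1];
                if (buf[off] == 0xFF && n != 0x00 && n != 0xFF && !(n >= 0xD0 && n <= 0xD7)) break;
                off++;
            }
        }
    }
}

/* Convenience wrapper: offset of the offending marker, or SIZE_MAX if the file is OK. */
size_t jpeg_bad_offset_of(const uint8_t *buf, size_t len) {
    size_t off = SIZE_MAX;
    return jpeg_check(buf, len, &off) == JPEG_OK ? SIZE_MAX : off;
}

/* Constructed test inputs (structural skeletons, not real images). */
const uint8_t SAMPLE_OK[]  = { 0xFF,0xD8, 0xFF,0xFE,0x00,0x05,'a','b','c', 0xFF,0xD9 };
const uint8_t SAMPLE_SOS[] = { 0xFF,0xD8, 0xFF,0xDA,0x00,0x08,0x01,0x01,0x00,0x00,0x3F,0x00,
                               0x12,0xFF,0x00,0x34,0xFF,0xD0,0x56, 0xFF,0xD9 };
const uint8_t SAMPLE_BAD[] = { 0xFF,0xD8, 0xFF,0xFE,0x00,0x01, 0xFF,0xD9 };  /* COM length 1 */
const uint8_t SAMPLE_CUT[] = { 0xFF,0xD8, 0xFF,0xFE,0x00,0x10,'A','B' };     /* claims 14 payload bytes */
const uint8_t SAMPLE_GIF[] = { 'G','I','F','8','9','a' };

int main(void) {
    static const char *names[] = { "OK", "NOT_JPEG", "TRUNCATED", "BAD_MARKER", "BAD_LENGTH" };
    size_t off = 0;
    printf("unchecked payload for length 1: %zu\n", unchecked_payload_len(1));
    printf("SAMPLE_OK:  %s\n", names[jpeg_check(SAMPLE_OK,  sizeof SAMPLE_OK,  NULL)]);
    printf("SAMPLE_SOS: %s\n", names[jpeg_check(SAMPLE_SOS, sizeof SAMPLE_SOS, NULL)]);
    printf("SAMPLE_BAD: %s at offset %zu\n", names[jpeg_check(SAMPLE_BAD, sizeof SAMPLE_BAD, &off)], off);
    printf("SAMPLE_CUT: %s\n", names[jpeg_check(SAMPLE_CUT, sizeof SAMPLE_CUT, NULL)]);
    printf("SAMPLE_GIF: %s\n", names[jpeg_check(SAMPLE_GIF, sizeof SAMPLE_GIF, NULL)]);
    return 0;
}
```

A gateway or mail filter built on this check would reject a file before it ever reaches Gdiplus.dll, which is the only defence for hosts where a third-party copy of the DLL has not yet been patched; the check is structural only and says nothing about whether the image data itself decodes.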

Microsoft notes that Windows XP, Windows XP Service Pack 1, and
Windows Server 2003 provide the operating system version of the
affected component. For backward compatibility, some third-party
applications may install their own copy of the affected component.
These include Office XP, Visio 2002, Project 2002, Office 2003, Visio
2003, and Project 2003. If any of these applications are installed on
your system, you should apply the patch for these applications. If you
use Windows XP, Windows XP Service Pack 1, or Windows Server 2003, you
must also install the operating system patch.

Please keep in mind, third-party applications, other than those listed
above, may install a copy of the affected component. Any application
that uses the Gdiplus.dll file to process JPEG image files is
vulnerable.

II. Impact

A remote, unauthenticated attacker could potentially execute arbitrary
code on a vulnerable system by introducing a specially crafted JPEG
file. This malicious JPEG image may be introduced to the system via a
malicious web page, HTML email, or an email attachment.

III. Solution

Apply Patch

Apply a patch as described in Microsoft Security Bulletin MS04-028.

Systems Affected

Vendor                           Status          Date Updated
3Com                             Unknown         16-Sep-2004
Adobe Systems Incorporated       Unknown         16-Sep-2004
Aladdin Knowledge Systems        Unknown         16-Sep-2004
Alcatel                          Unknown         16-Sep-2004
America Online Inc.              Unknown         16-Sep-2004
Apple Computer Inc.              Unknown         16-Sep-2004
AT&T                             Unknown         16-Sep-2004
Avaya                            Unknown         16-Sep-2004
Avici Systems Inc.               Unknown         16-Sep-2004
Borderware                       Unknown         16-Sep-2004
Charlotte's Web Networks         Unknown         16-Sep-2004
Check Point                      Unknown         16-Sep-2004
Chiaro Networks                  Not Vulnerable  16-Sep-2004
Cisco Systems Inc.               Unknown         27-Sep-2004
Clavister                        Not Vulnerable  17-Sep-2004
Command Software Systems         Unknown         16-Sep-2004
Computer Associates              Unknown         16-Sep-2004
Cray Inc.                        Unknown         16-Sep-2004
CyberSoft                        Unknown         16-Sep-2004
D-Link Systems                   Unknown         16-Sep-2004
Data Connection                  Unknown         16-Sep-2004
EMC Corporation                  Unknown         16-Sep-2004
eSoft                            Unknown         16-Sep-2004
Extreme Networks                 Not Vulnerable  16-Sep-2004
F-Secure                         Unknown         16-Sep-2004
F5 Networks                      Unknown         16-Sep-2004
Finjan Software                  Not Vulnerable  29-Sep-2004
Fortinet                         Unknown         16-Sep-2004
Foundry Networks Inc.            Not Vulnerable  16-Sep-2004
Fujitsu                          Unknown         16-Sep-2004
GFI Software                     Unknown         16-Sep-2004
Global Technology Associates     Unknown         16-Sep-2004
Hitachi                          Unknown         16-Sep-2004
Hyperchip                        Unknown         16-Sep-2004
IBM                              Unknown         16-Sep-2004
Intel                            Unknown         16-Sep-2004
Intoto                           Not Vulnerable  16-Sep-2004
IP Filter                        Unknown         16-Sep-2004
Juniper Networks                 Unknown         16-Sep-2004
Linksys                          Unknown         16-Sep-2004
Lotus Software                   Unknown         16-Sep-2004
Lucent Technologies              Unknown         16-Sep-2004
Luminous                         Unknown         16-Sep-2004
Macromedia Inc.                  Not Vulnerable  30-Sep-2004
MessageLabs                      Unknown         16-Sep-2004
Microsoft Corporation            Vulnerable      14-Sep-2004
Mozilla                          Unknown         16-Sep-2004
Multi-Tech Systems Inc.          Unknown         16-Sep-2004
NEC Corporation                  Unknown         16-Sep-2004
NETfilter                        Unknown         16-Sep-2004
Network Appliance                Not Vulnerable  27-Sep-2004
NextHop                          Unknown         16-Sep-2004
Nokia                            Unknown         16-Sep-2004
Nortel Networks                  Unknown         16-Sep-2004
Opera Software                   Not Vulnerable  16-Sep-2004
Oracle Corporation               Unknown         16-Sep-2004
Process Software                 Unknown         16-Sep-2004
Proland Software                 Unknown         16-Sep-2004
Redback Networks Inc.            Unknown         16-Sep-2004
Riverstone Networks              Unknown         16-Sep-2004
SCO                              Unknown         16-Sep-2004
Secure Computing Corporation     Unknown         16-Sep-2004
SGI                              Unknown         16-Sep-2004
Sony Corporation                 Unknown         16-Sep-2004
Sophos                           Unknown         16-Sep-2004
Stonesoft                        Unknown         16-Sep-2004
Symantec Corporation             Unknown         16-Sep-2004
Unisys                           Unknown         16-Sep-2004
WatchGuard                       Not Vulnerable  16-Sep-2004
Wind River Systems Inc.          Unknown         16-Sep-2004
Xerox                            Unknown         16-Sep-2004
Yahoo                            Unknown         16-Sep-2004
ZyXEL                            Unknown         16-Sep-2004

References

http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx
http://support.microsoft.com/default.aspx?scid=kb;EN-US;873374
http://msdn.microsoft.com/library/en-us/gdicpp/GDIPlus/GDIPlus.asp
http://secunia.com/advisories/12528/
Credit

This vulnerability was reported by Microsoft. In turn, Microsoft
credits Nick DeBaggis for discovering this vulnerability.

This document was written by Damon Morda and Jason A. Rafail, and is
based on information provided by Microsoft.

Other Information

Date Public 09/14/2004
Date First Published 09/14/2004 04:04:10 PM
Date Last Updated 09/30/2004
CERT Advisory
CVE Name CAN-2004-0200
Metric 33.75
Document Revision 25

-- 
Jose Manuel Tella Llop
MVP - Windows
jmtella@XXXcompuserve.com (remove XXX)
http://www.multingles.net/jmt.htm
This posting is provided "AS IS" with no warranties, and confers no
rights.
You assume all risk for your use. 

