The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Microsoft Windows Graphics Rendering Engine Multiple Vulnerabilities
(MS08-021)
------------------------------------------------------------------------
SUMMARY
Microsoft Windows
<http://msdn2.microsoft.com/en-us/library/ms536795(VS.85).aspx> graphics
device interface (GDI) is "the core library used to display graphics and
text on the Windows operating system. It is the standard interface through
which applications access the graphics rendering engine". Multiple
vulnerabilities have been discovered in Microsoft's GDI engine, these
vulnerabilities allow an attacker to cause the engine to execute arbitrary
code by overflow and internal heap buffer or by causing an integer
corruption.
DETAILS
Microsoft Windows Graphics Rendering Engine Integer Overflow Vulnerability
Remote exploitation of an integer overflow vulnerability in multiple
versions of Microsoft Corp.'s Windows operating system could allow an
attacker to execute arbitrary code with the privileges of the current
user.
The vulnerability occurs when parsing a header structure that describes a
bitmap contained in the file. Several values from this header are used in
an arithmetic operation that calculates the number of bytes to allocate
for a heap buffer. This calculation can overflow, which results in an
undersized heap buffer being allocated. This buffer is then overflowed
with data from the file.
Analysis:
Exploitation allows an attacker to execute arbitrary code with the
privileges of the current user. Exploitation would require convincing a
targeted user to visit a malicious URL through some form of social
engineering.
This vulnerability can also be triggered through e-mail. If the e-mail
client automatically displays images embedded in the e-mail, the user only
needs to open the e-mail to trigger the vulnerability.
Vulnerable Systems:
* Windows 2000 SP4
* Windows XP SP2
Immune Systems:
* Windows Server 2003 SP1
* Windows Server 2003 SP2
* Windows Vista
* Windows Vista SP1
Workaround:
Turn off metafile processing by modifying the registry.
Under registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\GRE_Initialize
create a DWORD entry "DisableMetaFiles" and set it to 1.
Note 1: This doesn't affect processes that are already running, so you
might need to log off and log in again or restart the computer after
making the change.
Note 2: This workaround only blocks the metafile attack vector. Since the
vulnerable code is in gdi32.dll, it can possibly be reached through other
attack vectors.
Impact of Workaround: components relying on metafile processing might not
work properly, such as printing.
Viewing email in plain text format will mitigate email based attacks.
Vendor response:
Microsoft has officially addressed this vulnerability with Security
Bulletin MS08-021. For more information, consult their bulletin at the
following URL.
<http://www.microsoft.com/technet/security/bulletin/ms08-021.mspx>
http://www.microsoft.com/technet/security/bulletin/ms08-021.mspx
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1083>
CVE-2008-1083
Microsoft Windows Graphics Rendering Engine Heap Buffer Overflow
Vulnerability
Remote exploitation of a heap based buffer overflow vulnerability in
multiple versions of Microsoft Corp.'s Windows operating system could
allow an attacker to execute arbitrary code with the privileges of the
current user.
The vulnerability occurs when parsing a maliciously crafted EMF file. When
performing an arithmetic operation that calculates the size of a heap
buffer the code incorrectly assumes that the color depth is a fixed size.
By specifying a different color depth, it is possible to trigger a heap
based buffer overflow.
Analysis:
Exploitation allows an attacker to execute arbitrary code with the
privileges of the current user. Exploitation would require convincing a
targeted user to visit a malicious URL through some form of social
engineering.
This vulnerability can also be triggered through e-mail. If the e-mail
client automatically displays images embedded in the e-mail, the user only
needs to open the e-mail to trigger the vulnerability.
Vulnerable Systems:
* Windows 2000 Service Pack 4
* Windows XP Service Pack 2
* Windows Server 2003 Service Pack 1
* Windows Server 2003 Service Pack 2
* Windows Vista
Workaround:
Turn off metafile processing by modifying the registry.
Under registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\GRE_Initialize
create a DWORD entry "DisableMetaFiles" and set it to 1.
Note 1: This doesn't affect processes that are already running, so you
might need to log off and log in again or restart the computer after
making the change.
Note 2: This workaround only blocks the metafile attack vector. Since the
vulnerable code is in gdi32.dll, it can possibly be reached through other
attack vectors.
Impact of Workaround: components relying on metafile processing might not
work properly, such as printing.
Viewing email in plain text format will mitigate email based attacks.
Vendor response:
Microsoft has officially addressed this vulnerability with Security
Bulletin MS08-021. For more information, consult their bulletin at the
following URL.
<http://www.microsoft.com/technet/security/bulletin/ms08-021.mspx>
http://www.microsoft.com/technet/security/bulletin/ms08-021.mspx
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1083>
CVE-2008-1083
Disclsoure timeline:
12/17/2007 - Initial vendor notification
12/17/2007 - Initial vendor response
04/08/2008 - Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by
<mailto:idlabs-advisories@idefense.com> iDefense Labs Security Advisories.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=682>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=682
and
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=681>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=681
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
