HighProventia Network IPS, Proventia Desktop, BlackICE PC Protection, RealSecure Server Sensor, RealSecure Network, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Network IDS, IBM Security Server Protection for Windows, BlackICE Server Protection, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology:
This signature detects EMF files containing a filename parameter that may cause a stack overflow within the Microsoft Windows graphic device interface.
High
Proventia Network IPS: XPU 28.050, Proventia Desktop: 2190, BlackICE PC Protection: 3.6cqy, RealSecure Server Sensor: XPU 28.050, RealSecure Network: XPU 28.050, Proventia-G 1.1 and earlier: XPU 28.050, Proventia Network MFS: XPU 28.050, Proventia Network IDS: XPU 28.050, IBM Security Server Protection for Windows: 2.1.14.2400, BlackICE Server Protection: 3.6.cqy, IBM Security Server Protection for Windows: 2.0.252.2190, IBM Security Server Protection for Windows: 1.0.914.2190, Virtual Server Protection for Vmware: 1.0, Proventia Server IPS for Linux technology: 28.050
Microsoft Windows 2000: SP4, Microsoft Windows 2003 Server: x64, Microsoft Windows XP: SP2, Microsoft Windows 2003 Server: SP1, Microsoft Windows XP: x64 Professional, Microsoft Windows 2003 Server: SP1 Itanium, Microsoft Windows Vista, Microsoft Windows Server 2003: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows Server 2003: SP2 x64, Microsoft Windows Vista: x64, Microsoft Windows XP: SP2 x64 Professional, Microsoft Windows Vista: SP1, Microsoft Windows Vista: SP1 x64, Microsoft Windows Server 2008: Itanium, Microsoft Windows Server 2008: x64, Microsoft Windows Server 2008
Unauthorized Access Attempt
Microsoft Windows graphic device interface (GDI) is vulnerable to an stack-based buffer overflow, caused by improper bounds checking of EMF image filename parameters. By persuading a victim to open a specially-crafted EMF file, a remote attacker could overflow a buffer and execute arbitrary code on the system.
Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.
— OR —
Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.
For other distributions:
Apply the appropriate update for your system. See References.
Microsoft Security Bulletin MS08-021
Vulnerabilities in GDI Could Allow Remote Code Execution (948590)
http://www.microsoft.com/technet/security/bulletin/ms08-021.mspx
IBM Internet Security Systems Protection Alert, April 8, 2008
Microsoft GDI Remote Code Execution
http://www.iss.net/threats/290.html
NORTEL BULLETIN ID: 2008008770, Rev 1
Nortel Response to Microsoft Security Bulletin MS08-021
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=714206
HPSBST02329 SSRT080048 rev.1
HPSBST02329 SSRT080048 rev.1
Storage Management Appliance (SMA), Microsoft Patch Applicability MS08-018 to MS08-025
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01433452
NORTEL BULLETIN ID: 2008008788, Rev 1
Centrex IP Client Manager (CICM) response to Microsoft April security bulletin
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=716807
Microsoft Security Bulletin MS08-071
Vulnerabilities in GDI Could Allow Remote Code Execution (956802)
http://www.microsoft.com/technet/security/bulletin/ms08-071.mspx
ISS X-Force
Microsoft Windows GDI EMF filename parameter buffer overflow
http://www.iss.net/security_center/static/41472.php
CVE
CVE-2008-1087
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1087