HighProventia Server IPS for Microsoft Windows technology, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IPS, Proventia Desktop, Proventia Server IPS for Linux technology, BlackICE Server Protection, BlackICE PC Protection, RealSecure Network, RealSecure Server Sensor:
This signature detects EMF files containing a filename parameter that may cause a stack overflow within the Microsoft Windows graphic device interface.
High
Proventia Server IPS for Microsoft Windows technology: 2.0.252.2190, Proventia Server IPS for Microsoft Windows technology: 1.0.914.2190, Proventia Network MFS: XPU 28.050, Proventia-G 1.1 and earlier: XPU 28.050, Proventia Network IPS: XPU 28.050, Proventia Desktop: 2190, Proventia Server IPS for Linux technology: 28.050, BlackICE Server Protection: 3.6.cqy, BlackICE PC Protection: 3.6cqy, RealSecure Network: XPU 28.050, RealSecure Server Sensor: XPU 28.050
Microsoft Windows 2000: SP4, Microsoft Windows 2003 Server: x64, Microsoft Windows XP: SP2, Microsoft Windows 2003 Server: SP1, Microsoft Windows XP: x64-Professional, Microsoft Windows 2003 Server: SP1 Itanium, Microsoft Windows Vista, Microsoft Windows 2003 Server: SP2, Microsoft Windows 2003 Server: SP2 Itanium, Microsoft Windows 2003 Server: SP2 x64, Microsoft Windows Vista: x64, Microsoft Windows XP: SP2 x64-Professional, Microsoft Windows Vista: SP1, Microsoft Windows Vista: SP1 x64, Microsoft Windows 2008, Microsoft Windows 2008: x64, Microsoft Windows 2008: Itanium
Unauthorized Access Attempt
Microsoft Windows graphic device interface (GDI) is vulnerable to an stack-based buffer overflow, caused by improper bounds checking of EMF image filename parameters. By persuading a victim to open a specially-crafted EMF file, a remote attacker could overflow a buffer and execute arbitrary code on the system.
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS08-021. See References.
For other distributions:
Apply the appropriate update for your system. See References.
Microsoft Security Bulletin MS08-021
Vulnerabilities in GDI Could Allow Remote Code Execution (948590)
http://www.microsoft.com/technet/security/bulletin/ms08-021.mspx
IBM Internet Security Systems Protection Alert, April 8, 2008
Microsoft GDI Remote Code Execution
http://www.iss.net/threats/290.html
NORTEL BULLETIN ID: 2008008770, Rev 1
Nortel Response to Microsoft Security Bulletin MS08-021
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=714206
HPSBST02329 SSRT080048 rev.1
HPSBST02329 SSRT080048 rev.1
Storage Management Appliance (SMA), Microsoft Patch Applicability MS08-018 to MS08-025
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01433452
NORTEL BULLETIN ID: 2008008788, Rev 1
Centrex IP Client Manager (CICM) response to Microsoft April security bulletin
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=716807
ISS X-Force
Microsoft Windows GDI EMF filename parameter buffer overflow
http://www.iss.net/security_center/static/41472.php
CVE
CVE-2008-1087
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1087