HighBlackICE Server Protection, BlackICE PC Protection, RealSecure Server Sensor, RealSecure Network, Proventia-G 1.1 and earlier, Proventia Desktop, Proventia Network IPS, Proventia Server IPS for Linux technology, Proventia Network MFS, Proventia Server IPS for Microsoft Windows technology:
This signature detects EMF or WMF files containing header information that may cause a heap-based overflow within the Microsoft Windows graphic device interface.
High
BlackICE Server Protection: 3.6.cqy, BlackICE PC Protection: 3.6cqy, RealSecure Server Sensor: XPU 28.050, RealSecure Network: XPU 28.050, Proventia-G 1.1 and earlier: XPU 28.050, Proventia Desktop: 2190, Proventia Network IPS: XPU 28.050, Proventia Server IPS for Linux technology: 28.050, Proventia Network MFS: XPU 28.050, Proventia Server IPS for Microsoft Windows technology: 2.0.252.2190, Proventia Server IPS for Microsoft Windows technology: 1.0.914.2190
Microsoft Windows Vista: SP1, Microsoft Windows 2008: Itanium, Microsoft Windows Vista: SP1 x64, Microsoft Windows 2008, Microsoft Windows 2008: x64, Microsoft Windows 2003 Server: SP2 x64, Microsoft Windows 2003 Server: SP2 Itanium, Microsoft Windows 2003 Server: SP2, Microsoft Windows XP: SP2 x64-Professional, Microsoft Windows Vista: x64, Microsoft Windows Vista, Microsoft Windows XP: x64-Professional, Microsoft Windows 2003 Server: SP1, Microsoft Windows 2003 Server: SP1 Itanium, Microsoft Windows XP: SP2, Microsoft Windows 2003 Server: x64, Microsoft Windows 2000: SP4
Unauthorized Access Attempt
Microsoft Windows graphic device interface (GDI) is vulnerable to an heap-based buffer overflow, caused by improper bounds checking of EMF and WMF image file headers. By persuading a victim to open a specially-crafted EMF or WMF file, a remote attacker could overflow a buffer and execute arbitrary code on the system.
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS08-021. See References.
For other distributions:
Apply the appropriate update for your system. See References.
Microsoft Security Bulletin MS08-021
Vulnerabilities in GDI Could Allow Remote Code Execution (948590)
http://www.microsoft.com/technet/security/bulletin/ms08-021.mspx
ZDI-08-020
Microsoft GDI WMF Parsing Heap Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-020/
IBM Internet Security Systems Protection Alert, April 8, 2008
Microsoft GDI Remote Code Execution
http://www.iss.net/threats/290.html
iDefense Labs PUBLIC ADVISORY: 04.08.08
Microsoft Windows Graphics Rendering Engine Heap Buffer Overflow Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=682
iDefense Labs PUBLIC ADVISORY: 04.08.08
Microsoft Windows Graphics Rendering Engine Integer Overflow Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=681
NORTEL BULLETIN ID: 2008008770, Rev 1
Nortel Response to Microsoft Security Bulletin MS08-021
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=714206
HPSBST02329 SSRT080048 rev.1
HPSBST02329 SSRT080048 rev.1
Storage Management Appliance (SMA), Microsoft Patch Applicability MS08-018 to MS08-025
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01433452
NORTEL BULLETIN ID: 2008008788, Rev 1
Centrex IP Client Manager (CICM) response to Microsoft April security bulletin
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=716807
ISS X-Force
Microsoft Windows GDI EMF and WMF header buffer overflow
http://www.iss.net/security_center/static/41471.php
CVE
CVE-2008-1083
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1083