HighProventia Network IPS, Proventia Desktop, RealSecure Network, RealSecure Server Sensor, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Server Protection for Windows, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology:
This signature detects EMF files containing specially crafted GDI+ data that may cause an overflow and memory corruption in the Microsoft Windows graphic device interface, possibly leading to remote code execution.
High
Proventia Network IPS: XPU 31.040, Proventia Desktop: 2630, RealSecure Network: XPU 31.040, RealSecure Server Sensor: XPU 31.040, Proventia Network IDS: XPU 31.040, Proventia-G 1.1 and earlier: XPU 31.040, Proventia Network MFS: XPU 31.040, IBM Security Server Protection for Windows: 2.1.14.2630, Virtual Server Protection for Vmware: XPU 31.040, Proventia Server IPS for Linux technology: 31.040
Microsoft Office: XP SP3, Microsoft Windows Server 2003: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows Server 2003: SP2 x64, Microsoft Windows XP: SP2 x64 Professional, Microsoft Windows Vista: SP1, Microsoft Windows Vista: SP1 x64, Microsoft Windows Server 2008: Itanium, Microsoft Windows Server 2008: x32, Microsoft Windows Server 2008: x64, Microsoft Windows XP: SP3, Microsoft Windows Vista: SP2 x64, Microsoft Windows Vista: SP2, Microsoft Windows Server 2008: SP2 x32, Microsoft Windows Server 2008: SP2 x64, Microsoft Windows Server 2008: SP2 Itanium
Unauthorized Access Attempt
Microsoft Windows GDI+ could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow error. By persuading a victim open a specially-crafted EMF image file, an attacker could exploit this vulnerability to execute arbitrary code on the system with privileges of the victim.
Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.
— OR —
Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.
Microsoft Security Bulletin MS11-029
Vulnerability in GDI+ Could Allow Remote Code Execution (2489979)
http://www.microsoft.com/technet/security/bulletin/ms11-029.mspx
IBM Security Protection Alert
Microsoft Windows GDI+ Image Could Allow Remote Code Execution
http://www.iss.net/threats/422.html
Offensive Security Exploit Database [07-18-2011]
GDI+ CreateDashedPath Integer overflow in gdiplus.dll
http://www.exploit-db.com/exploits/17544/
Microsoft Security Bulletin MS12-034
Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight (2681578)
http://technet.microsoft.com/en-us/security/bulletin/ms12-034
ISS X-Force
Microsoft Windows GDI+ EMF code execution
http://www.iss.net/security_center/static/66427.php
CVE
CVE-2011-0041
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0041