HighIBM Security Server Protection for Windows, Proventia Network IDS, Proventia Network MFS, Proventia-G 1.1 and earlier, RealSecure Server Sensor, RealSecure Network, Proventia Network IPS, Proventia Desktop, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware:
This signature detects specially crafted EMF image files containing GDI information that may allow an attacker to run arbitrary code in kernel mode and gain system-level access.
High
IBM Security Server Protection for Windows: 1.0.914.2370, IBM Security Server Protection for Windows: 2.0.300.2370, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia Network IDS: XPU 29.030, Proventia Network MFS: XPU 29.030, Proventia-G 1.1 and earlier: XPU 29.030, RealSecure Server Sensor: XPU 29.030, RealSecure Network: XPU 29.030, Proventia Network IPS: XPU 29.030, Proventia Desktop: 2370, Proventia Server IPS for Linux technology: 29.030, Virtual Server Protection for Vmware: 1.0
Microsoft Windows 2000: SP4, Microsoft Windows 2003 Server: x64, Microsoft Windows XP: SP2, Microsoft Windows 2003 Server: Itanium, Microsoft Windows 2003 Server: SP1, Microsoft Windows XP: x64 Professional, Microsoft Windows Vista, Microsoft Windows Server 2003: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows Server 2003: SP2 x64, Microsoft Windows Vista: x64, Microsoft Windows XP: SP2 x64 Professional, Microsoft Windows Vista: SP1, Microsoft Windows Vista: SP1 x64, Microsoft Windows Server 2008: Itanium, Microsoft Windows Server 2008: x32, Microsoft Windows Server 2008: x64, Microsoft Windows XP: SP3
Unauthorized Access Attempt
Microsoft Windows kernel could allow a remote attacker to execute arbitrary code on the system, caused by improper validation of input passed from user mode through the kernel graphics device interface (GDI) component. By persuading a victim to view a malicious EMF or WMF image file, either by hosting the file on a Web site or sending it as an email attachment, an attacker could exploit this vulnerability to corrupt memory and execute arbitrary code on the system.
Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.
— OR —
Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.
Microsoft Security Bulletin MS09-006
Vulnerabilities in Windows Kernel Could Allow Remote Code Execution (KB958690)
http://www.microsoft.com/technet/security/bulletin/ms09-006.mspx
IBM Internet Security Systems Protection Alert, March 10, 2009
Microsoft Windows Kernel GDI Validation Remote Code Execution
http://www.iss.net/threats/321.html
NORTEL BULLETIN ID: 2009009381, Rev 1
Nortel Response to Microsoft Security Bulletin MS09-006 - Vulnerabilities in Windows Kernel
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=842987&poid=
Microsoft Security Bulletin MS09-025
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (968537)
http://www.microsoft.com/technet/security/bulletin/ms09-025.mspx
Microsoft Security Bulletin MS09-065
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (969947)
http://www.microsoft.com/technet/security/bulletin/ms09-065.mspx
Microsoft Security Bulletin MS10-032
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (979559)
http://www.microsoft.com/technet/security/bulletin/ms10-032.mspx
Microsoft Security Bulletin MS10-048
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2160329)
http://www.microsoft.com/technet/security/bulletin/ms10-048.mspx
Microsoft Security Bulletin MS10-073
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957)
http://www.microsoft.com/technet/security/bulletin/ms10-073.mspx
Microsoft Security Bulletin MS10-098
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2436673)
http://www.microsoft.com/technet/security/bulletin/ms10-098.mspx
Microsoft Security Bulletin MS11-012
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2479628)
http://www.microsoft.com/technet/security/bulletin/ms11-012.mspx
Microsoft Security Bulletin MS11-034
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2506223)
http://www.microsoft.com/technet/security/bulletin/ms11-034.mspx
Microsoft Security Bulletin MS11-041
Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2525694)
http://www.microsoft.com/technet/security/bulletin/ms11-041.mspx
Microsoft Security Bulletin MS11-054
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2555917)
http://www.microsoft.com/technet/security/bulletin/ms11-054.mspx
Microsoft Security Bulletin MS11-054
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2555917)
http://www.microsoft.com/technet/security/bulletin/ms11-054.mspx
Microsoft Security Bulletin MS11-077
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2567053)
http://www.microsoft.com/technet/security/bulletin/ms11-077.mspx
Microsoft Security Bulletin MS11-077
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2567053)
http://www.microsoft.com/technet/security/bulletin/ms11-077.mspx
Microsoft Security Bulletin MS11-084
Vulnerability in Windows Kernel-Mode Drivers Could Allow Denial of Service (2617657)
http://www.microsoft.com/technet/security/bulletin/ms11-084.mspx
Microsoft Security Bulletin MS11-084
Vulnerability in Windows Kernel-Mode Drivers Could Allow Denial of Service (2617657)
http://www.microsoft.com/technet/security/bulletin/ms11-084.mspx
Microsoft Security Bulletin MS11-087
Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417)
http://technet.microsoft.com/en-us/security/bulletin/MS11-087
Microsoft Security Bulletin MS11-087
Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417)
http://technet.microsoft.com/en-us/security/bulletin/MS11-087
Microsoft Security Bulletin MS11-087
Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417)
http://technet.microsoft.com/en-us/security/bulletin/MS11-087
Microsoft Security Bulletin MS11-087
Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417)
http://technet.microsoft.com/en-us/security/bulletin/MS11-087
Microsoft Security Bulletin MS12-008
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2660465)
http://technet.microsoft.com/en-us/security/bulletin/ms12-008
Microsoft Security Bulletin MS12-008
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2660465)
http://technet.microsoft.com/en-us/security/bulletin/ms12-008
Microsoft Security Bulletin MS12-008
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2660465)
http://technet.microsoft.com/en-us/security/bulletin/ms12-008
Microsoft Security Bulletin MS12-008
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2660465)
http://technet.microsoft.com/en-us/security/bulletin/ms12-008
Microsoft Security Bulletin MS12-018
Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2641653)
http://technet.microsoft.com/en-us/security/bulletin/ms12-018
Microsoft Security Bulletin MS12-018
Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2641653)
http://technet.microsoft.com/en-us/security/bulletin/ms12-018
Microsoft Security Bulletin MS12-018
Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2641653)
http://technet.microsoft.com/en-us/security/bulletin/ms12-018
Microsoft Security Bulletin MS12-018
Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2641653)
http://technet.microsoft.com/en-us/security/bulletin/ms12-018
Microsoft Security Bulletin MS12-034
Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight (2681578)
http://technet.microsoft.com/en-us/security/bulletin/ms12-034
Microsoft Security Bulletin MS12-034
Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight (2681578)
http://technet.microsoft.com/en-us/security/bulletin/ms12-034
Microsoft Security Bulletin MS12-034
Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight (2681578)
http://technet.microsoft.com/en-us/security/bulletin/ms12-034
Microsoft Security Bulletin MS12-034
Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight (2681578)
http://technet.microsoft.com/en-us/security/bulletin/ms12-034
ISS X-Force
Microsoft Windows kernel GDI validation code execution
http://www.iss.net/security_center/static/48298.php
CVE
CVE-2009-0081
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0081