Microsoft Windows GDI+ Remote Code Execution

Notification Type: IBM Internet Security Systems Protection Alert
Notification Date: September 09, 2008
Notification Version: 1.0
   
Name: Microsoft Windows GDI+ Remote Code Execution
Public disclosure/
In the wild date:		 September 09, 2008
Aliases: MS08-052
CVE: CVE-2007-5348, CVE-2008-3012, CVE-2008-3013, CVE-2008-3014, CVE-2008-3015
Description:

The Microsoft Windows GDI+ API (Gdiplus.dll) is vulnerable to multiple buffer overflows that could result in remote code execution.

 

ISS Coverage
Product Content Version
Proventia Network IDS
Proventia Network IPS
Proventia Network MFS
Proventia Server (Linux)
RealSecure Network
RealSecure Server Sensor		 28.140
Proventia Desktop
Proventia Server IPS (Windows)		 2280
Propagation Techniques ISS Protection Available

remote exploit

JavaScript_Shellcode_Detected1
JavaScript_NOOP_Sled1
JavaScript_Unescape_Regex1 2
JavaScript_Large_Unescape1 2
JavaScript_Unescape_Obfuscation1
Image_EMF_GDI_Code_Execution
Image_GIF_GDI_Parsing2
Image_WMF_Polygon_Overflow
Image_BMP_Win_GDI_Bo

various

1 Exploits for these types of vulnerabilities typically leverage shellcode or obfuscation in the attack
2 Not blocked in the default policy.

Detailed Description
Business Impact:

In addition to affecting versions of Microsoft Office, Microsoft SQL Server, and other applications, these vulnerabilities affect most of the currently supported versions of the Microsoft Windows operating system, including Microsoft Vista.

Exploiting this vulnerability requires a user to open an image file or click a link to a malicious website that either displays the image or has other specially-crafted web content that affects the GDI+ component.  Delivery mechanisms for these types of attacks are most often attachments or links in spam and iFrames or other "advertising" links that are planted or purchased on non-malicious web sites.  Successful exploitation provides the attacker with the privileges of the end user, which could allow complete control over the endpoint.

CVSS Base Score: 9.3
  Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
Adjusted Temporal Score: 6.9
  Exploitability: Unproven
Remediation Level: Official-Fix
Report Confidence: Confirmed
Affected Products: For a full list of affected versions, see references below.
Technical Description:

The Microsoft Windows GDI+ (Gdiplus.dll) is vulnerable to multiple buffer overflows.  One vulnerability is related to improper handling of gradient sizes and could be exploited through a malicious web page.  The other vulnerabilities are related to the handling of graphic files (EMF, GIF, WMF, and BMP) and occur when a user opens a specially-crafted file or views the file on the web using Internet Explorer.  Successful exploitation allows the attacker to execute arbitrary code on the system with the privileges of the victim.

Remediation:

Patches are available for this issue. See References for details.

References
XFDB: http://xforce.iss.net/xforce/xfdb/44710
http://xforce.iss.net/xforce/xfdb/44711
http://xforce.iss.net/xforce/xfdb/44713
http://xforce.iss.net/xforce/xfdb/44714
http://xforce.iss.net/xforce/xfdb/44715
Microsoft: http://www.microsoft.com/technet/security/bulletin/ms08-052.mspx

Revision History
1.0 Initial publication.


About IBM Internet Security Systems
IBM Internet Security Systems is the trusted security advisor to thousands of the world's leading businesses and governments, providing pre-emptive protection for networks, desktops and servers. An established leader in security since 1994, the IBM Proventia® integrated security platform is designed to automatically protect against both known and unknown threats, helping to keep networks up and running and shielding customers from online attacks before they impact business assets. IBM Internet Security Systems products and services are based on the proactive security intelligence of its X-Force® research and development team – the unequivocal world authority in vulnerability and threat research. The Internet Security Systems product line is also complemented by comprehensive Managed Security Services and Professional Security Services. For more information, visit the Internet Security Systems Web site at www.iss.net or call 800-776-2362.