MS-ISAC ADVISORY NUMBER:
2007-018

DATE(S) ISSUED:
8/14/2007

SUBJECT:
New Vulnerability in GDI Could Allow for Remote Code Execution

A new vulnerability has been discovered in the components of Microsoft Windows that render images for the user. This vulnerability can be exploited if a user opens an email attachment containing a malicious image file. This vulnerability may affect any program that renders images, and successful exploitation may result in the attacker taking complete control of the affected system.

SYSTEMS AFFECTED:

  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP Service Pack 2
  • Microsoft Windows XP Professional x64 Edition
  • Windows Server 2003 Service Pack 1
  • Windows Server 2003 x64 Edition
  • Windows Server 2003 Service Pack 1 for Itanium-based Systems

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

DESCRIPTION:
The Microsoft Windows Graphics Rendering Engine fails to properly handle specially crafted image files. The Microsoft Windows graphics device interface (GDI) enables various applications to access devices that render images for the user on desktop displays and printers. GDI is installed by default on all Microsoft Windows operating systems. This vulnerability may affect other programs installed on the local machine that use GDI, and those programs could become possible attack vectors.

Exploitation of this vulnerability occurs when a user opens a maliciously crafted image file. Microsoft has confirmed that this vulnerability can be exploited if the user opens a malicious email attachment. Upon successful exploitation, the attacker could run arbitrary code in the context of the locally logged-in user. This could also allow the attacker to install programs, add, view or delete user data, or create new accounts on the system to attack the machine at a later date.

At this time there is no known publicly available exploit code or malicious files.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply the appropriate patches to vulnerable systems as soon as possible, after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privilege) to diminish the effects of a successful attack.
  • Do not open email attachments from untrusted sources.

REFERENCES:

Microsoft:
http://www.Microsoft.com/technet/security/bulletin/ms07-046.mspx

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3034

SecurityFocus:
http://www.securityfocus.com/bid/25302

US-CERT:
http://www.kb.cert.org/vuls/id/640136


This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.