MS-ISAC ADVISORY NUMBER:
2008-016
DATE(S) ISSUED:
4/9/2008
SUBJECT:
Vulnerability in Microsoft Graphics Device Interface (GDI) Could Allow for Remote Code Execution
OVERVIEW:
A vulnerability has been discovered in the way Microsoft Windows processes certain image files. This vulnerability can be exploited if a user views a malicious web page or opens an email attachment containing an image file specially designed to exploit this vulnerability. This vulnerability may be exploited through other software applications which use the vulnerable Microsoft component. A successful exploit may result in the attacker taking complete control of the affected system.
SYSTEMS AFFECTED:
- Microsoft Windows 2000 Service Pack 4
- Microsoft Windows XP Service Pack 2
- Microsoft Windows XP Professional x64 Edition
- Microsoft Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 1
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 1 for Itanium-based Systems
- Windows Server 2003 Service Pack 2 for Itanium-based Systems
- Windows Vista
- Windows Vista Service Pack 1
- Windows Vista x64 Edition
- Windows Vista x64 Edition Service Pack 1
- Windows Server 2008
RISK:
Government:
Large and medium government entities: High
Small government entities: High
Businesses:
Large and medium business entities: High
Small business entities: High
Home users: High
DESCRIPTION:
Microsoft Windows Graphics Device Interface (GDI) fails to properly handle Windows Metafile (WMF) and Windows Enhanced Metafile (EMF) image files. GDI enables various applications to access devices that render images for the user, such as desktop displays and printers. GDI is installed by default on all Microsoft Windows operating systems. Other programs installed on the local machine that use GDI may serve as an attack vector for this vulnerability.
Exploitation of this vulnerability occurs when a user is enticed to open a maliciously crafted Windows Metafile (WMF) or Windows Enhanced Metafile (EMF) image. Microsoft has confirmed that this vulnerability can be exploited if the user opens an email attachment with a malicious WMF or EMF image or visits a webpage that contains a malicious file. Upon successful exploitation, the attacker could run arbitrary code in the context of the locally logged-in user, including installing programs; adding, viewing or deleting user data; or creating new accounts on the system.
At this time there is no known publicly available exploit code or malicious files.
RECOMMENDATIONS:
We recommend that the following actions be taken:
- Apply the appropriate patches to vulnerable systems as soon as possible, after appropriate testing.
- Run all software as a non-privileged user (one without administrative privilege) to diminish the effects of a successful attack.
- Do not open email attachments from unknown or untrusted sources.
- Do not visit untrusted websites, or follow links provided by unknown or untrusted sources.
REFERENCES:
Microsoft:
http://www.microsoft.com/technet/security/bulletin/ms08-021.mspx
CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1083
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1087
SecurityFocus:
http://www.securityfocus.com/bid/28570
This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.
