HighIBM Security Server Protection for Windows, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, BlackICE Server Protection, BlackICE PC Protection, RealSecure Server Sensor, RealSecure Network, Proventia Network IPS, Proventia Desktop, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology:
This signature detects EMF files containing a filename parameter that may cause a stack overflow within the Microsoft Windows graphic device interface.
High
IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 2.0.252.2190, IBM Security Server Protection for Windows: 1.0.914.2190, Proventia Network IDS: XPU 28.050, Proventia-G 1.1 and earlier: XPU 28.050, Proventia Network MFS: XPU 28.050, BlackICE Server Protection: 3.6.cqy, BlackICE PC Protection: 3.6cqy, RealSecure Server Sensor: XPU 28.050, RealSecure Network: XPU 28.050, Proventia Network IPS: XPU 28.050, Proventia Desktop: 2190, Virtual Server Protection for Vmware: 1.0, Proventia Server IPS for Linux technology: 28.050
Microsoft Windows 2000: SP4, Microsoft Windows 2003 Server: x64, Microsoft Windows XP: SP2, Microsoft Windows 2003 Server: SP1, Microsoft Windows XP: x64 Professional, Microsoft Windows 2003 Server: SP1 Itanium, Microsoft Windows Vista, Microsoft Windows Server 2003: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows Server 2003: SP2 x64, Microsoft Windows Vista: x64, Microsoft Windows XP: SP2 x64 Professional, Microsoft Windows Vista: SP1, Microsoft Windows Vista: SP1 x64, Microsoft Windows Server 2008: Itanium, Microsoft Windows Server 2008: x64, Microsoft Windows Server 2008
Unauthorized Access Attempt
Microsoft Windows graphic device interface (GDI) is vulnerable to an stack-based buffer overflow, caused by improper bounds checking of EMF image filename parameters. By persuading a victim to open a specially-crafted EMF file, a remote attacker could overflow a buffer and execute arbitrary code on the system.
Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.
— OR —
Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.
For other distributions:
Apply the appropriate update for your system. See References.
Microsoft Security Bulletin MS08-021
Vulnerabilities in GDI Could Allow Remote Code Execution (948590)
http://www.microsoft.com/technet/security/bulletin/ms08-021.mspx
IBM Internet Security Systems Protection Alert, April 8, 2008
Microsoft GDI Remote Code Execution
http://www.iss.net/threats/290.html
NORTEL BULLETIN ID: 2008008770, Rev 1
Nortel Response to Microsoft Security Bulletin MS08-021
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=714206
HPSBST02329 SSRT080048 rev.1
HPSBST02329 SSRT080048 rev.1
Storage Management Appliance (SMA), Microsoft Patch Applicability MS08-018 to MS08-025
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01433452
NORTEL BULLETIN ID: 2008008788, Rev 1
Centrex IP Client Manager (CICM) response to Microsoft April security bulletin
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=716807
Microsoft Security Bulletin MS08-071
Vulnerabilities in GDI Could Allow Remote Code Execution (956802)
http://www.microsoft.com/technet/security/bulletin/ms08-071.mspx
ISS X-Force
Microsoft Windows GDI EMF filename parameter buffer overflow
http://www.iss.net/security_center/static/41472.php
CVE
CVE-2008-1087
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1087