Microsoft Windows GDI EMF and WMF header buffer overflow (Image_EMF_GDI_Header_Overflow)

About this signature or vulnerability

Proventia Desktop, Proventia Network IPS, RealSecure Network, RealSecure Server Sensor, BlackICE PC Protection, BlackICE Server Protection, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Server Protection for Windows, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware:

This signature detects EMF or WMF files containing header information that may cause a heap-based overflow within the Microsoft Windows Graphics Device Interface (GDI).


Default risk level

High

Sensors that have this signature

Proventia Desktop: 2190
Proventia Network IPS: XPU 28.050
RealSecure Network: XPU 28.050
RealSecure Server Sensor: XPU 28.050
BlackICE PC Protection: 3.6cqy
BlackICE Server Protection: 3.6.cqy
Proventia Network MFS: XPU 28.050
Proventia-G 1.1 and earlier: XPU 28.050
Proventia Network IDS: XPU 28.050
IBM Security Server Protection for Windows: 1.0.914.2190
IBM Security Server Protection for Windows: 2.0.252.2190
IBM Security Server Protection for Windows: 2.1.14.2400
Proventia Server IPS for Linux technology: 28.050
Virtual Server Protection for Vmware: 1.0

Systems affected

Microsoft Windows 2000: SP4
Microsoft Windows 2003 Server: x64
Microsoft Windows XP: SP2
Microsoft Windows 2003 Server: SP1
Microsoft Windows XP: x64 Professional
Microsoft Windows 2003 Server: SP1 Itanium
Microsoft Windows Vista
Microsoft Windows Server 2003: SP2
Microsoft Windows Server 2003: SP2 Itanium
Microsoft Windows Server 2003: SP2 x64
Microsoft Windows Vista: x64
Microsoft Windows XP: SP2 x64 Professional
Microsoft Windows Vista: SP1
Microsoft Windows Vista: SP1 x64
Microsoft Windows Server 2008: Itanium
Microsoft Windows Server 2008: x64
Microsoft Windows Server 2008

Type

Unauthorized Access Attempt

Vulnerability description

The Microsoft Windows Graphics Device Interface (GDI) is vulnerable to a heap-based buffer overflow, caused by improper bounds checking of EMF and WMF image file headers. By persuading a victim to open a specially crafted EMF or WMF file, a remote attacker could overflow a buffer and execute arbitrary code on the system.
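The defence the description implies is to distrust header-declared sizes until they have been checked against the bytes actually present. The checker below is an added example written for this page, not code from IBM ISS, X-Force or Microsoft; it uses the EMR_HEADER and META_HEADER layouts from the public MS-EMF and MS-WMF specifications, and the sample files it runs on are constructed inline. The advisory does not say which header field GDI mishandled, so the checks are generic consistency checks rather than a reproduction of the bug.

```python
import struct

EMF_SIGNATURE = 0x464D4520      # the bytes 20 45 4D 46 (" EMF") read little-endian
WMF_PLACEABLE_KEY = 0x9AC6CDD7  # marks a 22-byte placeable header before META_HEADER


def check_emf_header(data: bytes) -> list:
    """Return inconsistencies in an EMF file header (empty list = looks sane)."""
    problems = []
    if len(data) < 88:                       # EMR_HEADER is at least 88 bytes
        return ["EMF header truncated (need 88 bytes)"]
    rec_type, rec_size = struct.unpack_from("<II", data, 0)
    signature, version, n_bytes, n_records = struct.unpack_from("<IIII", data, 40)
    n_desc, off_desc = struct.unpack_from("<II", data, 60)
    if rec_type != 1 or signature != EMF_SIGNATURE:
        problems.append("not an EMR_HEADER record")
    if rec_size < 88 or rec_size % 4 or rec_size > len(data):
        problems.append("header record size %d inconsistent with file" % rec_size)
    if n_bytes != len(data):                 # declared file length must match reality
        problems.append("declared size %d != actual %d" % (n_bytes, len(data)))
    if n_records == 0:
        problems.append("record count is zero")
    if n_desc and (off_desc < 88 or off_desc + 2 * n_desc > rec_size):
        problems.append("description string lies outside the header record")
    return problems


def check_wmf_header(data: bytes) -> list:
    """Return inconsistencies in a WMF file header (empty list = looks sane)."""
    problems, body = [], data
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == WMF_PLACEABLE_KEY:
        body = data[22:]                     # sizes in META_HEADER exclude the placeable part
    if len(body) < 18:
        return ["WMF header truncated (need 18 bytes)"]
    mtype, hdr_words, version, size_lo, size_hi, _objs, max_rec = struct.unpack_from("<HHHHHHI", body, 0)
    size_words = size_lo | (size_hi << 16)   # file size is stored in 16-bit words
    if mtype not in (1, 2) or hdr_words != 9 or version not in (0x100, 0x300):
        problems.append("malformed META_HEADER")
    if size_words * 2 != len(body):
        problems.append("declared size %d words != actual %d bytes" % (size_words, len(body)))
    if max_rec * 2 > len(body):              # largest record cannot exceed the file itself
        problems.append("MaxRecord %d words exceeds file" % max_rec)
    return problems


def emf_sample(declared_bytes: int) -> bytes:
    """Constructed 88-byte EMF consisting of a header record only; nBytes is caller-chosen."""
    hdr = struct.pack("<II", 1, 88) + bytes(32)                          # type, size, bounds, frame
    hdr += struct.pack("<IIII", EMF_SIGNATURE, 0x10000, declared_bytes, 1)
    return hdr + struct.pack("<HHIII", 0, 0, 0, 0, 0) + bytes(16)        # handles .. millimeters


def wmf_sample(size_words: int) -> bytes:
    """Constructed 24-byte WMF: META_HEADER plus one META_EOF record; Size is caller-chosen."""
    hdr = struct.pack("<HHHHHHIH", 1, 9, 0x300, size_words & 0xFFFF, size_words >> 16, 0, 3, 0)
    return hdr + struct.pack("<IH", 3, 0)                                # EOF record, 3 words
```

A file that fails any check should be dropped or quarantined before it reaches a GDI-based renderer; inflated or deflated declared sizes are exactly the kind of inconsistency an unpatched parser would act on.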

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.

— OR —

Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.

For other distributions:
Apply the appropriate update for your system. See References.

References

Microsoft Security Bulletin MS08-021
Vulnerabilities in GDI Could Allow Remote Code Execution (948590)
http://www.microsoft.com/technet/security/bulletin/ms08-021.mspx

ZDI-08-020
Microsoft GDI WMF Parsing Heap Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-020/

IBM Internet Security Systems Protection Alert, April 8, 2008
Microsoft GDI Remote Code Execution
http://www.iss.net/threats/290.html

iDefense Labs PUBLIC ADVISORY: 04.08.08
Microsoft Windows Graphics Rendering Engine Heap Buffer Overflow Vulnerability
https://labs.idefense.com/verisign/intelligence/2009/vulnerabilities/display.php?id=682

iDefense Labs PUBLIC ADVISORY: 04.08.08
Microsoft Windows Graphics Rendering Engine Integer Overflow Vulnerability
https://labs.idefense.com/verisign/intelligence/2009/vulnerabilities/display.php?id=681

NORTEL BULLETIN ID: 2008008770, Rev 1
Nortel Response to Microsoft Security Bulletin MS08-021
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=714206

HPSBST02329 SSRT080048 rev.1
Storage Management Appliance (SMA), Microsoft Patch Applicability MS08-018 to MS08-025
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01433452

NORTEL BULLETIN ID: 2008008788, Rev 1
Centrex IP Client Manager (CICM) response to Microsoft April security bulletin
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=716807

Microsoft Security Bulletin MS08-071
Vulnerabilities in GDI Could Allow Remote Code Execution (956802)
http://www.microsoft.com/technet/security/bulletin/ms08-071.mspx

ISS X-Force
Microsoft Windows GDI EMF and WMF header buffer overflow
http://www.iss.net/security_center/static/41471.php

CVE
CVE-2008-1083
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1083