IBM Security Server Protection for Windows, BlackICE Server Protection, Proventia Network MFS, Proventia Network IDS, Proventia-G 1.1 and earlier, RealSecure Server Sensor, RealSecure Network, BlackICE PC Protection, Proventia Network IPS, Proventia Desktop, Virtual Server Protection for VMware, Proventia Server IPS for Linux technology:
This signature detects WMF files containing image components that may overflow a buffer and execute arbitrary code when processed by the Microsoft Windows graphic device interface.
High
IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 1.0.914.2330, IBM Security Server Protection for Windows: 2.0.300.2330, BlackICE Server Protection: 3.6.crm, Proventia Network MFS: XPU 28.190, Proventia Network IDS: XPU 28.190, Proventia-G 1.1 and earlier: XPU 28.190, RealSecure Server Sensor: XPU 28.190, RealSecure Network: XPU 28.190, BlackICE PC Protection: 3.6crm, Proventia Network IPS: XPU 28.190, Proventia Desktop: 2330, Virtual Server Protection for VMware: 1.0, Proventia Server IPS for Linux technology: 28.190
Microsoft Windows 2000: SP4, Microsoft Windows 2003 Server: x64, Microsoft Windows XP: SP2, Microsoft Windows 2003 Server: SP1, Microsoft Windows XP: x64 Professional, Microsoft Windows 2003 Server: SP1 Itanium, Microsoft Windows Vista, Microsoft Windows Server 2003: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows Server 2003: SP2 x64, Microsoft Windows Vista: x64, Microsoft Windows XP: SP2 x64 Professional, HP Storage Management Appliance: 2.1, Microsoft Windows Vista: SP1, Microsoft Windows Vista: SP1 x64, Microsoft Windows Server 2008: Itanium, Microsoft Windows Server 2008: x32, Microsoft Windows Server 2008: x64, Microsoft Windows XP: SP3
Unauthorized Access Attempt
The Microsoft Windows GDI is vulnerable to an integer overflow, caused by improper handling of integer calculations while parsing a WMF image file. By persuading a victim to open a specially crafted image file, a remote attacker could exploit this vulnerability to overflow a buffer and execute arbitrary code on the system with the privileges of the victim.
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS08-071. See References.
For other distributions:
Apply the appropriate update for your system. See References.
Microsoft Security Bulletin MS08-071
Vulnerabilities in GDI Could Allow Remote Code Execution (956802)
http://www.microsoft.com/technet/security/bulletin/ms08-071.mspx
iDefense PUBLIC ADVISORY: 12.09.08
Microsoft Windows Graphics Device Interface Integer Overflow Vulnerability
https://labs.idefense.com/verisign/intelligence/2009/vulnerabilities/display.php?id=762
IBM Internet Security Systems Protection Alert December 9, 2008
Microsoft Windows GDI WMF image file integer overflow
http://www.iss.net/threats/314.html
NORTEL BULLETIN ID: 2008009236, Rev 1
Nortel Response to Microsoft Security Bulletin MS08-071
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=805799
HPSBST02394 SSRT080183 rev.1
Storage Management Appliance (SMA), Microsoft Patch Applicability MS08-070 to MS08-077
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01632189&jumpid=reg_R1002_USEN
ISS X-Force
Microsoft Windows GDI WMF image file integer overflow
http://www.iss.net/security_center/static/46842.php
CVE
CVE-2008-2249
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2249