ISS Coverage |
| Product |
Content Version |
Proventia Network IDS
Proventia Network IPS
Proventia Network MFS
Proventia Server (Linux)
RealSecure Network
RealSecure Server Sensor |
28.010 |
Proventia Desktop
Proventia Server IPS (Windows) |
2140 |
|
| Propagation Techniques |
ISS Protection |
Available |
|
remote exploit |
RIFF_Codec_Overflow |
Jan 08, 2008 |
|
|
|
Detailed Description |
| Business Impact: |
This codec is a component of Microsoft Media Player, found in all modern Microsoft operating systems, including Microsoft Windows Vista. Compromise of machines using affected versions of this codec may lead to exposure of confidential information, loss of productivity, and further compromise. An attacker may need to entice a user to perform an operation to trigger this vulnerability. These operations include: visiting a web page, browsing either a local or remote directory containing the malicious file, causing an application using an embedded version of Microsoft Media Player to play or preview the file, and opening a specially crafted Microsoft Office or media file. Successful exploitation grants an attacker the privileges of the user performing the action. |
| CVSS |
Base Score: |
9.3 |
| |
Access Vector: |
Network |
| Access Complexity: |
Medium |
| Authentication: |
None |
| Confidentiality Impact: |
Complete |
| Integrity Impact: |
Complete |
| Availability Impact: |
Complete |
|
|
| Adjusted Temporal Score: |
6.9 |
| |
Exploitability: |
Unproven |
| Remediation Level: |
Official-Fix |
| Report Confidence: |
Confirmed |
| Affected Products: |
For a full list of affected versions, see references below. |
| Technical Description: |
These vulnerabilities are invoked when specially-crafted MJPEG data is encountered in either an AVI or ASF data file (and possibly others). Specifically, an output buffer is allocated based on the reported size and width of the image as specified by the MJPEG stream format block. This format block is read straight from the media file and is lightly checked for validity. The JPEG stream is then interpreted by the codec including the JPEG headers. These JPEG headers can indicate a completely different size and width than that indicated in the format block, and this second set of values from the JPEG header is used to determine how much data is actually read in to the allocated buffer. Thus, by making the values in the JPEG header larger than those indicated in the format block, a heap overflow can be triggered.
In addition, scan lines from the JPEG image are read into the buffer in reverse. If the pointer into the allocated buffer decrements below the beginning of the buffer, this condition is detected, and the rest of the JPEG scanlines are read into a stack buffer. Since the stack buffer is a fixed size and the scan line can be arbitrarily larger, a stack overflow can also be triggered. |
| Remediation: |
Patches are available for this issue. See References for details. |
|
References |
|
|
Revision History |
|
|
|
* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall IBM be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
About IBM Security Systems
IBM Security Systems include an extensive portfolio of hardware, software solutions, professional and managed services offerings covering the spectrum of IT and business security risks: people and identity, data and information, application and process, network, server and endpoint and physical infrastructure, empowering clients to innovate and operate their businesses on the most secure infrastructure platforms. Through world-class solutions that address risk across the enterprise, IBM helps organizations build a strong security posture that helps reduce costs, improve service, and manage risk. IBM X-Force(R) Research and Development is one of the most renowned commercial security research and development groups in the world. For more information on how to address today's biggest risks, please visit us at ibm.com/security.
|
