
Microsoft Windows LoadImage API Function Integer Overflow Vulnerability

Risk
High

Date Discovered
12-20-2004

Description
Microsoft Windows is reported prone to a remote integer overflow vulnerability. This issue is due to a failure of the application to properly ensure that user-supplied input does not result in the overflowing of integer values. This may result in data being copied past the end of a memory buffer.

It is reported that this issue exists in the 'LoadImage' function of the USER32 library. An attacker can exploit this condition by sending a malformed file to a user. If the user opens this file, the integer overflow condition may be triggered. A successful attack would occur in the context of the vulnerable user and may lead to the attacker gaining unauthorized access to an affected computer.
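The failure mode described above, shown as an added C example that is not part of the original advisory and is not Microsoft's code: the header layout, `HDR_BYTES` and `MAX_IMAGE_BYTES` are assumptions chosen for illustration. It contrasts a size computation that silently wraps with one that rejects the input before any allocation or copy takes place.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical image header; NOT the layout parsed by LoadImage. */
struct img_hdr {
    uint32_t width, height;   /* taken from the file, untrusted */
    uint32_t bytes_per_px;    /* expected 1..4 */
};
#define HDR_BYTES       16u                  /* assumed fixed header size */
#define MAX_IMAGE_BYTES (64u * 1024 * 1024)  /* assumed policy limit */

/* Unchecked: 32-bit arithmetic wraps modulo 2^32, so a huge declared
   image can yield a tiny allocation size while later copies use the
   declared dimensions. */
uint32_t unchecked_alloc_size(const struct img_hdr *h)
{
    return h->width * h->height * h->bytes_per_px + HDR_BYTES;
}

/* Checked: each operation is validated before it is performed, and the
   result is bounded by policy and by the real length of the file. */
bool checked_alloc_size(const struct img_hdr *h, size_t file_len, uint32_t *out)
{
    if (h->width == 0 || h->height == 0) return false;
    if (h->bytes_per_px == 0 || h->bytes_per_px > 4) return false;
    if (h->width > UINT32_MAX / h->height) return false;   /* w*h wraps */
    uint32_t px = h->width * h->height;
    if (px > UINT32_MAX / h->bytes_per_px) return false;   /* px*bpp wraps */
    uint32_t data = px * h->bytes_per_px;
    if (data > UINT32_MAX - HDR_BYTES) return false;       /* +header wraps */
    uint32_t total = data + HDR_BYTES;
    if (total > MAX_IMAGE_BYTES || total > file_len) return false;
    *out = total;
    return true;
}

int main(void)
{
    struct img_hdr bad = { 0x10000u, 0x10000u, 1u };  /* constructed input */
    uint32_t n = 0;
    printf("unchecked size: %u\n", (unsigned)unchecked_alloc_size(&bad));
    printf("checked accepts: %d\n", checked_alloc_size(&bad, 1024, &n));
    return 0;
}
```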

This vulnerability may be present in applications that import the vulnerable function. At the time of writing, it is not known if third-party applications are affected by this vulnerability.

Symantec AntiVirus Products
Heuristic detections were released on December 24, 2004 to detect possible exploits of this vulnerability. Symantec AntiVirus products will detect files that contain code to exploit this vulnerability as Bloodhound.Exploit.19 or Bloodhound.Exploit.20.

Symantec Enterprise Security Manager
Symantec Enterprise Security Manager™ posted an update to the OS Patch Policy that detects and reports systems that are not patched against this vulnerability. Click here for the advisory released January 12, 2005.

Symantec Vulnerability Assessment
Symantec Vulnerability Assessment detects and reports this vulnerability. Click here for the advisory released January 13, 2005.

Symantec Network Security 7100
As of December 29, 2004, users of Symantec Network Security 7100 can update to Security Update 7 to detect attempts to exploit this vulnerability. Click here for more information. This update is available via LiveUpdate.

Platforms Affected
Avaya DefinityOne Media Servers
Avaya IP600 Media Servers
Avaya S3400 Message Application Server
Avaya S8100 Media Servers
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Server
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Terminal Services
Microsoft Windows 2000 Terminal Services SP1
Microsoft Windows 2000 Terminal Services SP2

Components Affected
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows NT Enterprise Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP5
Microsoft Windows NT Enterprise Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT Enterprise Server 4.0 SP2
Microsoft Windows NT Enterprise Server 4.0 SP1
Microsoft Windows NT Enterprise Server 4.0
Microsoft Windows NT Server 4.0 SP6a
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0
Microsoft Windows NT Terminal Server 4.0 SP6a
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Terminal Server 4.0 SP5
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional

Recommendations
Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Network intrusion detection systems should be deployed to monitor all network traffic for signs of suspicious or anomalous activities. This may aid in detection of attacks that attempt to exploit latent vulnerabilities, as well as detection of malicious activity that may occur if such attacks are successful.

Do not accept or execute files from untrusted or unknown sources.
To exploit this issue, an attacker must entice a user to open a malicious file. Users should refrain from opening files that originate from untrusted or unknown sources.

Do not follow links provided by unknown or untrusted sources.
An attacker may host a malicious file on a Web site and entice users to follow a link to the site. Users should refrain from following links that originate from questionable or unknown sources.

Implement multiple redundant layers of security.
Memory protection schemes such as non-executable stack and heap configurations and randomly mapped memory segments will complicate exploitation of memory corruption vulnerabilities.

Microsoft has released updates to address this vulnerability on supported platforms.


Microsoft Windows 2000 Advanced Server SP4:

Microsoft Upgrade Security Update for Windows 2000 (KB891711)
http://www.microsoft.com/downloads/details.aspx?familyid=722C6C65-3F6C-4029-8EB7-D4612A785E78&displaylang=en

Microsoft Windows 2000 Advanced Server SP3:
Microsoft Upgrade Security Update for Windows 2000 (KB891711)
http://www.microsoft.com/downloads/details.aspx?familyid=722C6C65-3F6C-4029-8EB7-D4612A785E78&displaylang=en

Microsoft Windows 2000 Advanced Server SP2:
Microsoft Windows 2000 Advanced Server SP1:
Microsoft Windows 2000 Advanced Server :
Microsoft Windows 2000 Datacenter Server SP4:
Microsoft Windows 2000 Datacenter Server SP3:
Microsoft Windows 2000 Datacenter Server SP2:
Microsoft Windows 2000 Datacenter Server SP1:
Microsoft Windows 2000 Datacenter Server :
Microsoft Windows 2000 Professional SP4:
Microsoft Upgrade Security Update for Windows 2000 (KB891711)
http://www.microsoft.com/downloads/details.aspx?familyid=722C6C65-3F6C-4029-8EB7-D4612A785E78&displaylang=en

Microsoft Windows 2000 Professional SP3:
Microsoft Upgrade Security Update for Windows 2000 (KB891711)
http://www.microsoft.com/downloads/details.aspx?familyid=722C6C65-3F6C-4029-8EB7-D4612A785E78&displaylang=en

Microsoft Windows 2000 Professional SP2:
Microsoft Windows 2000 Professional SP1:
Microsoft Windows 2000 Professional :
Microsoft Windows 2000 Server SP4:
Microsoft Upgrade Security Update for Windows 2000 (KB891711)
http://www.microsoft.com/downloads/details.aspx?familyid=722C6C65-3F6C-4029-8EB7-D4612A785E78&displaylang=en

Microsoft Windows 2000 Server SP3:
Microsoft Upgrade Security Update for Windows 2000 (KB891711)
http://www.microsoft.com/downloads/details.aspx?familyid=722C6C65-3F6C-4029-8EB7-D4612A785E78&displaylang=en

Microsoft Windows 2000 Server SP2:
Microsoft Windows 2000 Server SP1:
Microsoft Windows 2000 Server :
Microsoft Windows NT Enterprise Server 4.0 SP6a:
Microsoft Upgrade Security Update for Windows NT Server 4.0 (KB891711)
http://www.microsoft.com/downloads/details.aspx?familyid=4604400A-287E-48CC-91B1-BEE44EEA588C&displaylang=en

Microsoft Windows NT Enterprise Server 4.0 SP6:
Microsoft Windows NT Enterprise Server 4.0 SP5:
Microsoft Windows NT Enterprise Server 4.0 SP4:
Microsoft Windows NT Enterprise Server 4.0 SP3:
Microsoft Windows NT Enterprise Server 4.0 SP2:
Microsoft Windows NT Enterprise Server 4.0 SP1:
Microsoft Windows NT Enterprise Server 4.0:
Microsoft Windows NT Server 4.0 SP6a:
Microsoft Upgrade Security Update for Windows NT Server 4.0 (KB891711)
http://www.microsoft.com/downloads/details.aspx?familyid=4604400A-287E-48CC-91B1-BEE44EEA588C&displaylang=en

Microsoft Windows NT Server 4.0 SP6:
Microsoft Windows NT Server 4.0 SP5:
Microsoft Windows NT Server 4.0 SP4:
Microsoft Windows NT Server 4.0 SP3:
Microsoft Windows NT Server 4.0 SP2:
Microsoft Windows NT Server 4.0 SP1:
Microsoft Windows NT Server 4.0:
Microsoft Windows NT Terminal Server 4.0 SP6a:
Microsoft Windows NT Terminal Server 4.0 SP6:
Microsoft Upgrade Security Update for Windows NT 4.0, Terminal Server Edition (KB891711)
http://www.microsoft.com/downloads/details.aspx?familyid=94A0B521-4C39-4D15-AA80-068C30476E6F&displaylang=en

Microsoft Windows NT Terminal Server 4.0 SP5:
Microsoft Windows NT Terminal Server 4.0 SP4:
Microsoft Windows NT Terminal Server 4.0 SP3:
Microsoft Windows NT Terminal Server 4.0 SP2:
Microsoft Windows NT Terminal Server 4.0 SP1:
Microsoft Windows NT Terminal Server 4.0:
Microsoft Windows NT Workstation 4.0 SP6a:
Microsoft Windows NT Workstation 4.0 SP6:
Microsoft Windows NT Workstation 4.0 SP5:
Microsoft Windows NT Workstation 4.0 SP4:
Microsoft Windows NT Workstation 4.0 SP3:
Microsoft Windows NT Workstation 4.0 SP2:
Microsoft Windows NT Workstation 4.0 SP1:
Microsoft Windows NT Workstation 4.0:
Microsoft Windows Server 2003 Datacenter Edition :
Microsoft Upgrade Security Update for Windows Server 2003 (KB891711)
http://www.microsoft.com/downloads/details.aspx?familyid=CBCCADF6-449A-4D74-937D-4087A6E6C1C2&displaylang=en

Microsoft Windows Server 2003 Enterprise Edition :
Microsoft Upgrade Security Update for Windows Server 2003 (KB891711)
http://www.microsoft.com/downloads/details.aspx?familyid=CBCCADF6-449A-4D74-937D-4087A6E6C1C2&displaylang=en

Microsoft Windows Server 2003 Standard Edition :
Microsoft Upgrade Security Update for Windows Server 2003 (KB891711)
http://www.microsoft.com/downloads/details.aspx?familyid=CBCCADF6-449A-4D74-937D-4087A6E6C1C2&displaylang=en

Microsoft Windows Server 2003 Web Edition :
Microsoft Upgrade Security Update for Windows Server 2003 (KB891711)
http://www.microsoft.com/downloads/details.aspx?familyid=CBCCADF6-449A-4D74-937D-4087A6E6C1C2&displaylang=en

Microsoft Windows XP Home SP1:
Microsoft Upgrade Security Update for Windows XP (KB891711)
http://www.microsoft.com/downloads/details.aspx?familyid=8850954D-57D9-4D23-9AA1-1CCF6085A057&displaylang=en

Microsoft Windows XP Home :
Microsoft Windows XP Professional SP1:
Microsoft Upgrade Security Update for Windows XP (KB891711)
http://www.microsoft.com/downloads/details.aspx?familyid=8850954D-57D9-4D23-9AA1-1CCF6085A057&displaylang=en

Microsoft Windows XP Professional :

References

Source: Microsoft Security Bulletin MS05-002
URL: http://www.microsoft.com/technet/security/bulletin/MS05-002.mspx

Source: Technet Security
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/default.asp

Credits
Discovery is credited to flashsky fangxing. This vulnerability was also independently discovered by eEye Digital Security.


Copyright © by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.