HTTP GDI EMF Remote Code Exec

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects attempts to exploit a remote code execution vulnerability that exists in the Graphics Rendering Engine because of the way that it handles Enhanced Metafile (EMF) images.

Additional Information

A remote code execution vulnerability exists in the way that GDI handles filename parameters in EMF files. The vulnerability could allow remote code execution if a user opens a specially crafted EMF image file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2008-1087.

Affected

  • Microsoft Windows 2000 SP4
  • Windows XP SP2
  • Windows XP Professional x64 Edition
  • Windows XP Professional x64 Edition SP2
  • Windows Server 2003 SP1
  • Windows Server 2003 SP2
  • Windows Server 2003 x64 Edition
  • Windows 2003 Server x64 Edition SP2
  • Windows Server 2003 with SP1 for Itanium-based Systems
  • Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Vista and Windows Vista SP1
  • Windows Vista x64 Edition
  • Windows Vista x64 Edition SP1
  • Windows Vista for Itanium-based systems
  • Windows Vista for Itanium-based systems SP1
  • Windows Server 2008

Response

Download and install all patches from Microsoft regarding this vulnerability.

Possible False Positives

There are no known false positives associated with this signature.