Date Discovered September 14, 2004
Description Microsoft (Graphics Device Interface) GDI+ JPEG handler is reported prone to an integer underflow vulnerability when handling JPEG format images. This issue presents itself due to a lack of sufficient sanity checks performed on certain JPEG data before this data employed as a bounds value for a memory copy operation.
A specially crafted JPEG image may trigger this vulnerability and result in the execution of arbitrary attacker-supplied code. Code execution would occur in the context of the user who is running the vulnerable software.
**Update: This issue is similar in nature to BID 1503, discovered by Solar Designer.
** An exploit that opens a command shell on the local vulnerable system as soon as the image is viewed has been released. Symantec has confirmed that this exploit code is functional. It is important to note that this exploit could potentially be modified to execute other code on the system. Administrators should remain vigilant and patch all vulnerable systems.
- Avaya DefinityOne Media Servers
- Avaya IP600 Media Servers
- Avaya S3400 Message Application Server
- Avaya S8100 Media Servers
- Business Objects Crystal Enterprise 10.0.0
- Business Objects Crystal Enterprise 9.0.0
- Business Objects Crystal Reports 10.0.0
- Business Objects Crystal Reports 9.0.0
- Microsoft .NET Framework 1.0 SP2
- Microsoft .NET Framework 1.1
- Microsoft .NET Framework SDK 1.0
- Microsoft .NET Framework SDK 1.0 SP1
- Microsoft .NET Framework SDK 1.0 SP2
- Microsoft Digital Image Pro 7.0
- Microsoft Digital Image Pro 9.0
- Microsoft Digital Image Suite 9.0
- Microsoft Excel 2002
- Microsoft Excel 2002 SP1
- Microsoft Excel 2002 SP2
- Microsoft Excel 2002 SP3
- Microsoft Excel 2003
- Microsoft FrontPage 2002
- Microsoft FrontPage 2002 SP1
- Microsoft FrontPage 2002 SP3
- Microsoft FrontPage 2003
- Microsoft Greetings 2002
- Microsoft InfoPath 2003
- Microsoft Internet Explorer 6.0 SP1
- Microsoft MSN Messenger Service 9.0
- Microsoft Office 2003
- Microsoft Office 2003 SP1
- Microsoft Office XP
- Microsoft Office XP SP1
- Microsoft Office XP SP2
- Microsoft Office XP SP3
- Microsoft OneNote 2003
- Microsoft Outlook 2002
- Microsoft Outlook 2002 SP1
- Microsoft Outlook 2002 SP2
- Microsoft Outlook 2002 SP3
- Microsoft Outlook 2003
- Microsoft Picture It! 2002
- Microsoft Picture It! 7.0
- Microsoft Picture It! 9.0
- Microsoft Picture It! Library
- Microsoft Platform SDK Redistributable: GDI+
- Microsoft PowerPoint 2002
- Microsoft PowerPoint 2002 SP1
- Microsoft PowerPoint 2002 SP2
- Microsoft PowerPoint 2002 SP3
- Microsoft PowerPoint 2003
- Microsoft Producer for Microsoft Office PowerPoint
- Microsoft Project 2002
- Microsoft Project 2002 SP1
- Microsoft Project 2003
- Microsoft Publisher 2002
- Microsoft Publisher 2002 SP3
- Microsoft Publisher 2003
- Microsoft Visio 2002
- Microsoft Visio 2002 Professional SP2
- Microsoft Visio 2002 SP1
- Microsoft Visio 2002 SP2
- Microsoft Visio 2002 Standard SP2
- Microsoft Visio 2003
- Microsoft Visio 2003 Professional
- Microsoft Visio 2003 Standard
- Microsoft Visual Basic .NET Standard 2002
- Microsoft Visual Basic .NET Standard 2003
- Microsoft Visual C# .NET Standard 2002
- Microsoft Visual C# .NET Standard 2003
- Microsoft Visual C++ .NET Standard 2002
- Microsoft Visual C++ .NET Standard 2003
- Microsoft Visual FoxPro 8.0
- Microsoft Visual FoxPro Runtime Library 8.0
- Microsoft Visual J# .NET Standard 2003
- Microsoft Visual Studio .NET 2002
- Microsoft Visual Studio .NET 2003
- Microsoft Windows Messenger 5.0
- Microsoft Windows Server 2003 Datacenter Edition
- Microsoft Windows Server 2003 Datacenter Edition Itanium
- Microsoft Windows Server 2003 Enterprise Edition
- Microsoft Windows Server 2003 Enterprise Edition Itanium
- Microsoft Windows Server 2003 Standard Edition
- Microsoft Windows Server 2003 Web Edition
- Microsoft Windows XP 64-bit Edition
- Microsoft Windows XP 64-bit Edition SP1
- Microsoft Windows XP 64-bit Edition Version 2003
- Microsoft Windows XP Home
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Professional
- Microsoft Windows XP Professional SP1
- Microsoft Word 2002
- Microsoft Word 2002 SP1
- Microsoft Word 2002 SP2
- Microsoft Word 2002 SP3
- Microsoft Word 2003
Do not accept or execute files from untrusted or unknown sources. A remote attacker will need to present a JPEG file to a victim user in order to exploit this vulnerability. Avoid accepting or opening files that originate from a user of questionable integrity.
Do not follow links provided by unknown or untrusted sources. A remote attacker may exploit this vulnerability through a remote Web site. Avoid following links that originate from a user of questionable integrity.
Run all software as a nonprivileged user with minimal access rights. Run all applications with the minimum amount of privileges required to function adequately. This action can limit the impact of a successful attack.
Do not open email messages from unknown or untrusted individuals.
A remote attacker may exploit this vulnerability through email. Avoid accepting or opening unsolicited emails that originate from a user of questionable integrity.
Microsoft has released a security bulletin MS04-028 and fixes to address this issue in affected products. Additionally, the vendor reports that this issue is addressed in Microsoft Office 2003 Service Pack 1 for Office 2003, Microsoft Visio 2003 Service Pack 1 for Visio 2003 and Microsoft Project 2003 Service Pack 1 for Project 2003.
The vendor also reports that customers that have installed MSN 9, and have chosen to install Picture It! Express version 9 and Picture It! Library, should install the Picture It! version 9 update.
Customers are advised to access the referenced advisory for further information pertaining to obtaining and applying appropriate updates.
Avaya has released an advisory that acknowledges this vulnerability for
Avaya products. Customers are advised to apply the appropriate fix for Microsoft Internet Explorer to the affected Avaya Platforms. Please see the referenced Avaya advisory at the following location for further details:
Microsoft has released a revision to their original advisory. Microsoft Office XP service pack 2 has been reported vulnerable to this issue. The update released for Office XP service pack 3 will patch this issue.
Business Objects has issued fixes for Crystal Reports 9 and 10 and Crystal Enterprise 9 and 10.
Microsoft has updated bulletin MS04-028 to include new fixes for Visual FoxPro 8.0, Visual FoxPro 8.0 Runtime Library, .NET Framework 1.0 Service Pack 2, and .NET Framework 1.1. Additionally, Windows Messenger 5.1 has been released containing a fixed version of the vulnerable library.
Symantec products such as Norton SystemWorks, Norton Password Manager, and Symantec Norton Internet Security Professional do include the affected library but are not prone to this vulnerability since the library is not used to process JPEG images. Nonetheless, updated versions of the library may be obtained through LiveUpdate. Further details may be found in the attached "Symantec Completes Update of Microsoft's Graphic Device Interface Component" advisory.
Credits This issue was discovered by Cassidy Macfarlane and later independently rediscovered by Nick Debaggis. The issue is similar in nature to BID 1503, discovered by Solar Designer.
Copyright © Symantec Corporation.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from firstname.lastname@example.org
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and email@example.com
are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.