iPolicy Networks Security Advisory
 

Microsoft GDI+ WMF File Integer Overflow Vulnerability

Date Discovered: 10/13/2009
Severity: High
Operating Systems Affected: Microsoft Windows 2000 SP4
                            Microsoft Windows XP SP2
                            Microsoft Windows XP SP3
                            Microsoft Windows XP Professional x64 SP2
Application Affected: Microsoft Internet Explorer
Type: Remote
Identifiers: CVE-2009-2500
Synopsis
Microsoft Windows GDI+ is prone to an integer overflow that leads to a heap-based buffer overflow. Specifically, a length value read from a WMF file is used, without adequate validation, as the counter of a memcpy() operation whose destination is a heap-allocated buffer.
Recommended Actions
Apply the vendor patches described in Microsoft Security Bulletin MS09-062:
http://www.microsoft.com/technet/security/bulletin/ms09-062.mspx
Threat Analysis
This vulnerability exists in the way GDI+ computes buffer sizes when handling WMF image files. A length field taken from the file can overflow the arithmetic used to size a heap allocation, so the buffer obtained is smaller than the data that is subsequently copied into it. The condition is triggered when a user opens a specially crafted WMF image file or browses to a web site that serves such content, for example embedded in a page rendered by Internet Explorer.

The root cause is that GDI+ does not properly validate and bound the length values it reads from the file before using them both to size heap buffers and to drive the copy into those buffers.
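The following C program is an illustrative example added to this advisory; it is not GDI+ source and does not claim to reproduce the exact function or structure that was patched. It shows the generic pattern the two paragraphs above describe: a 32-bit record size read from a WMF record header (the public 16-bit WMF record layout: a 4-byte RecordSize in 16-bit words, a 2-byte RecordFunction, then parameters) is doubled to obtain a byte count. In the unchecked form the multiplication wraps, so a tiny heap buffer would be allocated while the copy still trusts the original count. The hardened form rejects sizes that would wrap, that are smaller than the fixed header, or that exceed the bytes actually present. Both sample inputs are constructed here for the demonstration.

```c
/*
 * Illustrative example added to this advisory (not GDI+ code): the
 * "length from the file drives a heap allocation and a memcpy()" pattern,
 * unchecked and hardened side by side. Record layout follows the public
 * 16-bit WMF format: uint32 RecordSize (in 16-bit words, includes the
 * header), uint16 RecordFunction, then (RecordSize*2 - 6) parameter bytes.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WMF_REC_HDR_BYTES 6u
#define WMF_MAX_WORDS     (UINT32_MAX / 2u)   /* largest size that cannot wrap */

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* VULNERABLE pattern: the word count is doubled in 32-bit arithmetic.
 * For RecordSize = 0x80000003 the product wraps to 6, so malloc() would
 * return a 6-byte buffer while a copy driven by the original count runs
 * far past it (the heap overflow). Only the arithmetic is shown here. */
uint32_t record_bytes_unchecked(uint32_t size_words) {
    return size_words * 2u;                  /* silently wraps on overflow */
}

/* HARDENED: returns the byte length, or 0 if the value must be rejected.
 * 0 is unambiguous because a valid record is never shorter than its header. */
size_t record_bytes_checked(uint32_t size_words, size_t avail) {
    if (size_words > WMF_MAX_WORDS) return 0;   /* size_words*2 would wrap */
    size_t bytes = (size_t)size_words * 2u;
    if (bytes < WMF_REC_HDR_BYTES) return 0;    /* cannot hold its own header */
    if (bytes > avail) return 0;                /* runs past the data present */
    return bytes;
}

/* Walk a record stream with the hardened check. Each record's parameters
 * are copied into a freshly allocated heap buffer, as the unchecked code
 * would do, but only after the length is proven to fit in the input.
 * Returns the number of records parsed before META_EOF, or -1 on
 * malformed input. */
int parse_wmf_records(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int n = 0;
    while (off + WMF_REC_HDR_BYTES <= len) {
        uint32_t size_words = rd32le(buf + off);
        uint16_t func = rd16le(buf + off + 4);
        size_t bytes = record_bytes_checked(size_words, len - off);
        if (bytes == 0) return -1;              /* hostile or truncated record */
        if (func == 0x0000) break;              /* META_EOF ends the stream */
        size_t params = bytes - WMF_REC_HDR_BYTES;
        uint8_t *heap = malloc(params ? params : 1);
        if (!heap) return -1;
        memcpy(heap, buf + off + WMF_REC_HDR_BYTES, params); /* params <= len-off-6 */
        free(heap);
        off += bytes;
        n++;
    }
    return n;
}

/* Constructed sample: one META_SETMAPMODE record (RecordSize = 4 words,
 * function 0x0103, one 16-bit parameter = MM_ANISOTROPIC) then META_EOF. */
static const uint8_t GOOD_WMF[] = {
    0x04,0x00,0x00,0x00, 0x03,0x01, 0x08,0x00,
    0x03,0x00,0x00,0x00, 0x00,0x00 };

/* Constructed hostile record: RecordSize = 0x80000003 words. */
static const uint8_t BAD_WMF[] = {
    0x03,0x00,0x00,0x80, 0x03,0x01, 0x08,0x00 };

int main(void) {
    printf("unchecked bytes for 0x80000003 words: %u\n",
           (unsigned)record_bytes_unchecked(0x80000003u));
    printf("checked   bytes for 0x80000003 words: %zu (0 = rejected)\n",
           record_bytes_checked(0x80000003u, 1024));
    printf("good stream: %d record(s)\n", parse_wmf_records(GOOD_WMF, sizeof GOOD_WMF));
    printf("bad  stream: %d\n", parse_wmf_records(BAD_WMF, sizeof BAD_WMF));
    return 0;
}
```

The check against `len - off` is the part most often missing from parsers of this kind: rejecting wraparound alone still lets a file claim a record far larger than the bytes remaining, which turns into an over-read on the source side of the copy.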

An attacker who successfully exploited this vulnerability could execute arbitrary code in the context of the user who opened the file or visited the page. If that user holds administrative rights, the attacker could take complete control of the affected system: install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured with fewer rights are correspondingly less exposed.
References

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2500

Write-up by: Aditya Chaturvedi