Severity: High
9 September, 2008
Summary:
§ These vulnerabilities affect: Recent versions of Windows and many other Microsoft products (see “Exposure” section for full details)
§ How an attacker exploits them: By enticing your users into viewing malicious images or graphical content, including content hosted on a malicious Web site
§ Impact: Remote attacker can execute code, potentially gaining complete control of your computers
§ What to do: Install the appropriate Microsoft patches immediately
Severity: High
9 September, 2008
Summary:
§ These vulnerabilities affect: Recent versions of Windows and many other Microsoft products (see “Exposure” section for full details)
§ How an attacker exploits them: By enticing your users into viewing malicious images or graphical content, including content hosted on a malicious Web site
§ Impact: Remote attacker can execute code, potentially gaining complete control of your computers
§ What to do: Install the appropriate Microsoft patches immediately
Exposure:
Today, Microsoft released a security bulletin describing five vulnerabilities that affect the Graphical Device Interface (GDI+), one of the core Windows subsystems responsible for outputting graphical objects to your monitor or printer. Since it’s such an essential subsystem, the GDI+ component resides in many other Microsoft products as well. For that reason, these vulnerabilities also affect the following products to some extent:
§ Internet Explorer
§ Office
§ Visio
§ Works
§ .NET Framework
§ Digital Image Suite
§ SQL Server
§ Visual Studio
§ Report Viewer
§ Visual FoxPro
§ Forefront Client Security
While the five vulnerabilities differ technically, they all involve flaws in the way GDI+ handles different types of images or graphic objects, and all have the same result. By tricking one of your users into viewing a specially crafted image, or malicious web site containing booby-trapped graphical content, an attacker could exploit any of these flaws to execute code on that user’s computer, with the user’s privileges. If your users have local administrator privileges, an attacker could leverage these flaws to gain complete control of their Windows machines.
The primary difference of note between these flaws has to do with which graphic files the attacker can use to exploit them. The potentially dangerous images and graphic objects that could trigger these flaws include:
§ BMP images (.bmp)
§ GIF images (.gif)
§ EMF images (.emf)
§ WMF images (.wmf)
§ VML graphical objects
These flaws pose a very serious risk and affect quite a menagerie of Microsoft software. You should apply the patches immediately.
Solution Path:
Microsoft has released patches for Windows, and many other products, which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately.
§ Windows
§ 2000
§ XP
§ XP x64
§ Vista
§ Office
§ XP
§ 2003
§ 2007
§ Office related software
§ Works 8
§ SQL Server
§ SQL Server 2000 (all versions) [QFE ]
§ SQL Server 2005 (all versions) [ GDR / QFE ]
Note: For the differences between GDR and QFE releases, see this Microsoft blog post
§ Developer Tools
§ Visual Studio
§ 2002
§ 2003
§ 2005
§ 2008
§ Report Viewer
§ 2005
§ 2008
§ Visual FoxPro (when installed on Windows 2000)
§ 8.0
§ Microsoft Platform SDK Redistributable: GDI+
§ Security Software
§ Forefront Client Security 1.0
For All WatchGuard Users:
WatchGuard Firebox administrators can configure the HTTP and SMTP proxies to block the affected image files. However, this would significantly hinder your users’ Web browsing experience. Therefore, the patches above are your best solution.
Status:
Microsoft has released patches correcting these issues.
References:
§ Microsoft Security Bulletin MS08-052