iDefense Security Advisory 08.12.08: Microsoft Windows Color Management Module Heap Buffer Overflow Vulnerability
iDefense Security Advisory 08.12.08
http://labs.idefense.com/intelligence/vulnerabilities/
Aug 12, 2008
I. BACKGROUND
Microsoft Windows Color Management Module provides consistent color
mappings between different devices and applications. It is also used to
transform colors between color spaces. For more information about
Windows Color Management, visit the following URL.
http://www.microsoft.com/whdc/archive/icmwp.mspx
II. DESCRIPTION
Remote exploitation of a heap-based buffer overflow vulnerability in
multiple versions of Microsoft Corp.'s Windows operating system allows
an attacker to execute arbitrary code with the privileges of the
current user.
This vulnerability specifically exists in the InternalOpenColorProfile
function in mscms.dll. When a malformed parameter is supplied, a
heap-based buffer overflow can occur, resulting in an exploitable
condition.
III. ANALYSIS
Exploitation allows an attacker to execute arbitrary code with the
privileges of the current user. Exploitation would require convincing a
targeted user to view a malicious image file either hosted on a Web
server, on local file system or embedded in an-email or Office
documents, or through some form of social engineering.
This vulnerability also can be triggered through e-mail. If the e-mail
client can automatically display images embedded in the e-mail, the
user only needs to open the e-mail to trigger the vulnerability.
Currently an EMF file is used as test attack vector. Outlook and
Outlook Express will automatically display EMF image and trigger the
vulnerability. Lotus Notes and Thunderbird do not display EMF images in
e-mail directly, but the vulnerability still can be triggered when
opening or viewing the EMF attachment.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in the
following Microsoft products:
Windows 2000 Service Pack 4
Windows XP Service Pack 2
Windows Server 2003 Service Pack 1
Windows Server 2003 Service Pack 2
The following products are not affected:
Windows Vista
Windows Vista Service Pack 1
Windows Server 2008
V. WORKAROUND
In order to prevent exploitation of this vulnerability, turn off
metafile processing by modifying the registry. Under the registry key,
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\GRE_Initialize" create a DWORD entry
"DisableMetaFiles" and set it to 1.
Keep in mind that this only blocks the attack vector through Windows
metafiles. It may be possible to exploit this vulnerability through
other attack vectors.
Note: Modifying the registry does not affect processes that are already
running, so you may need to log off and log on again or restart the
computer after making the change.
Implementing this workaround may cause components relying on metafile
processing, such as printing, to misbehave.
Viewing e-mail in plain text format mitigates e-mail-based attack.
VI. VENDOR RESPONSE
Microsoft has officially addressed this vulnerability with Security
Bulletin MS08-046. For more information, consult their bulletin at the
following URL.
http://www.microsoft.com/technet/security/bulletin/ms08-046.mspx
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-2245 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
04/10/2008 Initial vendor notification
04/16/2008 Initial vendor response
08/12/2008 Coordinated public disclosure
IX. CREDIT
This vulnerability was discovered by Jun Mao of iDefense Labs.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2008 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@xxxxxxxxxxxx for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.