Assurent VR - Microsoft Windows Graphics Rendering Engine WMF Parsing Buffer Overflow

[VR-Subscription-noreply () assurent com]

Microsoft Windows Graphics Rendering Engine WMF Parsing Buffer Overflow

Assurent ID: FSC20080909-12

1. Affected Software

  Digital Image Suite 2006
  Forefront Client Security 1.0
  Microsoft Office 2003 SP2, SP3
  Microsoft Office PowerPoint Viewer 2003
  Microsoft Windows XP prior to SP3
  Microsoft Windows Vista
  Microsoft Windows Server 2003
  Microsoft Windows Server 2008
  Microsoft Works 8

Reference: http://www.microsoft.com/

2. Vulnerability Summary

A vulnerability has been discovered in the Graphics Rendering Engine (GRE) component of Microsoft Windows. Specifically 
this vulnerability is exposed by the Microsoft Windows GDI+ subsystem. The vulnerability is created by an error in 
parsing certain Windows Metafile (WMF) files, a standard image file format used by many commonly-used software 
applications.

3. Vulnerability Analysis

A remote attacker may exploit the vulnerability by sending a malicious WMF file to the target system and enticing the 
target user to view or preview it. A successful code execution attempt will result in arbitrary code to be executed 
within the security privileges of the currently logged in user. An unsuccessful attack attempt will result in abnormal 
termination of the program used for opening the malicious file. 

Applications affected by this vulnerability include Windows Explorer, Internet Explorer, Microsoft Paint, Windows 
Picture and Fax Viewer, and various Microsoft Office products. Note that the vulnerable file may be embedded inside 
other formats in the form of OLE objects, allowing the malicious file to appear as RTF files, Microsoft Office 
documents, or other formats.

4. Vulnerability Detection

Assurent has confirmed the vulnerability in:

  Digital Image Suite 2006
  Forefront Client Security 1
  Microsoft Office 2003 SP2, SP3
  Microsoft Office PowerPoint Viewer 2003
  Microsoft Windows XP prior to SP3
  Microsoft Windows Vista
  Microsoft Windows Server 2003
  Microsoft Windows Server 2008
  Microsoft Works 8

5. Workaround

Apply the vendor patch, remove file associations to WMF files to avoid opening them, disable thumbnail previews while 
browsing files, or block the downloading of WMF resources from untrusted networks.

6. Vendor Response

Microsoft has released a bulletin addressing this vulnerability. 

Reference: http://www.microsoft.com/technet/security/Bulletin/MS08-052.mspx

7. Disclosure Timeline

  2007-03-20 Reported to vendor
  2007-03-22 Initial vendor response
  2008-09-09 Coordinated public disclosure

8. Credits

Vulnerability Research Team, Assurent Secure Technologies, a TELUS company

9. References

  CVE: CVE-2008-3014
  Vendor: MS08-052

10. About Assurent VRS

Assurent's Vulnerability Research Service (VRS) for security product vendors, and Threat Protection Programs (TPP) for 
MSPs and enterprise security teams, help to eliminate the significant costs incurred by security product vendors, MSPs, 
and enterprise security teams in responding to and managing critical new security vulnerabilities and other threats 
including worm & virus outbreaks and other malware. The VRS and TPP services are real-time feeds providing subscribers 
with detailed analysis of the top security vulnerabilities, focused on the specific needs of each group of customers. 

http://www.assurent.com/index.php?id=17

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/