
CERT-In Advisory CIAD-2007-17
Multiple Vulnerabilities in Microsoft Windows GDI

Original issue date: April 04, 2007
Updated on: April 11, 2007

Severity Rating: High

Systems Affected

  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows Server 2003 Datacenter Edition
  • Microsoft Windows Server 2003 Enterprise Edition
  • Microsoft Windows Server 2003 Standard Edition
  • Microsoft Windows Server 2003 Web Edition
  • Microsoft Windows Storage Server 2003
  • Microsoft Windows Vista
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional

Overview

Multiple vulnerabilities have been reported in Microsoft Windows that could be exploited by an attacker for malicious purposes, i.e. privilege elevation, denial of service, or compromise of the system.

Description

The Microsoft Windows graphics device interface (GDI) enables applications to use graphics and formatted text on both the video display and the printer.

The Windows Metafile (WMF) image format is a 16-bit metafile format that can contain both vector information and bitmap information.

The Enhanced Metafile (EMF) image format is a 32-bit format that can contain both vector information and bitmap information.

1. GDI Local Elevation of Privilege Vulnerability (CVE-2006-5758)

This privilege elevation vulnerability is caused by an error in the way the Windows Graphics Rendering Engine handles memory reserved for the Windows kernel while processing “.wmf” and “.emf” files.

The attacker could exploit this vulnerability by logging on to the system. Executing a program as a regular user allows an attacker to take complete control of the system.

2. WMF Denial of Service Vulnerability (CVE-2007-1211)

This denial of service vulnerability is caused by an invalid memory reference while reading a data value.

An attacker could exploit this vulnerability by creating a specially crafted “.wmf” file and persuading a user to open the file. Successful exploitation of the vulnerability causes the system to stop responding.

3. EMF Elevation of Privilege Vulnerability (CVE-2007-1212)

The vulnerability is caused by an unchecked buffer in Windows GDI while rendering Enhanced Metafile (EMF) image format files.

The attacker could exploit this vulnerability by logging on to the system. Executing a program as a regular user allows an attacker to take complete control of the system.

4. GDI Invalid Window Size Elevation of Privilege Vulnerability (CVE-2006-5586)

This privilege elevation vulnerability is caused by the processing of invalid application window sizes.

The attacker could exploit this vulnerability by logging on to the system. Executing a specially crafted application could create a series of layered windows that passes an invalid parameter. This allows an attacker to take complete control of the system.

5. Windows Animated Cursor Remote Code Execution Vulnerability (CVE-2007-0038)

The vulnerability is caused by insufficient format validation prior to rendering cursors (.cur files), animated cursors (.ani files) and icons (.ico files).

For details about the vulnerability, please refer to CERT-In Vulnerability Note CIVN-2007-39.

6. GDI Incorrect Parameter Local Elevation of Privilege Vulnerability (CVE-2007-1215)

This privilege elevation vulnerability is caused by an error in GDI while processing color-related parameters.

The attacker could exploit this vulnerability by logging on to the system and executing a specially designed program. This allows an attacker to take complete control of the system.

7. Font Rasterizer Local Elevation of Privilege Vulnerability (CVE-2007-1213)

The TrueType Font Rasterizer generates character bitmaps for screens and printers, otherwise known as raster devices.

The vulnerability is caused by a call to an uninitialized function pointer while processing defective or modified fonts.

The attacker could exploit this vulnerability by creating a specially crafted font. Rendering of the specially crafted font by the TrueType Font Rasterizer allows an attacker to take complete control of the system.
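
The image formats named in this advisory (WMF, EMF, ANI, CUR, ICO) can be recognised from their header bytes, so a mail or web gateway can identify them even when the file extension says otherwise. The Python code below is an added example, not part of the CERT-In advisory or of Microsoft's bulletin; the function names, file names and sample bytes are constructed for illustration.

```python
import struct

EMF_SIGNATURE = b" EMF"              # dSignature field at offset 40 of an EMF header
WMF_PLACEABLE = b"\xd7\xcd\xc6\x9a"  # placeable-WMF key 0x9AC6CDD7, little-endian
EXPECTED = {".wmf": "wmf", ".emf": "emf", ".ani": "ani", ".cur": "cur", ".ico": "ico"}


def identify_gdi_format(data):
    """Return 'wmf', 'emf', 'ani', 'cur', 'ico' or 'other' from header bytes only."""
    # EMF: first record is EMR_HEADER (type 1) and carries ' EMF' at offset 40.
    if (len(data) >= 44 and struct.unpack_from("<I", data, 0)[0] == 1
            and data[40:44] == EMF_SIGNATURE):
        return "emf"
    # WMF, placeable variant: a 4-byte key precedes the standard header.
    if data[:4] == WMF_PLACEABLE:
        return "wmf"
    # WMF, standard header: type 1 or 2, header size 9 words, version 0x0100/0x0300.
    if len(data) >= 18:
        mtype, hdr_words, version = struct.unpack_from("<HHH", data, 0)
        if mtype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300):
            return "wmf"
    # ANI: RIFF container whose form type is 'ACON'.
    if data[:4] == b"RIFF" and data[8:12] == b"ACON":
        return "ani"
    # ICO/CUR: reserved word 0, type 1 (icon) or 2 (cursor), an image count,
    # then one 16-byte directory entry per image.
    if len(data) >= 6:
        reserved, itype, count = struct.unpack_from("<HHH", data, 0)
        if reserved == 0 and itype in (1, 2) and 0 < count and len(data) >= 6 + 16 * count:
            return "ico" if itype == 1 else "cur"
    return "other"


def triage(filename, data):
    """Return (detected format, True when the extension does not match the content)."""
    detected = identify_gdi_format(data)
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return detected, detected != "other" and EXPECTED.get(ext) != detected


# Constructed sample headers (not real files), padded with zero bytes.
SAMPLES = {
    "chart.emf": struct.pack("<II", 1, 88) + bytes(32) + EMF_SIGNATURE + bytes(44),
    "logo.wmf": struct.pack("<HHH", 1, 9, 0x0300) + bytes(12),
    "photo.jpg": b"RIFF" + struct.pack("<I", 4) + b"ACON",
    "pointer.cur": struct.pack("<HHH", 0, 2, 1) + bytes(16),
}

RESULTS = {name: triage(name, blob) for name, blob in SAMPLES.items()}
```

A header match only identifies the container type; it says nothing about whether the file is malformed, so it is a routing or quarantine aid and not a substitute for the patches in the Solution section.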

Solution

Apply appropriate patches as mentioned in Microsoft Security Bulletin MS07-017.

References

Microsoft
http://www.microsoft.com/technet/security/bulletin/ms07-017.mspx

Secunia
http://secunia.com/advisories/22668/

CVE Name
CVE-2006-5758
CVE-2007-1211
CVE-2007-1212
CVE-2006-5586
CVE-2007-0038
CVE-2007-1215
CVE-2007-1213

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003