
CERT-In Vulnerability Note CIVN-2008-126
Microsoft Windows Image Color Management System Remote Code Execution Vulnerability

Original Issue Date: August 14, 2008

Severity Rating: High

Systems Affected

  • Microsoft Windows 2000 SP4
  • Microsoft Windows XP SP2 and SP3
  • Microsoft Windows XP Professional x64 Edition and x64 Edition SP2
  • Microsoft Windows Server 2003 SP1 and SP2
  • Microsoft Windows Server 2003 x64 Edition and x64 Edition SP2
  • Microsoft Windows Server 2003 with SP1 and SP2 for Itanium-based systems

Overview

A heap-based buffer overflow vulnerability has been reported in the Microsoft Windows Image Color Management (ICM) system that could be exploited by a remote attacker to execute arbitrary code on an affected system.

Description

The vulnerability is caused by a flaw in the way the Microsoft Color Management System (MSCMS) component of the Image Color Management (ICM) system handles memory allocation when it processes a color profile. The flaw exists in the internalOpenColorProfile function in mscms.dll.

An attacker could exploit the vulnerability by convincing a user to open a specially crafted image file, for example one hosted on a web page or attached to an e-mail message. Successful exploitation corrupts heap memory and allows execution of arbitrary code with the privileges of the logged-on user; an account configured with fewer rights on the system is less affected than one running with administrative privileges.
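The bug class described above, as an added example that is not part of this note and is not the code of mscms.dll or of any Microsoft component: a constructed C loader for an ICC color profile that sizes its heap buffer from the profile's own size field (bytes 0-3 of the 128-byte ICC header, big-endian, with the 'acsp' signature at bytes 36-39, per the ICC specification) but copies the whole input, beside a hardened loader that validates the field before allocating and copying. The function names, the ICC_MAX_LEN cap and the sample profiles are assumptions made for the illustration; how internalOpenColorProfile actually mishandles its allocation is not stated on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ICC header (ICC.1 spec): bytes 0-3 = profile size, big-endian; bytes 36-39 =
 * 'acsp'. The loader logic is a constructed illustration, not mscms.dll's. */
#define ICC_HEADER_LEN 128u
#define ICC_MAX_LEN    (16u * 1024u * 1024u)   /* assumed sanity cap */

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Vulnerable pattern: chunk sized from the attacker-controlled header field, copy
 * sized from the real input. A header that claims fewer bytes than the file
 * carries writes past the chunk. Never call this on crafted input. */
uint8_t *vulnerable_open_profile(const uint8_t *file, size_t file_len)
{
    if (file_len < ICC_HEADER_LEN) return NULL;
    uint32_t declared = be32(file);           /* trusted without validation */
    uint8_t *buf = malloc(declared);
    if (buf == NULL) return NULL;
    memcpy(buf, file, file_len);              /* file_len may exceed declared */
    return buf;
}

/* Bytes the vulnerable path would write past its allocation (0 = none). */
size_t vulnerable_overflow_bytes(const uint8_t *file, size_t file_len)
{
    if (file_len < ICC_HEADER_LEN) return 0;
    uint32_t declared = be32(file);
    return file_len > declared ? file_len - (size_t)declared : 0;
}

/* Hardened loader: the size field covers the whole profile, so it must cover a
 * full header, stay under the cap and equal the bytes actually present; the
 * signature must match; the copy then uses the validated size only. */
uint8_t *safe_open_profile(const uint8_t *file, size_t file_len, uint32_t *out_len)
{
    if (file_len < ICC_HEADER_LEN || memcmp(file + 36, "acsp", 4) != 0)
        return NULL;
    uint32_t declared = be32(file);
    if (declared < ICC_HEADER_LEN || declared > ICC_MAX_LEN || declared != file_len)
        return NULL;                          /* inconsistent header: reject */
    uint8_t *buf = malloc(declared);
    if (buf == NULL) return NULL;
    memcpy(buf, file, declared);
    *out_len = declared;
    return buf;
}

/* Constructed profile: header declares `declared` bytes, buffer carries `actual`. */
size_t make_profile(uint8_t *out, size_t cap, uint32_t declared, size_t actual)
{
    if (actual < ICC_HEADER_LEN || actual > cap) return 0;
    memset(out, 0x41, actual);
    out[0] = (uint8_t)(declared >> 24); out[1] = (uint8_t)(declared >> 16);
    out[2] = (uint8_t)(declared >> 8);  out[3] = (uint8_t)declared;
    memcpy(out + 36, "acsp", 4);
    return actual;
}

/* Well-formed profile (declares 512, carries 512): both loaders accept it. */
int demo_wellformed_accepted(void)
{
    uint8_t file[1024]; uint32_t len = 0;
    size_t n = make_profile(file, sizeof file, 512, 512);
    uint8_t *p = safe_open_profile(file, n, &len);
    int ok = p != NULL && len == 512 && vulnerable_overflow_bytes(file, n) == 0;
    free(p);
    return ok;
}

/* Crafted profile (declares 128, carries 1024): the vulnerable path would overrun
 * its 128-byte chunk by 896 bytes; the hardened loader rejects the file. */
size_t demo_crafted_overflow_bytes(void)
{
    uint8_t file[1024];
    size_t n = make_profile(file, sizeof file, 128, 1024);
    return vulnerable_overflow_bytes(file, n);
}

int demo_crafted_rejected(void)
{
    uint8_t file[1024]; uint32_t len = 0;
    size_t n = make_profile(file, sizeof file, 128, 1024);
    return safe_open_profile(file, n, &len) == NULL;
}

int main(void)
{
    printf("well-formed accepted: %d\n", demo_wellformed_accepted());
    printf("crafted: %zu bytes past chunk, rejected: %d\n",
           demo_crafted_overflow_bytes(), demo_crafted_rejected());
    return 0;
}
```

The crafted case is only ever run through the arithmetic helper and the hardened loader; passing it to vulnerable_open_profile would corrupt the heap, and under AddressSanitizer the memcpy aborts with a heap-buffer-overflow report, which is the quickest way to see the defect in a loader of this shape.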

Workarounds

  • Turn off metafile processing by modifying the registry
  • Read e-mail messages in plain text format

For detailed steps and the impact of applying these workarounds, refer to Microsoft Security Bulletin MS08-046. The workarounds reduce exposure to known attack vectors but do not correct the underlying flaw.

Solution

Apply the security update for the affected platform as described in Microsoft Security Bulletin MS08-046.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS08-046.mspx

References

iDefense
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=742

Secunia
http://secunia.com/advisories/31385

SecurityFocus
http://www.securityfocus.com/bid/30594

CVE Name
CVE-2008-2245

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003