CERT-In Vulnerability Note
CIVN-2009-0130
Multiple Remote Code Execution Vulnerabilities in Microsoft Graphic Device Interchange GDI+
Original Issue Date: October 15, 2009
Severity Rating: HIGH
Systems Affected
- Microsoft Windows Server 2008
- Microsoft Windows Server 2008 for x64 based systems
- Microsoft Windows Server 2008 for Itanium based systems
- Microsoft Windows Vista and SP1
- Microsoft Windows Vista x64 edition and SP1
- Microsoft Windows XP Professional x64 Edition Service Pack 2
- Microsoft Windows Server 2003 with SP2 for Itanium-based Systems
- Microsoft Windows Server 2003 x64 Edition Service Pack 2
- Microsoft Windows Server 2003 Service Pack 2
- Microsoft Windows XP SP2 and SP3
- Microsoft Windows 2000 SP4
Component Affected
- Microsoft Internet Explorer 6 SP1
- Microsoft .NET Framework 1.1
- Microsoft .NET Framework 2.0 SP1 and SP2
- RSClientPrint ActiveX Control installed on Windows 2000 SP4
- Microsoft Forefront Client Security 1.0 installed on Windows 2000 SP4
- Microsoft Office XP SP3
- Microsoft Office 2003 SP3 and SP2
- Microsoft Office Project 2002 SP1
- Microsoft Office Visio 2002 SP2
- Microsoft Office Word Viewer
- Microsoft Word Viewer 2003 and SP3
- Microsoft Office Excel Viewer 2003 and SP3
- Microsoft Office Excel Viewer
- PowerPoint Viewer 2007, SP1 and SP2
- Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2
- Microsoft Office Groove 2007 and Microsoft Office Groove 2007 SP1
- SQL Server 2000 Reporting Services SP2
- SQL Server 2005 SP2
- SQL Server 2005 x64 Edition SP2
- SQL Server 2005 for Itanium-based Systems SP2
- SQL Server 2005 SP3
- SQL Server 2005 x64 Edition SP3
- SQL Server 2005 for Itanium-based Systems SP3
- Microsoft Visual Studio 2005 SP1
- Microsoft Visual Studio 2008 and SP1
- Microsoft Report Viewer 2005 SP1 Redistributable Package
- Microsoft Report Viewer 2008 Redistributable Package and SP1
- Microsoft Visual FoxPro 8.0 SP1 and SP2
- Microsoft Platform SDK Redistributable: GDI+
Overview
Multiple remote code execution vulnerabilities have been reported in Microsoft Graphics Device Interchange (GDI+).
An attacker can exploit these vulnerabilities by hosting a web page (or compromising an existing site) that contains specially crafted components, such as a malformed image file or a crafted XBAP (XAML Browser Application), and persuading a user to visit the site, typically by getting them to click a link in an e-mail or instant message that leads to the attacker's site. Alternatively, the attacker can send a crafted image, a crafted .NET application or a malformed Office document to the user and convince the user to open the file.
If a user is logged on with administrative user rights, an attacker who successfully exploits these vulnerabilities could take complete control of the affected system.
Description
1. Windows Meta File (WMF) Processing Integer Overflow Vulnerability (CVE-2009-2500)
The vulnerability is due to insufficient boundary checking on data used in memory operations by the vector graphics library. Processing an overly large user-supplied value within a WMF file can trigger an integer overflow that leads to memory corruption.
2. PNG Image Processing Heap Overflow Vulnerability (CVE-2009-2501)
The vulnerability is due to insufficient boundary checking when the GDI+ vector graphics library processes PNG files.
3. TIFF Image Processing BitsPerSample Tag Buffer Overflow Vulnerability (CVE-2009-2502)
The vulnerability is due to memory allocation errors when processing Tagged Image File Format (TIFF) images. The GDI+ component fails to properly restrict the length of input contained in the processed image before using that input in memory operations, which leads to a buffer overflow.
4. TIFF Memory Corruption Vulnerability (CVE-2009-2503)
The vulnerability is due to improper memory operations when processing input from TIFF files. The GDI+ component fails to restrict the size of input before using it in memory allocation; processing a malformed graphic control extension leads to a buffer overflow and subsequent memory corruption.
5. .NET Framework PropertyItem API Vulnerability (CVE-2009-2504)
The vulnerability is due to certain GDI+ APIs that are accessible from .NET Framework applications.
6. Office BMP Image Processing Integer Overflow Vulnerability (CVE-2009-2518)
The vulnerability is due to errors in processing Office documents that contain malformed BMP image files.
7. Microsoft Office Drawing Format Shape Memory Corruption Vulnerability (CVE-2009-2528)
The vulnerability is due to the parsing of the msofbtOPT Office drawing record type, which provides default values for shape properties.
8. PNG Image Processing Integer Overflow Vulnerability (CVE-2009-3126)
The vulnerability is due to incorrect memory calculations performed after processing a PNG image.
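The size-calculation bug class behind items 1, 3 and 8 above, as an added illustration that is not GDI+ code and not part of this note: a TIFF-style BitsPerSample directory entry whose file-supplied element count is multiplied by the element size. The entry layout follows the TIFF IFD format; the sample bytes and all function names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>

/* Illustrative TIFF directory-entry handling (not GDI+ code). A TIFF IFD
 * entry is 12 bytes, little-endian here:
 *   tag (u16) | type (u16) | count (u32) | value-or-offset (u32)
 * BitsPerSample is tag 258, type SHORT (3), one u16 per sample. */
#define TIFF_TAG_BITSPERSAMPLE 258u
#define TIFF_TYPE_SHORT 3u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The bug class the note describes: a file-supplied count is multiplied by
 * the element size in 32-bit arithmetic. For count 0x80000001 the product
 * wraps to 2, so a 2-byte buffer would be allocated while a copy loop that
 * trusts the original count still runs 0x80000001 times. */
uint32_t unchecked_payload_size(uint32_t count) { return count * 2u; }

/* Hardened reader: the payload must fit the caller's buffer and the file.
 * Returns the number of samples read, or 0 if the entry is rejected. */
size_t read_bits_per_sample(const uint8_t *file, size_t file_len,
                            const uint8_t *entry, uint16_t *out, size_t out_cap) {
    if (rd16(entry) != TIFF_TAG_BITSPERSAMPLE || rd16(entry + 2) != TIFF_TYPE_SHORT)
        return 0;
    uint32_t count = rd32(entry + 4);
    uint64_t need = (uint64_t)count * 2u;          /* widened: cannot wrap */
    if (count == 0 || count > out_cap)
        return 0;
    const uint8_t *src = entry + 8;                /* <= 4 bytes live inline */
    if (need > 4) {
        uint32_t off = rd32(entry + 8);
        if (off > file_len || need > file_len - off) /* no off+need overflow */
            return 0;
        src = file + off;
    }
    for (uint32_t i = 0; i < count; i++)
        out[i] = rd16(src + 2 * i);
    return count;
}

/* Constructed samples: an entry at offset 0 (BitsPerSample, SHORT, count 3,
 * offset 12) followed by the values 8,8,8; the same entry with count
 * 0x80000001; and one with a valid count but an out-of-file offset. */
const uint8_t SAMPLE_FILE[18] = { 0x02,0x01, 0x03,0x00, 3,0,0,0, 12,0,0,0, 8,0, 8,0, 8,0 };
const uint8_t HOSTILE_COUNT[12] = { 0x02,0x01, 0x03,0x00, 0x01,0,0,0x80, 12,0,0,0 };
const uint8_t HOSTILE_OFFSET[12] = { 0x02,0x01, 0x03,0x00, 3,0,0,0, 0xF0,0xFF,0xFF,0xFF };

uint16_t parsed_bps[4];                            /* output of the helper below */
size_t parse_sample_entry(const uint8_t *entry) {
    return read_bits_per_sample(SAMPLE_FILE, sizeof SAMPLE_FILE, entry, parsed_bps, 4);
}
```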
Workaround
- Disable XAML Browser Applications in Internet Explorer
- Disable partially trusted .NET applications
- Disable metafile processing
- Restrict access to the gdiplus.dll component
- Unregister the vgx.dll library
- Prevent RSClientPrint from running in Internet Explorer
- Read e-mails in plain text
- Do not open media files or Office files from suspicious or unrecognized sources
Solution
Apply the appropriate updates as mentioned in Microsoft Security Bulletin MS09-062.
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS09-062.mspx
References
Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS09-062.mspx
http://msdn.microsoft.com/en-us/library/aa970060.aspx
http://blogs.technet.com/srd/archive/2009/10/12/new-attack-surface-reduction-feature-in-gdi.aspx
http://msdn.microsoft.com/en-us/library/c5tk9z76.aspx
http://msdn.microsoft.com/en-us/library/ms159195.aspx
CISCO
http://tools.cisco.com/security/center/viewAlert.x?alertId=19132
http://tools.cisco.com/security/center/viewAlert.x?alertId=19131
http://tools.cisco.com/security/center/viewAlert.x?alertId=19130
http://tools.cisco.com/security/center/viewAlert.x?alertId=19125
http://tools.cisco.com/security/center/viewAlert.x?alertId=19126
http://tools.cisco.com/security/center/viewAlert.x?alertId=19127
http://tools.cisco.com/security/center/viewAlert.x?alertId=19128
http://tools.cisco.com/security/center/viewAlert.x?alertId=19129
Zero Day Initiative
http://www.zerodayinitiative.com/advisories/ZDI-09-072/
Verisign IDefense Labs
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=829
CVE Name
CVE-2009-2500
CVE-2009-2501
CVE-2009-2502
CVE-2009-2503
CVE-2009-2504
CVE-2009-2518
CVE-2009-2528
CVE-2009-3126
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-2436857
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road
New Delhi - 110 003
India