Technical Description

Multiple vulnerabilities have been identified in Microsoft GDI+, which could be exploited by remote attackers to take complete control of an affected system.

The first issue is caused by a heap overflow error when processing gradient sizes handled by the vector graphics link library, which could be exploited to execute arbitrary code via a malicious web site.

The second vulnerability is caused by a memory corruption error when processing a specially crafted EMF image file, which could be exploited to execute arbitrary code via a malicious image.

The third issue is caused by an error when parsing records in a specially crafted GIF image file, which could be exploited to execute arbitrary code via a malicious web site.

The fourth vulnerability is caused by a buffer overflow error when allocating memory when parsing a specially crafted WMF image file, which could be exploited to execute arbitrary code via a malicious image.

The fifth issue is caused by a buffer overflow error when processing a malformed header in a specially crafted BMP image file, which could be exploited to execute arbitrary code via a malicious web site.

Credits

Vulnerabilities reported by Greg MacManus (VeriSign iDefense Labs), Bing Liu (Fortinet FortiGuard Global Security Research Team), Peter Winter-Smith (NGSSoftware), Ivan Fratric, Zero Day Initiative, and Vulnerability Research Team (Assurent Secure Technologies).

ChangeLog

2008-09-09 : Initial release

Vulnerability Management

Subscribe to VUPEN Security VNS and receive real-time e-mail and SMS alerts when new vulnerabilities, exploits, or patches relevant to your systems and network configurations are available.

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form or by email to updates@vupen.com.