kayodeok's Weblog

Tuesday 14 September 2004

MS Security Bulletins - 14 September

Two MS Security Bulletins issued today.

Microsoft Security Bulletin MS04-027

Vulnerability in WordPerfect Converter Could Allow Code Execution

A vulnerability exists in various Microsoft Office products, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error within the WordPerfect Converter and can be exploited to cause a buffer overflow if a user opens a malicious document.

References:

• Technical: Vulnerability in WordPerfect Converter Could Allow Code Execution (884933)
• Knowledgebase: MS04-027: Vulnerability in WordPerfect converter could allow code execution
• Secunia: Microsoft Office WordPerfect Converter Buffer Overflow Vulnerability

Microsoft Security Bulletin MS04-028

Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution

A vulnerability exists in multiple Microsoft products, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error within the GDI+ JPEG Parsing component (Gdiplus.dll). This can be exploited to cause a buffer overflow by tricking a user into viewing a specially crafted JPEG image with any application using the vulnerable component for JPEG image processing.

Successful exploitation allows execution of arbitrary code with the privileges of the user. However, users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.

References:

• Technical: Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)
• Knowledgebase: MS04-028: Buffer overrun in JPEG processing (GDI+) could allow code execution
• Secunia: Microsoft Multiple Products JPEG Processing Buffer Overflow Vulnerability

Related Tools

• Microsoft Baseline Security Analyzer (MBSA)
• Software Update Services (SUS)
• Windows Update
• Microsoft Security Tools

Related Reading

• Description of the Microsoft GDI+ Detection Tool: September 14, 2004
• How to create and use a batch file to silently install multiple GDI+ security updates
• How to Update Your Computer with the JPEG Processing (GDI+) Security Update
• Microsoft Security Development Center: All About GDI+
• Microsoft Security Development Center: GDI+ 1.0 Security Update Overview
• FullDisclosure[1]: Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow
• FullDisclosure[2]: Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow
• JPEG Processing BOF Proof Of Concept
• Exploit for Microsoft JPEG Flaw Is Published
• MS04-028 Proof of Concept Rumors; Beyond Patching
• Securiteam: Buffer Overrun in JPEG Processing (GDI+) Allows Code Execution (MS04-028)
• Securiteam: Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow (Detailed Analysis of MS04-028)
• Securiteam: Buffer Overrun in JPEG Processing Proof Of Concept (MS04-028)
• A Developer's View of the GDI+ Security Vulnerability
• MPSB04-07 - Macromedia Products Not Affected by Microsoft JPEG/GDIPlus Vulnerability
• k-otik: Windows JPEG Processing Buffer Overrun PoC Exploit (MS04-028)
• k-otik: Windows JPEG GDI+ Overflow Shellcoded Exploit (MS04-028)
• k-otik: Windows JPEG GDI+ Overflow Administrator Exploit (MS04-028)
• k-otik: Windows JPEG GDI+ Heap Overflow Remote Exploit (MS04-028)
• k-otik: Windows JPEG GDI+ All in One Remote Exploit (MS04-028)
• Bugtraq: NEW GDI+ JPEG Remote Exploit (JpegOfDeath.c v0.5)
• SANS - Internet Storm Center - Handler's Diary: MS04-028 PoCs and Exploits released
• SANS - Internet Storm Center - Handler's Diary: GDI Scanner Released
• SANS - Internet Storm Center - Handler's Diary: JPEG exploit toolkit , JPEG Hacktool, GDIScan Tool
• SANS - Internet Storm Center - Handler's Diary: GDI Vulnerabilities : An open letter to Microsoft
• SANS - Internet Storm Center - Handler's Diary: MS04-028 Public Exploit Attempts
• Scanner Tool Released To Thwart JPEG Attack
• Bugtraq: Microsoft's GDI Detetection Tool faults
• JPEG GDI+ Trojan Unleashed
• First JPEG Virus Posted To Usenet
• GDI Scan Tutorial and how to fix the GDI+ JPEG Vulnerability via SANS - Internet Security Center