[NT] Microsoft Windows Color Management Module Heap Buffer Overflow Vulnerability (MS08-046)
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 13 Aug 2008 08:02:27 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
- - - - - - - - -
Microsoft Windows Color Management Module Heap Buffer Overflow
Microsoft Windows <http://www.microsoft.com/whdc/archive/icmwp.mspx>
Color Management Module provides "consistent color mappings between
different devices and applications. It is also used to transform colors
between color spaces". Remote exploitation of a heap-based buffer overflow
vulnerability in multiple versions of Microsoft Corp.'s Windows operating
system allows an attacker to execute arbitrary code with the privileges of
the current user.
* Windows 2000 Service Pack 4
* Windows XP Service Pack 2
* Windows Server 2003 Service Pack 1
* Windows Server 2003 Service Pack 2
* Windows Vista
* Windows Vista Service Pack 1
* Windows Server 2008
This vulnerability specifically exists in the InternalOpenColorProfile
function in mscms.dll. When a malformed parameter is supplied, a
heap-based buffer overflow can occur, resulting in an exploitable
Exploitation allows an attacker to execute arbitrary code with the
privileges of the current user. Exploitation would require convincing a
targeted user to view a malicious image file either hosted on a Web
server, on local file system or embedded in an-email or Office documents,
or through some form of social engineering.
This vulnerability also can be triggered through e-mail. If the e-mail
client can automatically display images embedded in the e-mail, the user
only needs to open the e-mail to trigger the vulnerability. Currently an
EMF file is used as test attack vector. Outlook and Outlook Express will
automatically display EMF image and trigger the vulnerability. Lotus Notes
and Thunderbird do not display EMF images in e-mail directly, but the
vulnerability still can be triggered when opening or viewing the EMF
In order to prevent exploitation of this vulnerability, turn off metafile
processing by modifying the registry. Under the registry key,
NT\CurrentVersion\GRE_Initialize" create a DWORD entry "DisableMetaFiles"
and set it to 1.
Keep in mind that this only blocks the attack vector through Windows
metafiles. It may be possible to exploit this vulnerability through other
Note: Modifying the registry does not affect processes that are already
running, so you may need to log off and log on again or restart the
computer after making the change.
Implementing this workaround may cause components relying on metafile
processing, such as printing, to misbehave.
Viewing e-mail in plain text format mitigates e-mail-based attack.
Microsoft has officially addressed this vulnerability with Security
Bulletin MS08-046. For more information, consult their bulletin at the
04/10/2008 - Initial vendor notification
04/16/2008 - Initial vendor response
08/12/2008 - Coordinated public disclosure
The information has been provided by
<mailto:idlabs-advisories@xxxxxxxxxxxx> iDefense Labs Security Advisories.
The original article can be found at:
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [UNIX] Solaris snoop SMB Multiple Vulnerabilities
- Next by Date: [NT] Microsoft Excel FORMAT Record Invalid Array Index Vulnerability (MS08-044)
- Previous by thread: [UNIX] Solaris snoop SMB Multiple Vulnerabilities
- Next by thread: [NT] Microsoft Excel FORMAT Record Invalid Array Index Vulnerability (MS08-044)