[NT] Microsoft Office BMP Input Filter Heap Overflow Vulnerability (MS08-044)
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 13 Aug 2008 14:43:12 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Microsoft Office BMP Input Filter Heap Overflow Vulnerability (MS08-044)
------------------------------------------------------------------------
SUMMARY
Microsoft Office (<http://support.microsoft.com/?scid=kb;en-us;290362>)
contains a "number of import filters. These input filters allow
transparent conversion from external types into a form that the Office
applications can use". Remote exploitation of a heap buffer overflow
vulnerability in the "BMPIMP32.FLT" filter module, as distributed with
Microsoft Office, allows attackers to execute arbitrary code.
DETAILS
Vulnerable Systems:
* "BMPIMP32.FLT" module installed with Microsoft Office XP SP3, including
all patches as of May 24, 2006
The vulnerability specifically exists in the handling of Windows Bitmap
(BMP) image files with malformed headers. By specifying a very large
number of colors in the header, it is possible to cause controllable heap
corruption, which can be leveraged to execute arbitrary code.
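As an added illustration, not part of the advisory, the following Python checks a BMP header for the class of malformation described above: a colour count (biClrUsed) that is impossible for the image's bit depth, or a palette that cannot fit between the headers and the pixel data. Field layout follows the public BITMAPFILEHEADER/BITMAPINFOHEADER format; the two sample images are constructed here.

```python
import struct

FILE_HDR = "<2sIHHI"          # BITMAPFILEHEADER: bfType, bfSize, res1, res2, bfOffBits
INFO_HDR = "<IiiHHIIiiII"     # BITMAPINFOHEADER: biSize .. biClrUsed, biClrImportant
FILE_HDR_SIZE = struct.calcsize(FILE_HDR)   # 14
INFO_HDR_SIZE = struct.calcsize(INFO_HDR)   # 40
RGBQUAD = 4                                 # bytes per palette entry

def check_bmp_header(data: bytes) -> list:
    """Return findings for a BMP header; an empty list means the colour
    count is consistent with the bit depth and with the file layout."""
    findings = []
    if len(data) < FILE_HDR_SIZE + INFO_HDR_SIZE:
        return ["truncated: no room for file header + info header"]
    magic, _size, _, _, pixel_off = struct.unpack_from(FILE_HDR, data, 0)
    if magic != b"BM":
        findings.append("bad magic %r" % magic)
    (hdr_size, _w, _h, _planes, bpp, _comp, _img_size,
     _, _, clr_used, _) = struct.unpack_from(INFO_HDR, data, FILE_HDR_SIZE)
    if hdr_size < INFO_HDR_SIZE:
        findings.append("info header too small: %d" % hdr_size)
    # An indexed image can never use more than 2**bpp palette entries.
    if bpp in (1, 4, 8) and clr_used > (1 << bpp):
        findings.append("biClrUsed %d exceeds 2**%d" % (clr_used, bpp))
    # Whatever the depth, clr_used RGBQUADs must fit before the pixel data,
    # and the pixel data must start inside the file.
    palette_end = FILE_HDR_SIZE + hdr_size + clr_used * RGBQUAD
    if palette_end > pixel_off:
        findings.append("palette of %d entries overruns bfOffBits" % clr_used)
    if pixel_off > len(data):
        findings.append("bfOffBits points beyond end of file")
    return findings

def build_bmp(width, height, bpp, clr_used, palette, pixels):
    """Constructed helper: assemble a minimal BITMAPINFOHEADER-style BMP."""
    pixel_off = FILE_HDR_SIZE + INFO_HDR_SIZE + len(palette)
    info = struct.pack(INFO_HDR, INFO_HDR_SIZE, width, height, 1, bpp, 0,
                       len(pixels), 2835, 2835, clr_used, 0)
    body = info + palette + pixels
    return struct.pack(FILE_HDR, b"BM", FILE_HDR_SIZE + len(body), 0, 0,
                       pixel_off) + body

# Constructed 2x2, 8 bpp image with a 4-entry palette (rows padded to 4 bytes).
PALETTE = bytes(range(16))
PIXELS = b"\x00\x01\x00\x00" + b"\x02\x03\x00\x00"
GOOD = build_bmp(2, 2, 8, 4, PALETTE, PIXELS)
# Same bytes, but the header claims an absurd number of colours.
BAD = build_bmp(2, 2, 8, 0xFFFFFFFF, PALETTE, PIXELS)
```

Run `check_bmp_header` over inbound BMP attachments to flag files whose declared palette size is inconsistent before they reach a graphics filter.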
Analysis:
Exploitation could allow attackers to execute arbitrary code on the
targeted host under the security context of the currently logged-in user.
Successful exploitation would require the attacker to entice his or her
victim into opening a specially crafted BMP image with a vulnerable
version of Office.
Workaround:
This workaround replaces the affected filter with an empty file. Creating
this file prevents Office from offering to reinstall the affected
component.
1. Close all running applications.
2. Open the folder "C:\Program Files\Common Files\Microsoft
Shared\Grphflt".
3. Rename the file "BMPIMP32.FLT" to "BMPIMP.FLT.disabled".
4. Create an empty file in this directory with the name "BMPIMP32.FLT".
(Open Notepad, go to this directory and choose File, Save..., type
"BMPIMP32.FLT" including the quotes and click Save.)
In testing on Windows 2000 with Office XP SP3 installed, this workaround
did not adversely impact functionality. BMP format image files can still
be imported into Word, but the operations that can be performed on them
may be impacted.
Vendor response:
Microsoft has officially addressed this vulnerability with Security
Bulletin MS08-044. For more information, consult their bulletin at the
following URL:
http://www.microsoft.com/technet/security/bulletin/ms08-044.mspx
CVE Information:
CVE-2008-3020: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3020
Disclosure timeline:
09/11/2006 - Initial vendor notification
09/11/2006 - Initial vendor response
08/12/2008 - Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by iDefense Labs Security Advisories
(<mailto:idlabs-advisories@xxxxxxxxxxxx>).
The original article can be found at:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=736