[NT] Microsoft Office BMP Input Filter Heap Overflow Vulnerability (MS08-044)



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Microsoft Office BMP Input Filter Heap Overflow Vulnerability (MS08-044)
------------------------------------------------------------------------


SUMMARY

Microsoft Office (http://support.microsoft.com/?scid=kb;en-us;290362)
contains a "number of import filters. These input filters allow
transparent conversion from external types into a form that the Office
applications can use". Remote exploitation of a heap buffer overflow
vulnerability in the "BMPIMP32.FLT" filter module, as distributed with
Microsoft Office, allows attackers to execute arbitrary code.

DETAILS

Vulnerable Systems:
* "BMPIMP32.FLT" module installed with Microsoft Office XP SP3, including
all patches as of May 24, 2006

The vulnerability specifically exists in the handling of Windows Bitmap
(BMP) image files with malformed headers. By specifying a very large
number of colors in the header (the palette-entry count, biClrUsed in the
BITMAPINFOHEADER), it is possible to cause controllable heap corruption,
which can be leveraged to execute arbitrary code.
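The failure mode described above, as an added illustration that is not part of the advisory and is not the code of BMPIMP32.FLT: a small C model of a BMP palette reader. The field names (biBitCount, biClrUsed, bfOffBits) come from the BMP file format; the two sample files are constructed inline; the naive sizing routine and the checked reader are assumptions about how an import filter might size its palette buffer, shown side by side, not a description of Microsoft's implementation.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FILE_HDR 14   /* BITMAPFILEHEADER */
#define INFO_HDR 40   /* BITMAPINFOHEADER */
#define MAX_PAL  256  /* 8 bpp is the deepest indexed mode, so at most 256 palette entries */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

struct bmp_info {
    uint32_t info_size;  /* biSize */
    uint16_t bit_count;  /* biBitCount */
    uint32_t clr_used;   /* biClrUsed: palette entries in the file, 0 means 2^biBitCount */
    uint32_t pixel_off;  /* bfOffBits */
};

static int read_info(const uint8_t *b, size_t len, struct bmp_info *bi)
{
    if (len < FILE_HDR + INFO_HDR || b[0] != 'B' || b[1] != 'M') return -1;
    bi->pixel_off = rd32(b + 10);
    bi->info_size = rd32(b + 14);
    bi->bit_count = rd16(b + 28);
    bi->clr_used  = rd32(b + 46);
    return 0;
}

/* Unsafe pattern (assumed, for illustration): size the palette copy from biClrUsed
 * alone. Returns the byte count such a parser would copy; *wrapped32 receives the
 * same product as a 32-bit size computation would see it. */
static uint64_t naive_palette_bytes(const struct bmp_info *bi, uint32_t *wrapped32)
{
    uint32_t entries = bi->clr_used ? bi->clr_used : (1u << bi->bit_count);
    *wrapped32 = entries * 4u;
    return (uint64_t)entries * 4u;
}

/* Checked reader: entries bounded by bit depth, by the file length, and by the
 * pixel-data offset. Returns 0 and sets *n on success, -1 on an inconsistent header. */
static int read_palette_checked(const uint8_t *b, size_t len, const struct bmp_info *bi,
                                uint32_t pal[MAX_PAL], uint32_t *n)
{
    if (bi->bit_count == 0 || bi->bit_count > 8) return -1;            /* only indexed modes here */
    uint32_t max = 1u << bi->bit_count;
    uint32_t entries = bi->clr_used ? bi->clr_used : max;
    if (entries > max) return -1;                                       /* more colours than the depth can index */
    if (bi->info_size < INFO_HDR || (uint64_t)FILE_HDR + bi->info_size > len) return -1;
    size_t pal_off = FILE_HDR + bi->info_size;
    if ((uint64_t)entries * 4 > len - pal_off) return -1;               /* palette runs off the end of the file */
    if ((uint64_t)pal_off + entries * 4 > bi->pixel_off) return -1;     /* palette overlaps pixel data */
    for (uint32_t i = 0; i < entries; i++) pal[i] = rd32(b + pal_off + 4 * i);
    *n = entries;
    return 0;
}

/* Constructed sample: a 1x1 image with `present` palette entries actually written
 * and biClrUsed set to `claimed`. Returns the total length, 0 if cap is too small. */
static size_t make_bmp(uint8_t *b, size_t cap, uint16_t bpp, uint32_t claimed, uint32_t present)
{
    size_t pal_off = FILE_HDR + INFO_HDR, pix_off = pal_off + (size_t)present * 4, total = pix_off + 4;
    if (total > cap) return 0;
    memset(b, 0, total);
    b[0] = 'B'; b[1] = 'M';
    wr32(b + 2, (uint32_t)total); wr32(b + 10, (uint32_t)pix_off);
    wr32(b + 14, INFO_HDR); wr32(b + 18, 1); wr32(b + 22, 1);           /* 1x1 pixels */
    wr16(b + 26, 1); wr16(b + 28, bpp);
    wr32(b + 34, 4); wr32(b + 46, claimed); wr32(b + 50, claimed);
    for (uint32_t i = 0; i < present; i++) wr32(b + pal_off + 4 * i, 0x00101010u * (i + 1));
    return total;
}

/* Benign file: 8 bpp, 2 colours claimed and present. Returns the entry count the
 * checked reader accepted, or -1 if it refused. */
int demo_benign(void)
{
    uint8_t b[128]; uint32_t pal[MAX_PAL], n; struct bmp_info bi;
    size_t len = make_bmp(b, sizeof b, 8, 2, 2);
    if (!len || read_info(b, len, &bi) || read_palette_checked(b, len, &bi, pal, &n)) return -1;
    return pal[1] == 0x202020u ? (int)n : -1;
}

struct malformed_result { uint64_t naive_bytes; uint32_t wrapped32; int rejected; };

/* Malformed file: the same 2-entry palette on disk, but biClrUsed claims 2^30 colours. */
struct malformed_result demo_malformed(void)
{
    struct malformed_result r = { 0, 0, 1 };
    uint8_t b[128]; uint32_t pal[MAX_PAL], n; struct bmp_info bi;
    size_t len = make_bmp(b, sizeof b, 8, 0x40000000u, 2);
    if (!len || read_info(b, len, &bi)) return r;
    r.rejected = read_palette_checked(b, len, &bi, pal, &n) != 0;
    r.naive_bytes = naive_palette_bytes(&bi, &r.wrapped32);
    return r;
}

int main(void)
{
    struct malformed_result r = demo_malformed();
    printf("benign: %d palette entries accepted\n", demo_benign());
    printf("malformed: naive copy of %llu bytes into a %d-byte palette (32-bit product %u); checked reader %s\n",
           (unsigned long long)r.naive_bytes, MAX_PAL * 4, r.wrapped32, r.rejected ? "rejected it" : "ACCEPTED it");
    return 0;
}
```

The two checks that matter are the bound against 2^biBitCount (the file cannot legitimately index more colours than its pixel depth allows) and the bound against the bytes actually present before bfOffBits; the 32-bit product wrapping to 0 shows why a length check must be done in a wider type or before multiplication.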

Analysis:
Exploitation could allow attackers to execute arbitrary code on the
targeted host in the security context of the currently logged-in user.
Successful exploitation would require the attacker to entice the victim
into opening a specially crafted BMP image with a vulnerable version of
Office.

Workaround:
This workaround replaces the affected filter with an empty file. Creating
the empty file prevents Office from offering to reinstall the affected
component.
1. Close all running applications.
2. Open the folder "C:\Program Files\Common Files\Microsoft
Shared\Grphflt".
3. Rename the file "BMPIMP32.FLT" to "BMPIMP32.FLT.disabled".
4. Create an empty file in this directory with the name "BMPIMP32.FLT".
(Open Notepad, go to this directory, choose File, Save..., type
"BMPIMP32.FLT" including the quotes so that Notepad does not append a
".txt" extension, and click Save.)

In testing on Windows 2000 with Office XP SP3 installed, this workaround
did not adversely impact functionality. BMP format image files can still
be imported into Word, but the operations that can be performed on them
may be impacted.

Vendor response:
Microsoft has officially addressed this vulnerability with Security
Bulletin MS08-044. For more information, consult their bulletin at the
following URL:
http://www.microsoft.com/technet/security/bulletin/ms08-044.mspx

CVE Information:
CVE-2008-3020
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3020

Disclosure timeline:
09/11/2006 - Initial vendor notification
09/11/2006 - Initial vendor response
08/12/2008 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense Labs Security Advisories
(idlabs-advisories@xxxxxxxxxxxx).
The original article can be found at:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=736


