=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2009/VULN413
_____________________________________________________________________

DATE                      : 14/10/2009

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Microsoft Windows GDI+.

======================================================================
KB957488
http://www.microsoft.com/technet/security/bulletin/ms09-062.mspx
______________________________________________________________________

Microsoft Security Bulletin MS09-062 - Critical

Vulnerabilities in GDI+ Could Allow Remote Code Execution (957488)

Version: 1.0

General Information

Executive Summary

  This security update resolves several privately reported vulnerabilities in
  Microsoft Windows GDI+. These vulnerabilities could allow remote code
  execution if a user viewed a specially crafted image file using affected
  software or browsed a Web site that contains specially crafted content. Users
  whose accounts are configured to have fewer user rights on the system could
  be less impacted than users who operate with administrative user rights.

  This security update is rated Critical for all supported editions of Windows
  XP and Windows Server 2003; Windows Vista and Windows Vista Service Pack 1;
  Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1;
  Windows Server 2008 for 32-bit Systems, Windows Server 2008 for x64-based
  Systems, and Windows Server 2008 for Itanium-based Systems; Microsoft
  Internet Explorer 6 Service Pack 1 when installed on Microsoft Windows 2000
  Service Pack 4, SQL Server 2000 Reporting Services Service Pack 2, all
  supported editions of SQL Server 2005, Microsoft Report Viewer 2005 Service
  Pack 1 Redistributable Package, Microsoft Report Viewer 2008 Redistributable
  Package, and Microsoft Report Viewer 2008 Redistributable Package Service
  Pack 1.

  This security update is rated Important for all supported editions of
  Microsoft .NET Framework 1.1 and Microsoft .NET Framework 2.0 on Microsoft
  Windows 2000; Microsoft Office XP; Microsoft Office 2003; all affected Office
  Viewer software for Microsoft Office 2003; 2007 Microsoft Office System; all
  affected Office Viewer software for 2007 Microsoft Office System; Microsoft
  Office Compatibility Pack, Microsoft Expression Web, Microsoft Expression Web
  2, Microsoft Office Groove 2007 and Microsoft Office Groove 2007 Service Pack
  1; Microsoft Office Project 2002; Microsoft Office Visio 2002; Microsoft
  Works 8.5; and Microsoft Forefront Client Security 1.0.

  The security update addresses the vulnerabilities by introducing proper data
  validations within GDI+ when rendering WMF images, modifying the way that
  GDI+ manages a heap buffer when reading a PNG file, modifying the way that
  GDI+ allocates a buffer used when reading TIFF files, This update modifies
  the way that GDI+ manages buffers when certain .NET API calls are made,
  modifying the way that GDI+ calculates the required size of a buffer while
  parsing a PNG image, and modifying the way that Microsoft Office opens
  specially crafted files.

  Recommendation. Microsoft recommends that customers apply the update
  immediately.

  Known Issues. Microsoft Knowledge Base Article 957488 documents the currently
  known issues that customers may experience when installing this security
  update. The article also documents recommended solutions for these issues.

Affected Software:

  Microsoft Windows 2000 Service Pack 4: Microsoft Internet Explorer 6 Service
  Pack 1, Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework
  2.0 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2

  Windows XP Service Pack 2 and Windows XP Service Pack 3

  Windows XP Professional x64 Edition Service Pack 2

  Windows Server 2003 Service Pack 2

  Windows Server 2003 x64 Edition Service Pack 2

  Windows Server 2003 with SP2 for Itanium-based Systems

  Windows Vista and Windows Vista Service Pack 1

  Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1

  Windows Server 2008 for 32-bit Systems (Windows Server 2008 Server Core
  installation not affected)

  Windows Server 2008 for x64-based Systems (Windows Server 2008 Server Core
  installation not affected)

  Windows Server 2008 for Itanium-based Systems

  Microsoft Office XP Service Pack 3

  Microsoft Office 2003 Service Pack 3

  2007 Microsoft Office System Service Pack 1 and 2007 Microsoft Office System
  Service Pack 2

  Microsoft Office Visio 2002 Service Pack 2

  Microsoft Office Project 2002 Service Pack 1

  Microsoft Office Word Viewer, Microsoft Word Viewer 2003, Microsoft Word
  Viewer 2003 Service Pack 3, Microsoft Office Excel Viewer 2003, and Microsoft
  Office Excel Viewer 2003 Service Pack 3

  Microsoft Office Excel Viewer, PowerPoint Viewer 2007, and PowerPoint Viewer
  2007 Service Pack 1

  PowerPoint Viewer 2007 Service Pack 2

  Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File
  Formats Service Pack 1

  Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File
  Formats Service Pack 2

  Microsoft Expression Web and Microsoft Expression Web 2

  Microsoft Office Groove 2007 and Microsoft Office Groove 2007 Service Pack 1

  Microsoft Works 8.5

  SQL Server 2000 Reporting Services Service Pack 2

  SQL Server 2005 Service Pack 2

  SQL Server 2005 x64 Edition Service Pack 2

  SQL Server 2005 for Itanium-based Systems Service Pack 2

  SQL Server 2005 Service Pack 3

  SQL Server 2005 x64 Edition Service Pack 3

  SQL Server 2005 for Itanium-based Systems Service Pack 3

  Microsoft Visual Studio .NET 2003 Service Pack 1

  Microsoft Visual Studio 2005 Service Pack 1

  Microsoft Visual Studio 2008

  Microsoft Visual Studio 2008 Service Pack 1

  Microsoft Visual FoxPro 8.0 Service Pack 1 when installed on Microsoft
  Windows 2000 Service Pack 4

  Microsoft Visual FoxPro 9.0 Service Pack 2 when installed on Microsoft
  Windows 2000 Service Pack 4

  Microsoft Report Viewer 2005 Service Pack 1 Redistributable Package

  Microsoft Report Viewer 2008 Redistributable Package

  Microsoft Report Viewer 2008 Redistributable Package Service Pack 1

  Microsoft Platform SDK Redistributable: GDI+

  Microsoft Forefront Client Security 1.0 when installed on Microsoft Windows
  2000 Service Pack 4

Vulnerability Information

GDI+ WMF Integer Overflow Vulnerability - CVE-2009-2500

  A remote code execution vulnerability exists in the way that GDI+ allocates
  buffer size when handling WMF image files. The vulnerability could allow
  remote code execution if a user opens a specially crafted WMF image file or
  browses to a Web site that contains specially crafted content. An attacker
  who successfully exploited this vulnerability could take complete control of
  an affected system. An attacker could then install programs; view, change, or
  delete data; or create new accounts with full user rights. Users whose
  accounts are configured to have fewer user rights on the system could be less
  impacted than users who operate with administrative user rights.

GDI+ PNG Heap Overflow Vulnerability - CVE-2009-2501

   A remote code execution vulnerability exists in the way that GDI+ allocates
   memory. The vulnerability could allow remote code execution if a user opens
   a specially crafted PNG image file. An attacker who successfully exploited
   this vulnerability could take complete control of an affected system. An
   attacker could then install programs; view, change, or delete data; or
   create new accounts with full user rights. Users whose accounts are
   configured to have fewer user rights on the system could be less impacted
   than users who operate with administrative user rights.

GDI+ TIFF Buffer Overflow Vulnerability - CVE-2009-2502

   A remote code execution vulnerability exists in the way that GDI+ allocates
   memory. The vulnerability could allow remote code execution if a user opens
   a specially crafted TIFF file. An attacker who successfully exploited this
   vulnerability could take complete control of an affected system. An attacker
   could then install programs; view, change, or delete data; or create new
   accounts with full user rights. Users whose accounts are configured to have
   fewer user rights on the system could be less impacted than users who operate
   with administrative user rights.

GDI+ TIFF Memory Corruption Vulnerability - CVE-2009-2503

   A remote code execution vulnerability exists in the way that GDI+ allocates
   memory. The vulnerability could allow remote code execution if a user opens
   a specially crafted TIFF file. An attacker who successfully exploited this
   vulnerability could take complete control of an affected system. An attacker
   could then install programs; view, change, or delete data; or create new
   accounts with full user rights. Users whose accounts are configured to have
   fewer user rights on the system could be less impacted than users who operate
   with administrative user rights.

GDI+ .NET API Vulnerability - CVE-2009-2504

   A remote code execution vulnerability exists in GDI+ that can allow a
   malicious Microsoft .NET application to gain unmanaged code execution
   privileges.. Microsoft .NET applications that are not malicious are not at
   risk for being compromised because of this vulnerability.

GDI+ PNG Integer Overflow Vulnerability - CVE-2009-3126

   A remote code execution vulnerability exists in the way that GDI+ allocates
   memory. The vulnerability could allow remote code execution if a user opens a
   specially crafted PNG image file. An attacker who successfully exploited this
   vulnerability could take complete control of an affected system. An attacker
   could then install programs; view, change, or delete data; or create new
   accounts with full user rights. Users whose accounts are configured to have
   fewer user rights on the system could be less impacted than users who operate
   with administrative user rights.

Memory Corruption Vulnerability - CVE-2009-2528

   A remote code execution vulnerability exists in Microsoft Office that could
   allow remote code execution if a user opens a specially crafted Office file
   that includes a malformed object. An attacker who successfully exploited this
   vulnerability could take complete control of an affected system. An attacker
   could then install programs; view, change, or delete data; or create new
   accounts with full user rights.

Office BMP Integer Overflow Vulnerability - CVE-2009-2518

   A remote code execution vulnerability exists in the way that Microsoft Office
   handles specially crafted Office Documents containing BMP images. The
   vulnerability could allow remote code execution if an Outlook user opens a
   specially crafted e-mail or opens an Office Document with a malformed Bitmap
   file. Users whose accounts are configured to have fewer user rights on the
   system could be less impacted than users who operate with administrative user rights.


======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================