Microsoft (Graphics Device Interface) GDI+ JPEG handler is reported prone to an integer underflow vulnerability when handling JPEG format images. This issue presents itself due to a lack of sufficient sanity checks performed on certain JPEG data before this data employed as a bounds value for a memory copy operation. A specially crafted JPEG image may trigger this vulnerability and result in the execution of arbitrary attacker-supplied code. Code execution would occur in the context of the user who is running the vulnerable software. Update: This issue is similar in nature to BID 1503, discovered by Solar Designer. An exploit that opens a command shell on the local vulnerable system as soon as the image is viewed has been released. Symantec has confirmed that this exploit code is functional. It is important to note that this exploit could potentially be modified to execute other code on the system. Administrators should remain vigilant and patch all vulnerable systems.
Do not accept or execute files from untrusted or unknown sources.
A remote attacker will need to present a JPEG file to a victim user in order to exploit this vulnerability. Avoid accepting or opening files that originate from a user of questionable integrity.
Do not follow links provided by unknown or untrusted sources.
A remote attacker may exploit this vulnerability through a remote Web site. Avoid following links that originate from a user of questionable integrity.
Run all software as a nonprivileged user with minimal access rights.
Run all applications with the minimum amount of privileges required to function adequately. This action can limit the impact of a successful attack.
Do not open email messages from unknown or untrusted individuals.
A remote attacker may exploit this vulnerability through email. Avoid accepting or opening unsolicited emails that originate from a user of questionable integrity.
Microsoft has released a security bulletin MS04-028 and fixes to address this issue in affected products. Additionally, the vendor reports that this issue is addressed in Microsoft Office 2003 Service Pack 1 for Office 2003, Microsoft Visio 2003 Service Pack 1 for Visio 2003 and Microsoft Project 2003 Service Pack 1 for Project 2003. The vendor also reports that customers that have installed MSN 9, and have chosen to install Picture It! Express version 9 and Picture It! Library, should install the Picture It! version 9 update. Customers are advised to access the referenced advisory for further information pertaining to obtaining and applying appropriate updates. Avaya has released an advisory that acknowledges this vulnerability for Avaya products. Customers are advised to apply the appropriate fix for Microsoft Internet Explorer to the affected Avaya Platforms. Please see the referenced Avaya advisory at the following location for further details: http://support.avaya.com/japple/css/japple?temp.groupID=128450&temp.selectedFamily=128451&temp.selectedProduct=154235&temp.selectedBucket=126655&temp.feedbackState=askForFeedback&temp.documentID=202196&PAGE=avaya.css.CSSLvl1Detail&executeTransaction=avaya.css.UsageUpdate() Microsoft has released a revision to their original advisory. Microsoft Office XP service pack 2 has been reported vulnerable to this issue. The update released for Office XP service pack 3 will patch this issue. Business Objects has issued fixes for Crystal Reports 9 and 10 and Crystal Enterprise 9 and 10. Microsoft has updated bulletin MS04-028 to include new fixes for Visual FoxPro 8.0, Visual FoxPro 8.0 Runtime Library, .NET Framework 1.0 Service Pack 2, and .NET Framework 1.1. Additionally, Windows Messenger 5.1 has been released containing a fixed version of the vulnerable library. Symantec products such as Norton SystemWorks, Norton Password Manager, and Symantec Norton Internet Security Professional do include the affected library but are not prone to this vulnerability since the library is not used to process JPEG images. Nonetheless, updated versions of the library may be obtained through LiveUpdate. Further details may be found in the attached "Symantec Completes Update of Microsoft's Graphic Device Interface Component" advisory.