
Microsoft GDI+ Library JPEG Segment Length Integer Underflow Vulnerability

Risk
High

Date Discovered
09-14-2004

Description
The Microsoft GDI+ (Graphics Device Interface) JPEG handler is reported prone to an integer underflow vulnerability when handling JPEG format images. This issue presents itself due to a lack of sufficient sanity checks performed on certain JPEG data before this data is employed as a bounds value for a memory copy operation.

A specially crafted JPEG image may trigger this vulnerability and result in the execution of arbitrary attacker-supplied code. Code execution would occur in the context of the user who is running the vulnerable software.

Update: This issue is similar in nature to BID 1503, discovered by Solar Designer.
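
The following is an added illustration, not code from this advisory or from Microsoft: a C checker that performs the kind of sanity check the description says was missing, validating each segment length before it could be used to size a copy. It relies on the JPEG format rule that a segment's 16-bit length field counts its own two bytes; the function name, result codes and sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes (names are assumptions made for this example). */
enum { JPEG_OK = 0, JPEG_NOT_JPEG = -1, JPEG_BAD_LENGTH = -2, JPEG_TRUNCATED = -3 };

/* Walk the marker segments of a JPEG header and validate each declared
 * segment length BEFORE it is used as a bound. The 16-bit big-endian
 * length field counts its own two bytes, so the payload size is len - 2;
 * a declared length of 0 or 1 makes that subtraction wrap around in
 * unsigned arithmetic and yields a huge copy size. */
int check_jpeg_segments(const uint8_t *buf, size_t n)
{
    if (n < 2 || buf[0] != 0xFF || buf[1] != 0xD8)      /* SOI */
        return JPEG_NOT_JPEG;
    size_t pos = 2;
    while (pos + 2 <= n) {
        if (buf[pos] != 0xFF) return JPEG_NOT_JPEG;
        uint8_t marker = buf[pos + 1];
        if (marker == 0xFF) { pos++; continue; }        /* fill byte */
        pos += 2;
        if (marker == 0xD9) return JPEG_OK;             /* EOI */
        /* Standalone markers (TEM, RST0-RST7) carry no length field. */
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD7)) continue;
        if (n - pos < 2) return JPEG_TRUNCATED;         /* no room for length */
        size_t len = ((size_t)buf[pos] << 8) | buf[pos + 1];
        if (len < 2) return JPEG_BAD_LENGTH;            /* len - 2 would underflow */
        if (len > n - pos) return JPEG_TRUNCATED;       /* payload runs past input */
        if (marker == 0xDA) return JPEG_OK;             /* SOS: scan data follows */
        pos += len;
    }
    return JPEG_TRUNCATED;
}

/* Constructed samples: SOI, one APP0 (0xFFE0) segment, EOI. */
static const uint8_t sample_ok[]   = {0xFF,0xD8, 0xFF,0xE0, 0x00,0x04, 'h','i', 0xFF,0xD9};
static const uint8_t sample_bad[]  = {0xFF,0xD8, 0xFF,0xE0, 0x00,0x01, 0xFF,0xD9};
static const uint8_t sample_long[] = {0xFF,0xD8, 0xFF,0xE0, 0x00,0x10, 'J','F', 0xFF,0xD9};

int main(void)
{
    printf("well-formed:      %d\n", check_jpeg_segments(sample_ok, sizeof sample_ok));
    printf("length below 2:   %d\n", check_jpeg_segments(sample_bad, sizeof sample_bad));
    printf("length past end:  %d\n", check_jpeg_segments(sample_long, sizeof sample_long));
    return 0;
}
```
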

Symantec AntiVirus Products
A heuristic detection has been released to detect possible exploits of this vulnerability. Symantec AntiVirus products will detect files that contain code to exploit this vulnerability as Bloodhound.Exploit.13.

Symantec ManHunt 3.0
As of September 25, 2004, users of Symantec ManHunt 3.0 can update to Security Update 28 to detect attempts to exploit this vulnerability.

Symantec Network Security 7100
As of September 25, 2004, users of Symantec Network Security 7100 can update to Security Update 2 to detect attempts to exploit this vulnerability. This update is available via LiveUpdate.

Symantec Enterprise Security Manager Network Assessment Module
Symantec Enterprise Security Manager Network Assessment Module detects and reports this vulnerability. Click here for the advisory released January 18, 2006.

Platforms Affected
Microsoft Excel 2002 SP3
Microsoft Excel 2003
Microsoft FrontPage 2002 SP3
Microsoft FrontPage 2003
Microsoft InfoPath 2003
Microsoft MSN Messenger Service 9.0
Microsoft OneNote 2003
Microsoft Outlook 2002 SP3
Microsoft Outlook 2003
Microsoft PowerPoint 2002 SP3
Microsoft PowerPoint 2003
Microsoft Publisher 2002 SP3
Microsoft Publisher 2003
Microsoft Visual Basic .NET Standard 2002
Microsoft Visual Basic .NET Standard 2003
Microsoft Visual C# .NET Standard 2002
Microsoft Visual C# .NET Standard 2003
Microsoft Visual C++ .NET Standard 2002
Microsoft Visual C++ .NET Standard 2003
Microsoft Visual J# .NET Standard 2003
Microsoft Word 2002 SP3
Microsoft Word 2003

Components Affected
Avaya DefinityOne Media Servers
Avaya IP600 Media Servers
Avaya S3400 Modular Messaging
Avaya S8100 Media Servers
Microsoft .NET Framework 1.0 SP2
Microsoft .NET Framework 1.1
Microsoft .NET Framework SDK 1.0 SP2
Microsoft .NET Framework SDK 1.0 SP1
Microsoft .NET Framework SDK 1.0
Microsoft Digital Image Pro 7.0
Microsoft Digital Image Pro 9.0
Microsoft Digital Image Suite 9.0
Microsoft Greetings 2002
Microsoft Internet Explorer 6.0 SP1
Microsoft Office 2003
Microsoft Office XP SP3
Microsoft Picture It! 7.0
Microsoft Picture It! 9.0
Microsoft Picture It! 2002
Microsoft Picture It! Library
Microsoft Platform SDK Redistributable: GDI+
Microsoft Producer for Microsoft Office PowerPoint
Microsoft Project 2002 SP1
Microsoft Project 2002
Microsoft Project 2003
Microsoft Visio 2002 Professional SP2
Microsoft Visio 2002 Standard SP2
Microsoft Visio 2003 Professional
Microsoft Visio 2003 Standard
Microsoft Visual Studio .NET 2002
Microsoft Visual Studio .NET 2003
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Datacenter Edition 64-bit
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Enterprise Edition 64-bit
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows XP 64-bit Edition
Microsoft Windows XP 64-bit Edition Version 2003
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional

Recommendations
Do not accept or execute files from untrusted or unknown sources.
A remote attacker will need to present a JPEG file to a victim user in order to exploit this vulnerability. Avoid accepting or opening files that originate from a user of questionable integrity.

Do not follow links provided by unknown or untrusted sources.
A remote attacker may exploit this vulnerability through a remote Web site. Avoid following links that originate from a user of questionable integrity.

Run all software as a non-privileged user with minimal access rights.
Run all applications with the minimum amount of privileges required to function adequately. This action can limit the impact of a successful attack.

Do not open email messages from unknown or untrusted individuals.
A remote attacker may exploit this vulnerability through email. Avoid accepting or opening unsolicited emails that originate from a user of questionable integrity.

Microsoft has released a security bulletin MS04-028 and fixes to address this issue in affected products. Additionally, the vendor reports that this issue is addressed in Microsoft Office 2003 Service Pack 1 for Office 2003, Microsoft Visio 2003 Service Pack 1 for Visio 2003 and Microsoft Project 2003 Service Pack 1 for Project 2003.

The vendor also reports that customers that have installed MSN 9, and have chosen to install Picture It! Express version 9 and Picture It! Library, should install the Picture It! version 9 update.

Customers are advised to access the referenced advisory for further information pertaining to obtaining and applying appropriate updates.

It should be noted that not all of the fixes to address this vulnerability are available at the time of writing. These fixes will be added later once they are available.

Avaya has released an advisory that acknowledges this vulnerability for Avaya products. Customers are advised to apply the appropriate fix for Microsoft Internet Explorer to the affected Avaya Platforms. Please see the referenced Avaya advisory for further details.


Avaya DefinityOne Media Servers :
Avaya IP600 Media Servers :
Avaya S3400 Modular Messaging :
Avaya S8100 Media Servers :
Microsoft .NET Framework 1.0 SP2:
Microsoft .NET Framework 1.1:

Microsoft Service Pack .NET Framework 1.1 Service Pack 1
http://www.microsoft.com/downloads/details.aspx?familyid=A8F5654F-088E-40B2-BBDB-A83353618B38&displaylang=en

Microsoft .NET Framework SDK 1.0 SP2:
Microsoft Service Pack .NET Framework 1.0 Service Pack 3
http://www.microsoft.com/downloads/details.aspx?familyid=6978D761-4A92-4106-A9BC-83E78D4ABC5B&displaylang=en

Microsoft .NET Framework SDK 1.0 SP1:
Microsoft Service Pack .NET Framework 1.0 Service Pack 3
http://www.microsoft.com/downloads/details.aspx?familyid=6978D761-4A92-4106-A9BC-83E78D4ABC5B&displaylang=en

Microsoft .NET Framework SDK 1.0:
Microsoft Service Pack .NET Framework 1.0 Service Pack 3
http://www.microsoft.com/downloads/details.aspx?familyid=6978D761-4A92-4106-A9BC-83E78D4ABC5B&displaylang=en

Microsoft Digital Image Pro 7.0:
Microsoft Patch Picture It! and Digital Image Security Update - Also includes Greetings 2002
http://www.microsoft.com/downloads/details.aspx?FamilyId=235EBC80-564B-4B52-A344-502E25AAD7FE&displaylang=en

Microsoft Digital Image Pro 9.0:
Microsoft Patch Picture It! and Digital Image Security Update - Also includes Greetings 2002
http://www.microsoft.com/downloads/details.aspx?FamilyId=235EBC80-564B-4B52-A344-502E25AAD7FE&displaylang=en

Microsoft Digital Image Suite 9.0:
Microsoft Patch Picture It! and Digital Image Security Update - Also includes Greetings 2002
http://www.microsoft.com/downloads/details.aspx?FamilyId=235EBC80-564B-4B52-A344-502E25AAD7FE&displaylang=en

Microsoft Greetings 2002 :
Microsoft Patch Picture It! and Digital Image Security Update - Also includes Greetings 2002
http://www.microsoft.com/downloads/details.aspx?FamilyId=235EBC80-564B-4B52-A344-502E25AAD7FE&displaylang=en

Microsoft Internet Explorer 6.0 SP1:
Microsoft Patch Security Update for Internet Explorer 6 Service Pack 1: KB833989
http://www.microsoft.com/downloads/details.aspx?FamilyId=B0095851-674D-4357-868C-DD75D88405EC&displaylang=en

Microsoft Office 2003 :
Microsoft Upgrade Office 2003 Service Pack 1
http://www.microsoft.com/downloads/details.aspx?FamilyId=9C51D3A6-7CB1-4F61-837E-5F938254FC47&displaylang=en
Microsoft Upgrade Office 2003 Security Update: KB838905
http://www.microsoft.com/downloads/details.aspx?FamilyId=106BCF99-1BA9-4035-94C5-2A7FA90E5971&displaylang=en

Microsoft Office XP SP3:
Microsoft Upgrade Office XP Security Update: KB832332
http://www.microsoft.com/downloads/details.aspx?FamilyId=7D128614-6D34-49DF-8D63-6C17E9A2D312&displaylang=en

Microsoft Picture It! 7.0:
Microsoft Patch Picture It! and Digital Image Security Update - Also includes Greetings 2002
http://www.microsoft.com/downloads/details.aspx?FamilyId=235EBC80-564B-4B52-A344-502E25AAD7FE&displaylang=en

Microsoft Picture It! 9.0:
Microsoft Patch Picture It! and Digital Image Security Update - Also includes Greetings 2002
http://www.microsoft.com/downloads/details.aspx?FamilyId=235EBC80-564B-4B52-A344-502E25AAD7FE&displaylang=en

Microsoft Picture It! 2002 :
Microsoft Patch Picture It! and Digital Image Security Update - Also includes Greetings 2002
http://www.microsoft.com/downloads/details.aspx?FamilyId=235EBC80-564B-4B52-A344-502E25AAD7FE&displaylang=en

Microsoft Picture It! Library :
Microsoft Patch Picture It! and Digital Image Security Update - Also includes Greetings 2002
http://www.microsoft.com/downloads/details.aspx?FamilyId=235EBC80-564B-4B52-A344-502E25AAD7FE&displaylang=en

Microsoft Platform SDK Redistributable: GDI+ :
Microsoft Patch Platform SDK Redistributable: GDI+
http://download.microsoft.com/download/a/b/c/abc45517-97a0-4cee-a362-1957be2f24e1/gdiplus_dnld.exe

Microsoft Producer for Microsoft Office PowerPoint :
Microsoft Patch Producer for Microsoft Office PowerPoint 2003
http://www.microsoft.com/downloads/details.aspx?FamilyID=1b3c76d5-fc75-4f99-94bc-784919468e73&DisplayLang=en

Microsoft Project 2002 SP1:
Microsoft Upgrade Project 2002 Security Update: KB831931
http://www.microsoft.com/downloads/details.aspx?FamilyId=B3EBCCEA-B0E4-41C7-A6F4-413864D2CCF3&displaylang=en

Microsoft Project 2002 :
Microsoft Project 2003 :
Microsoft Upgrade Project 2003 Service Pack 1
http://www.microsoft.com/downloads/details.aspx?FamilyId=1B04C073-E58F-4F42-B76D-6B565A45CDC3&displaylang=en
Microsoft Upgrade Project 2003 Security Update: KB838344
http://www.microsoft.com/downloads/details.aspx?FamilyId=9E37B6B0-A028-47EA-8FA1-3705877A2908&displaylang=en

Microsoft Visio 2002 Professional SP2:
Microsoft Upgrade Visio 2002 Security Update: KB831932
http://www.microsoft.com/downloads/details.aspx?FamilyId=16C2DFFD-7B73-43C4-AB0D-2B5EFC80EB63&displaylang=en

Microsoft Visio 2002 Standard SP2:
Microsoft Upgrade Visio 2002 Security Update: KB831932
http://www.microsoft.com/downloads/details.aspx?FamilyId=16C2DFFD-7B73-43C4-AB0D-2B5EFC80EB63&displaylang=en

Microsoft Visio 2003 Professional :
Microsoft Upgrade Visio 2003 Security Update: KB838345
http://www.microsoft.com/downloads/details.aspx?FamilyId=C07D40A5-6F87-4D50-9640-34FFD2F189E1&displaylang=en

Microsoft Visio 2003 Standard :
Microsoft Upgrade Visio 2003 Security Update: KB838345
http://www.microsoft.com/downloads/details.aspx?FamilyId=C07D40A5-6F87-4D50-9640-34FFD2F189E1&displaylang=en

Microsoft Visual Studio .NET 2002 :
Microsoft Upgrade Visual Studio .NET 2002 GDIPLUS.DLL Security Update
http://www.microsoft.com/downloads/details.aspx?FamilyId=44004D19-B22F-4AF2-A701-1FCB0467FBF9&displaylang=en

Microsoft Visual Studio .NET 2003 :
Microsoft Upgrade Visual Studio .NET 2003 GDIPLUS.DLL Security Update
http://www.microsoft.com/downloads/details.aspx?FamilyId=A13B7A21-463C-4286-AD68-E692417E80E2&displaylang=en

Microsoft Windows Server 2003 Datacenter Edition :
Microsoft Patch Security Update for Windows Server 2003 (KB833987)
http://download.microsoft.com/download/e/5/9/e5901f37-e33b-433c-9beb-9f58428c93de/WindowsServer2003-KB833987-x86-ENU.EXE

Microsoft Windows Server 2003 Datacenter Edition 64-bit :
Microsoft Patch Security Update for Windows Server 2003 64-bit Ed. and Windows XP 64-bit Ed, Version 2003 (KB833987)
http://download.microsoft.com/download/6/2/8/6281e7a8-5c5b-4c5d-bcd4-9a29f5211dfe/WindowsServer2003-KB833987-IA64-ENU.EXE

Microsoft Windows Server 2003 Enterprise Edition :
Microsoft Patch Security Update for Windows Server 2003 (KB833987)
http://download.microsoft.com/download/e/5/9/e5901f37-e33b-433c-9beb-9f58428c93de/WindowsServer2003-KB833987-x86-ENU.EXE

Microsoft Windows Server 2003 Enterprise Edition 64-bit :
Microsoft Patch Security Update for Windows Server 2003 64-bit Ed. and Windows XP 64-bit Ed, Version 2003 (KB833987)
http://download.microsoft.com/download/6/2/8/6281e7a8-5c5b-4c5d-bcd4-9a29f5211dfe/WindowsServer2003-KB833987-IA64-ENU.EXE

Microsoft Windows Server 2003 Standard Edition :
Microsoft Patch Security Update for Windows Server 2003 (KB833987)
http://download.microsoft.com/download/e/5/9/e5901f37-e33b-433c-9beb-9f58428c93de/WindowsServer2003-KB833987-x86-ENU.EXE

Microsoft Windows Server 2003 Web Edition :
Microsoft Patch Security Update for Windows Server 2003 (KB833987)
http://download.microsoft.com/download/e/5/9/e5901f37-e33b-433c-9beb-9f58428c93de/WindowsServer2003-KB833987-x86-ENU.EXE

Microsoft Windows XP 64-bit Edition SP1:
Microsoft Patch Security Update for Windows XP 64-bit Edition (KB833987)
http://download.microsoft.com/download/1/d/c/1dc38e9f-0fc7-4cf9-8cec-6b1246aca884/WindowsXP-KB833987-ia64-ENU.EXE

Microsoft Windows XP 64-bit Edition :
Microsoft Patch Security Update for Windows XP 64-bit Edition (KB833987)
http://download.microsoft.com/download/1/d/c/1dc38e9f-0fc7-4cf9-8cec-6b1246aca884/WindowsXP-KB833987-ia64-ENU.EXE

Microsoft Windows XP 64-bit Edition Version 2003 :
Microsoft Patch Security Update for Windows Server 2003 64-bit Ed. and Windows XP 64-bit Ed, Version 2003 (KB833987)
http://download.microsoft.com/download/6/2/8/6281e7a8-5c5b-4c5d-bcd4-9a29f5211dfe/WindowsServer2003-KB833987-IA64-ENU.EXE

Microsoft Windows XP Home SP1:
Microsoft Patch Security Update for Windows XP (KB833987)
http://download.microsoft.com/download/a/a/d/aadac1be-dc9d-49a6-945c-778409909bcc/WindowsXP-KB833987-x86-ENU.EXE

Microsoft Windows XP Home :
Microsoft Patch Security Update for Windows XP (KB833987)
http://download.microsoft.com/download/a/a/d/aadac1be-dc9d-49a6-945c-778409909bcc/WindowsXP-KB833987-x86-ENU.EXE

Microsoft Windows XP Professional SP1:
Microsoft Patch Security Update for Windows XP (KB833987)
http://download.microsoft.com/download/a/a/d/aadac1be-dc9d-49a6-945c-778409909bcc/WindowsXP-KB833987-x86-ENU.EXE

Microsoft Windows XP Professional :
Microsoft Patch Security Update for Windows XP (KB833987)
http://download.microsoft.com/download/a/a/d/aadac1be-dc9d-49a6-945c-778409909bcc/WindowsXP-KB833987-x86-ENU.EXE

References
Source: CERT TA04-260A Microsoft Windows JPEG component buffer overflow
URL: http://online.securityfocus.com/advisories/7211

Source: Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow
URL: msg://bugtraq/414770A2.9030603@verizon.net

Source: Microsoft Security Bulletin MS04-028
URL: http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx

Source: Netscape Communicator JPEG-Comment Heap Overwrite Vulnerability
URL: http://www.securityfocus.com/bid/1503

Source: RE: old netscape vuln - affecting XP/explorer?
URL: http://www.securityfocus.com/archive/82/290856

Credits
This issue was discovered by Cassidy Macfarlane and later independently rediscovered by Nick Debaggis. The issue is similar in nature to BID 1503, discovered by Solar Designer.


Copyright (c) 2004 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from symsecurity@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and SymSecurity are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.