Aggregator
Microsoft Update, reboots, and the network
August 2008 security release
Is Japan safe? - Security Intelligence Report Vol4
One-point security tip for June
June 2008 security release
May 2008 security release schedule
Recent web defacements, SQL injection, and the like
VB100% Award received
Microsoft Windows JPEG component buffer overflow
This vulnerability affects the following
Microsoft Windows operating systems by default:
- Microsoft Windows XP and Microsoft Windows XP Service Pack 1
- Microsoft Windows XP 64-Bit Edition Service Pack 1
- Microsoft Windows XP 64-Bit Edition Version 2003
- Microsoft Windows Server 2003
- Microsoft Windows Server 2003 64-Bit Edition
Other Microsoft Windows operating systems, including systems running
Microsoft Windows XP Service Pack 2, are not affected by default. However,
this vulnerability may affect all versions of the Microsoft Windows
operating systems if an application or update installs a vulnerable
version of the gdiplus.dll file onto the system.
Please note that this vulnerability affects any software that uses the
Microsoft Windows operating system or Microsoft's GDI+ library to render
JPEG graphics. Please see the Systems Affected
section of the vulnerability note to determine if third-party software
is affected. A list of affected Microsoft products is available in Appendix B, or for the complete list of affected and
non-affected Microsoft products, please see Microsoft Security
Bulletin MS04-028.
Microsoft's Graphic Device Interface Plus (GDI+) contains a
vulnerability in the processing of JPEG images. This vulnerability may
allow attackers to remotely execute arbitrary code on the affected
system. Exploitation may occur as the result of viewing a malicious web
site, reading an HTML-rendered email message, or opening a crafted JPEG
image in any vulnerable application. The privileges gained by a remote
attacker depend on the software component being attacked.
Microsoft Security Bulletin MS04-028
describes a remotely exploitable buffer overflow vulnerability in
Microsoft's Graphic Device Interface Plus (GDI+) JPEG processing
component. Attackers can exploit this vulnerability by convincing a victim user to
visit a malicious web site, read an HTML-rendered email message, or
otherwise view a crafted JPEG image with a vulnerable application. No user
intervention is required beyond viewing an attacker-supplied JPEG
image.
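As an added illustration, not code from the advisory or from Microsoft, the C below shows the parsing pattern behind this bug class. A JPEG file is a sequence of marker segments, each carrying a 16-bit big-endian length that counts its own two bytes, so the smallest legal value is 2. Parsing code that computes `length - 2` in unsigned arithmetic without checking that bound turns a declared length of 0 or 1 into a payload size near 4 GB, and the copy that follows overflows its heap buffer. The advisory does not describe the root cause at this level; that MS04-028 was triggered by exactly such an undersized COM (0xFFFE) segment length is widely documented but is background here, not something the page states. The function names, the sample byte strings and the 32-bit width of the unchecked arithmetic are this example's own choices.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the advisory or from Microsoft.
   Segment layout: 0xFF, marker byte, 16-bit big-endian length (includes
   its own two bytes, so legal minimum is 2), then payload. */

enum { JPEG_OK = 0, JPEG_ERR_NO_SOI, JPEG_ERR_BAD_LENGTH, JPEG_ERR_TRUNCATED };

/* The unchecked arithmetic in isolation: the size a vulnerable parser hands
   to its copy routine.  32-bit unsigned is an assumption matching the
   era's Windows builds; a declared length of 0 or 1 wraps to ~4 GB. */
uint32_t unchecked_payload_len(uint16_t declared_len)
{
    return (uint32_t)declared_len - 2u;
}

/* Hardened walk: every length is checked against the format rule (>= 2)
   and against the bytes actually remaining before anything is copied.
   Counts segments between SOI and EOI, stopping at SOS where the
   entropy-coded scan data begins. */
int validate_jpeg_segments(const uint8_t *buf, size_t n, size_t *segments)
{
    size_t pos = 2, count = 0;
    if (n < 2 || buf[0] != 0xFF || buf[1] != 0xD8) return JPEG_ERR_NO_SOI;
    while (pos + 2 <= n) {
        uint8_t marker;
        if (buf[pos] != 0xFF) return JPEG_ERR_TRUNCATED;
        marker = buf[pos + 1];
        if (marker == 0xFF) { pos += 1; continue; }                 /* fill byte */
        if (marker == 0xD9) { *segments = count; return JPEG_OK; }  /* EOI */
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD8)) { /* no length field */
            pos += 2;
            continue;
        }
        if (pos + 4 > n) return JPEG_ERR_TRUNCATED;
        uint16_t declared = (uint16_t)((buf[pos + 2] << 8) | buf[pos + 3]);
        if (declared < 2) return JPEG_ERR_BAD_LENGTH;      /* the check the vulnerable code lacked */
        size_t payload = (size_t)declared - 2;
        if (payload > n - (pos + 4)) return JPEG_ERR_TRUNCATED; /* length runs past the file */
        count++;
        if (marker == 0xDA) { *segments = count; return JPEG_OK; }  /* SOS: scan data follows */
        pos += 4 + payload;
    }
    return JPEG_ERR_TRUNCATED;  /* input ended before EOI */
}

/* Convenience wrappers returning plain values. */
int jpeg_check(const uint8_t *buf, size_t n)
{
    size_t s = 0;
    return validate_jpeg_segments(buf, n, &s);
}

long jpeg_segment_count(const uint8_t *buf, size_t n)
{
    size_t s = 0;
    return validate_jpeg_segments(buf, n, &s) == JPEG_OK ? (long)s : -1L;
}

/* Constructed sample inputs, not files from the advisory. */
static const uint8_t GOOD_JPEG[]      = { 0xFF,0xD8, 0xFF,0xFE,0x00,0x05,'a','b','c', 0xFF,0xD9 }; /* COM, length 5 */
static const uint8_t SHORT_COM_JPEG[] = { 0xFF,0xD8, 0xFF,0xFE,0x00,0x01, 0xFF,0xD9 };             /* COM, length 1 */
static const uint8_t OVERLONG_JPEG[]  = { 0xFF,0xD8, 0xFF,0xFE,0x10,0x00, 'a' };                   /* claims 4096 bytes */

int main(void)
{
    printf("well-formed:        rc=%d segments=%ld\n", jpeg_check(GOOD_JPEG, sizeof GOOD_JPEG),
           jpeg_segment_count(GOOD_JPEG, sizeof GOOD_JPEG));
    printf("length 1 COM:       rc=%d\n", jpeg_check(SHORT_COM_JPEG, sizeof SHORT_COM_JPEG));
    printf("overlong segment:   rc=%d\n", jpeg_check(OVERLONG_JPEG, sizeof OVERLONG_JPEG));
    printf("unchecked len-2 for declared 0: 0x%08x\n", unchecked_payload_len(0));
    return 0;
}
```

`unchecked_payload_len` shows only the arithmetic; `validate_jpeg_segments` is the form a renderer needs, rejecting the undersized length before any allocation or copy and also rejecting a length that overruns the input, which is the other half of the same check.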
Any applications (Microsoft or third-party) that use the GDI+ library
to render JPEG images may present additional attack vectors for this
vulnerability. While some applications use the Windows operating system
version of the GDI+ library, other applications may install and use
another version, which may also be vulnerable. Microsoft has created a
GDI+ Detection Tool to help detect products that may contain a vulnerable
version of the JPEG parsing component. Microsoft Knowledge Base
Article 873374 provides instructions on how to download and use this
tool.
In addition to running Microsoft's detection utility, we recommend
searching your system for "gdiplus.dll" to help determine what
third-party applications may be affected by this vulnerability. Also note
that re-installing an application after the patch has been applied may put
a vulnerable copy of the GDI+ library back on the system.
We are tracking this vulnerability in Vulnerability
Note VU#297462. This reference number corresponds to CVE candidate CAN-2004-0200.
Remote attackers exploiting the vulnerability described above may
execute arbitrary code with the privileges of the user running the
software components being attacked.
Apply the appropriate patches as specified in Microsoft Security
Bulletin MS04-028.
Please note that this bulletin provides several updates to the operating
system and various applications that rely on GDI+ to render JPEG images.
Depending on your system's configuration, you may need to install multiple
patches.
In addition to releasing some patches on Windows Update, Microsoft
has released some patches on Office Update, and
developer tool patches are available from MS04-028.
Third-party software that relies on GDI+ to render JPEG images may
also need to be updated. Apply the appropriate patches specified by
your vendor. Please see your vendor's site and the Systems Affected
section of the vulnerability note for more information. Depending on
your system's configuration, you may need to install multiple patches.
Microsoft provides several workarounds for this vulnerability.
Note that these workarounds do not remove the vulnerability from the
system, and they will limit functionality. Please consult the "Workarounds
for JPEG Vulnerability - CAN-2004-0200" section of Microsoft Security
Bulletin MS04-028.
- Microsoft Security Bulletin MS04-028 - http://microsoft.com/technet/security/bulletin/MS04-028.asp
- Microsoft End User Security Bulletin for MS04-028 - http://www.microsoft.com/security/bulletins/200409_jpeg.mspx
- US-CERT Vulnerability Note VU#297462 - http://www.kb.cert.org/vuls/id/297462
- Microsoft KB Article 873374 - http://support.microsoft.com/?id=873374
- CVE CAN-2004-0200 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0200
The following Microsoft Products are affected:
- Microsoft Office XP Service Pack 3
- Microsoft Office XP Service Pack 2
- Microsoft Office XP Software:
- Outlook 2002
- Word 2002
- Excel 2002
- PowerPoint 2002
- FrontPage 2002
- Publisher 2002
- Microsoft Office 2003
- Microsoft Office 2003 Software:
- Outlook 2003
- Word 2003
- Excel 2003
- PowerPoint 2003
- FrontPage 2003
- Publisher 2003
- InfoPath 2003
- OneNote 2003
- Microsoft Project 2002 Service Pack 1 (all versions)
- Microsoft Project 2003 (all versions)
- Microsoft Visio 2002 Service Pack 2 (all versions)
- Microsoft Visio 2003 (all versions)
- Microsoft Visual Studio .NET 2002
- Microsoft Visual Studio .NET 2002 Software:
- Visual Basic .NET Standard 2002
- Visual C# .NET Standard 2002
- Visual C++ .NET Standard 2002
- Microsoft Visual Studio .NET 2003
- Microsoft Visual Studio .NET 2003 Software:
- Visual Basic .NET Standard 2003
- Visual C# .NET Standard 2003
- Visual C++ .NET Standard 2003
- Visual J# .NET Standard 2003
- The Microsoft .NET Framework version 1.0 SDK Service Pack 2
- Microsoft Picture It! 2002 (all versions)
- Microsoft Greetings 2002
- Microsoft Picture It! version 7.0 (all versions)
- Microsoft Digital Image Pro version 7.0
- Microsoft Picture It! version 9 (all versions, including Picture It! Library)
- Microsoft Digital Image Pro version 9
- Microsoft Digital Image Suite version 9
- Microsoft Producer for Microsoft Office PowerPoint (all versions)
- Microsoft Platform SDK Redistributable: GDI+
- Internet Explorer 6 Service Pack 1
- The Microsoft .NET Framework version 1.0 Service Pack 2
- The Microsoft .NET Framework version 1.1
Feedback can be directed to the US-CERT Technical Staff.
Revision History
- Sept 16, 2004: Initial release
Vulnerability in Microsoft Image Processing Component
- Applications that process JPEG images on Microsoft Windows, including but not limited to:
- Internet Explorer
- Microsoft Office
- Microsoft Visual Studio
- Picture It!
- Applications from other vendors besides Microsoft
An attacker may be able to gain control of your computer by taking
advantage of the way some programs process the JPEG image format.
Microsoft has issued updates to address the problem. Obtain the
appropriate update from Windows Update and from Office Update.
Note: You may need to install multiple patches depending what
software you have on your computer.
Never open unexpected email attachments. Before opening an attachment,
save it to a disk and scan it with anti-virus software. Make sure to
turn off the option to automatically download attachments.
Email programs like Outlook and Outlook Express interpret HTML code
the same way that Internet Explorer does. Attackers may be able to
take advantage of that by sending malicious HTML-formatted email
messages.
It is important that you use anti-virus software and keep it up to
date. Most anti-virus software vendors frequently release updated
information, tools, or virus databases to help detect and recover from
virus infections. Many anti-virus packages support automatic updates
of virus definitions. US-CERT recommends using these automatic updates
when possible.
Microsoft Windows Graphics Device Interface (GDI+) is used to display information on screens
and printers, including JPEG image files. An attacker could execute arbitrary code on a
vulnerable system if the user opens a malicious JPEG file via applications such as a web
browser, email program, or internet chat program, or via an email attachment. Any application
that uses GDI+ to process JPEG image files is vulnerable to this type of attack. This
vulnerability also affects products from companies other than Microsoft.
- September 2004 Security Update for JPEG Processing (GDI+) - <http://www.microsoft.com/security/bulletins/200409_jpeg.mspx>
- US-CERT Vulnerability Note VU#297462 - <http://www.kb.cert.org/vuls/id/297462>
Author: Mindi McDowell. Feedback can be directed to US-CERT.
Copyright 2004 Carnegie Mellon University.
Revision History
- September 14, 2004: Initial release
Vulnerabilities in MIT Kerberos 5
- MIT Kerberos 5 versions prior to krb5-1.3.5
- Applications that use versions of MIT Kerberos 5 libraries prior to krb5-1.3.5
- Applications that contain code derived from MIT Kerberos 5
Updated vendor information is available in the systems affected section of the individual vulnerability notes.
Overview
The MIT Kerberos 5 implementation contains several vulnerabilities, the most severe of which could allow an unauthenticated, remote attacker to execute arbitrary code on a Kerberos Key Distribution Center (KDC). This could result in the compromise of an entire Kerberos realm.
Description
There are several vulnerabilities in the MIT implementation of the Kerberos 5 protocol. With one exception (VU#550464), all of the vulnerabilities involve insecure deallocation of heap memory (double-free vulnerabilities) during error handling and Abstract Syntax Notation One (ASN.1) decoding. For further details, please see the following vulnerability notes:
VU#795632 - MIT Kerberos 5 ASN.1 decoding functions insecurely deallocate memory (double-free)
The MIT Kerberos 5 library does not securely deallocate heap memory when decoding ASN.1 structures, resulting in double-free vulnerabilities. An unauthenticated, remote attacker could execute arbitrary code on a KDC server, which could compromise an entire Kerberos realm. An attacker may also be able to execute arbitrary code on Kerberos clients, or cause a denial of service on KDCs or clients.
(Other resources: MITKRB5-SA-2004-002, CAN-2004-0642)
VU#866472 - MIT Kerberos 5 ASN.1 decoding function krb5_rd_cred() insecurely deallocates memory (double-free)
The krb5_rd_cred() function in the MIT Kerberos 5 library does not securely deallocate heap memory when decoding ASN.1 structures, resulting in a double-free vulnerability. A remote, authenticated attacker could execute arbitrary code or cause a denial of service on any system running an application that calls krb5_rd_cred(). This includes Kerberos application servers and other applications that process Kerberos authentication via the MIT Kerberos 5 library, Generic Security Services Application Programming Interface (GSSAPI), and other libraries.
(Other resources: MITKRB5-SA-2004-002, CAN-2004-0643)
VU#350792 - MIT Kerberos krb524d insecurely deallocates memory (double-free)
The MIT Kerberos krb524d daemon does not securely deallocate heap memory when handling an error condition, resulting in a double-free vulnerability. An unauthenticated, remote attacker could execute arbitrary code on a system running krb524d, which in many cases is also a KDC. The compromise of a KDC system can lead to the compromise of an entire Kerberos realm. An attacker may also be able to cause a denial of service on a system running krb524d.
(Other resources: MITKRB5-SA-2004-002, CAN-2004-0772)
VU#550464 - MIT Kerberos 5 ASN.1 decoding function asn1buf_skiptail() does not properly terminate loop
The asn1buf_skiptail() function in the MIT Kerberos 5 library does not properly terminate a loop, allowing an unauthenticated, remote attacker to cause a denial of service in a KDC, application server, or Kerberos client.
(Other resources: MITKRB5-SA-2004-003, CAN-2004-0644)
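The double-free pattern the advisory describes, as an added example in C that is not MIT Kerberos code: a toy DER decoder for one OCTET STRING whose error path releases the object it was building while the caller still holds the pointer and later frees it again, beside a version that hands ownership to the caller only on success. A small bump allocator with per-allocation release counts, an assumption of this example, makes the second free observable as a counter rather than as undefined behaviour; the function names, the struct and the sample byte strings are likewise this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not MIT code.  Instrumented allocator (an assumption of
   this example): a bump arena that records how often each block is released,
   so a double free shows up as a count instead of heap corruption. */
#define MAX_ALLOCS 16
static uint8_t g_arena[1024];
static size_t  g_arena_used;
static void   *g_ptrs[MAX_ALLOCS];
static int     g_releases[MAX_ALLOCS];
static int     g_nallocs;
static int     g_double_frees;

static void heap_reset(void) { g_arena_used = 0; g_nallocs = 0; g_double_frees = 0; }

static void *h_alloc(size_t n)
{
    size_t rounded = (n + 15) & ~(size_t)15;
    if (g_nallocs >= MAX_ALLOCS || g_arena_used + rounded > sizeof g_arena) return NULL;
    void *p = g_arena + g_arena_used;
    g_arena_used += rounded;
    g_ptrs[g_nallocs] = p;
    g_releases[g_nallocs] = 0;
    g_nallocs++;
    return p;
}

static void h_free(void *p)
{
    if (!p) return;
    for (int i = 0; i < g_nallocs; i++)
        if (g_ptrs[i] == p) { if (++g_releases[i] > 1) g_double_frees++; return; }
}

/* Toy decoder for a single DER OCTET STRING: tag 0x04, short-form length, bytes. */
typedef struct { uint8_t *data; size_t len; } octets_t;
typedef int (*decoder_fn)(const uint8_t *, size_t, octets_t **);

/* Bug pattern: the partially built object is published through *out before
   validation, then freed on the error path while *out still points at it. */
static int decode_octets_buggy(const uint8_t *in, size_t n, octets_t **out)
{
    octets_t *o = h_alloc(sizeof *o);
    if (!o) return -1;
    o->data = NULL; o->len = 0;
    *out = o;                                    /* caller now holds o as well */
    if (n < 2 || in[0] != 0x04 || (size_t)in[1] + 2 > n) {
        h_free(o);                               /* BUG: freed here, *out left dangling */
        return -1;
    }
    o->len = in[1];
    o->data = h_alloc(o->len);
    if (!o->data) { h_free(o); return -1; }      /* same bug on the second error path */
    memcpy(o->data, in + 2, o->len);
    return 0;
}

/* Fixed: validate first, free only what this function still owns on failure,
   and pass ownership to the caller only once the object is complete. */
static int decode_octets_fixed(const uint8_t *in, size_t n, octets_t **out)
{
    *out = NULL;                                 /* caller has nothing to free on any failure */
    if (n < 2 || in[0] != 0x04 || (size_t)in[1] + 2 > n) return -1;
    octets_t *o = h_alloc(sizeof *o);
    if (!o) return -1;
    o->len = in[1];
    o->data = h_alloc(o->len);
    if (!o->data) { h_free(o); return -1; }      /* *out is untouched, so no second free */
    memcpy(o->data, in + 2, o->len);
    *out = o;
    return 0;
}

/* Caller-side cleanup as an application server would do after a failed call:
   release whatever the decoder handed back.  Returns the double frees observed. */
static int double_frees_after(decoder_fn decode, const uint8_t *in, size_t n)
{
    heap_reset();
    octets_t *o = NULL;
    (void)decode(in, n, &o);
    if (o) { h_free(o->data); h_free(o); }
    return g_double_frees;
}

static long decoded_len(decoder_fn decode, const uint8_t *in, size_t n)
{
    heap_reset();
    octets_t *o = NULL;
    if (decode(in, n, &o) != 0) return -1;
    long len = (long)o->len;
    h_free(o->data); h_free(o);
    return len;
}

/* Constructed inputs: a well-formed OCTET STRING and one whose length byte overruns the buffer. */
static const uint8_t GOOD_DER[] = { 0x04, 0x03, 'k', 'r', 'b' };
static const uint8_t BAD_DER[]  = { 0x04, 0x10, 'k', 'r' };

int main(void)
{
    printf("buggy decoder, malformed input: %d double free(s)\n",
           double_frees_after(decode_octets_buggy, BAD_DER, sizeof BAD_DER));
    printf("fixed decoder, malformed input: %d double free(s)\n",
           double_frees_after(decode_octets_fixed, BAD_DER, sizeof BAD_DER));
    printf("fixed decoder, good input: %ld bytes decoded\n",
           decoded_len(decode_octets_fixed, GOOD_DER, sizeof GOOD_DER));
    return 0;
}
```

The fix is an ownership rule rather than a single extra line: an output pointer is written only when the object is complete, and an error path frees only what the function itself still owns. With a real allocator the buggy version's second release is exactly the heap-metadata corruption the advisory warns can lead to code execution on a KDC.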
The impacts of these vulnerabilities vary, but an attacker may be able to execute arbitrary code on KDCs, systems running krb524d (typically also KDCs), application servers, applications that use Kerberos libraries directly or via GSSAPI, and Kerberos clients. An attacker could also cause a denial of service on any of these systems.
The most severe vulnerabilities could allow an unauthenticated, remote attacker to execute arbitrary code on a KDC system. This could result in the compromise of both the KDC and an entire Kerberos realm.
Solution
Apply a patch or upgrade
Check with your vendor(s) for patches or updates. For information about a specific vendor, please see the systems affected sections in the individual vulnerability notes or contact your vendor directly.
Alternatively, apply the appropriate source code patch(es) referenced in MITKRB5-SA-2004-002 and MITKRB5-SA-2004-003 and recompile.
These vulnerabilities will be addressed in krb5-1.3.5.
- Vulnerability Note VU#795632 - http://www.kb.cert.org/vuls/id/795632
- Vulnerability Note VU#866472 - http://www.kb.cert.org/vuls/id/866472
- Vulnerability Note VU#350792 - http://www.kb.cert.org/vuls/id/350792
- Vulnerability Note VU#550464 - http://www.kb.cert.org/vuls/id/550464
- MIT krb5 Security Advisory 2004-002 - http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-002-dblfree.txt
- MIT krb5 Security Advisory 2004-003 - http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-003-asn1.txt
- Kerberos: The Network Authentication Protocol - http://web.mit.edu/kerberos/www/
Thanks to Tom Yu and the MIT Kerberos Development team for addressing these vulnerabilities and coordinating with vendors. MIT credits the following people: Will Fiveash, Joseph Galbraith, John Hawkinson, Marc Horowitz, and Nico Williams.
Revision History
- September 3, 2004: Initial release
Multiple Vulnerabilities in Oracle Products
The following Oracle applications are affected:
- Oracle Database 10g Release 1, version 10.1.0.2
- Oracle9i Database Server Release 2, versions 9.2.0.4 and 9.2.0.5
- Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5 and 9.0.4
- Oracle8i Database Server Release 3, version 8.1.7.4
- Oracle Enterprise Manager Grid Control 10g, version 10.1.0.2
- Oracle Enterprise Manager Database Control 10g, version 10.1.0.2
- Oracle Application Server 10g (9.0.4), versions 9.0.4.0 and 9.0.4.1
- Oracle9i Application Server Release 2, versions 9.0.2.3 and 9.0.3.1
- Oracle9i Application Server Release 1, version 1.0.2.2
Oracle's Collaboration Suite and E-Business Suite 11i contain some of the
vulnerable components and are also affected.
According to Oracle, the following product releases and versions, and
all future releases and versions are not affected:
- Oracle Database 10g Release 1, version 10.1.0.3
- Oracle Enterprise Manager Grid Control 10g, version 10.1.0.3 (not yet available)
- Oracle Application Server 10g (9.0.4), version 9.0.4.2 (not yet available)
Several vulnerabilities exist in the Oracle Database Server, Application
Server, and Enterprise Manager software. The most serious vulnerabilities
could allow a remote attacker to execute arbitrary code on an affected
system. Oracle's Collaboration Suite and E-Business Suite 11i contain the
vulnerable software and are affected as well.
Several vulnerabilities have been reported in Oracle's Database Server,
Application Server, and Enterprise Manager software. According to reports,
several buffer overflow, format string, SQL injection and other types of
vulnerabilities were discovered and reported to Oracle.
Oracle has released Oracle
Security Alert #68 (pdf) to address these vulnerabilities.
We are tracking them as follows:
VU#170830 - Oracle Enterprise Manager contains several vulnerabilities
VU#316206 - Oracle Database Server contains several vulnerabilities
VU#435974 - Oracle Application Server contains several vulnerabilities
As more information becomes available, we will update these
vulnerability notes as appropriate.
The impacts of the vulnerabilities described above are unclear.
According to credible reports, the impacts of these vulnerabilities
range from the remote, unauthenticated execution of arbitrary code to data
corruption or leakage.
Apply the appropriate patch or upgrade as specified in the Oracle
Security Alert #68 (pdf).
Organizations that use Oracle's Collaboration Suite or E-Business Suite
11i should see Oracle
Security Alert #68 (pdf) for remediation instructions.
- Oracle Security Alert #68 (pdf) - http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf
- US-CERT Vulnerability Note VU#316206 - http://www.kb.cert.org/vuls/id/316206
- US-CERT Vulnerability Note VU#435974 - http://www.kb.cert.org/vuls/id/435974
- US-CERT Vulnerability Note VU#170830 - http://www.kb.cert.org/vuls/id/170830
US-CERT thanks all the parties involved in researching and reporting these
vulnerabilities. Specifically, Oracle credits the following people for discovering
these issues: Cesar Cerrudo, Pete Finnigan, Jonathan Gennick, Alexander
Kornbrust of Red Database Security, Stephen Kost of Integrigy, David
Litchfield of NGSS Limited, Matt Moore of PenTest Limited, Aaron Newman of
Application Security Inc., Andy Rees of QinetiQ, and Christian Schaller of
Siemens CERT.
Feedback can be directed to the author: Jason A. Rafail.
Revision History
- Sep 1, 2004: Initial release
- Sep 3, 2004: Updated Credits