Signature Detail

HTTP: EMF GDIplus GpFont.SetData Integer Overflow

This signature detects attempts to exploit a known vulnerability against the Microsoft EMF file format parser. Attackers can craft a malicious emf file, which if a user downloads, allows the attacker to execute arbitrary code in the context of the user.

Extended Description

Microsoft GDI+ is prone to a stack-based buffer-overflow vulnerability that occurs when an application that uses the library tries to process a specially crafted EMF (Enhanced Metafile) image file. Successfully exploiting this issue causes applications using the affected library to crash. Due to the nature of this issue, attackers may be able to execute arbitrary code in the context of the currently logged-in user; this has not been confirmed. NOTE (March 25, 2009): Further investigation reveals that this issue is in fact a new issue and has been assigned its own BID. Information that was added on March 24, 2009 to BID 31019 ('Microsoft GDI+ EMF Image Processing Memory Corruption Vulnerability') is now provided in this BID. UPDATE (March 26, 2009): Further analysis indicates that successful exploits will not likely result in remote code execution; the impact for this issue has been adjusted accordingly.

Affected Products

• Microsoft windows_xp
• Microsoft windows_xp_gold
• Microsoft windows_xp_home SP1
• Microsoft windows_xp_home SP2
• Microsoft windows_xp_home SP3
• Microsoft windows_xp_home
• Microsoft windows_xp_media_center_edition SP1
• Microsoft windows_xp_media_center_edition SP2
• Microsoft windows_xp_media_center_edition SP3
• Microsoft windows_xp_media_center_edition
• Microsoft windows_xp_professional SP1
• Microsoft windows_xp_professional SP2
• Microsoft windows_xp_professional SP3
• Microsoft windows_xp_professional

References

• BugTraq: 34250
• CVE: CVE-2009-1217