Signature Detail

HTTP: EMF GDIplus GpFont.SetData Integer Overflow

This signature detects attempts to exploit a known vulnerability against the Microsoft EMF file format parser. Attackers can craft a malicious emf file, which if a user downloads, allows the attacker to execute arbitrary code in the context of the user.

Extended Description

Microsoft GDI+ is prone to a stack-based buffer-overflow vulnerability that occurs when an application that uses the library tries to process a specially crafted EMF (Enhanced Metafile) image file. Successfully exploiting this issue causes applications using the affected library to crash. Due to the nature of this issue, attackers may be able to execute arbitrary code in the context of the currently logged-in user; this has not been confirmed. NOTE (March 25, 2009): Further investigation reveals that this issue is in fact a new issue and has been assigned its own BID. Information that was added on March 24, 2009 to BID 31019 ('Microsoft GDI+ EMF Image Processing Memory Corruption Vulnerability') is now provided in this BID. UPDATE (March 26, 2009): Further analysis indicates that successful exploits will not likely result in remote code execution; the impact for this issue has been adjusted accordingly.

Affected Products

• Microsoft Windows XP
• Microsoft Windows XP Gold
• Microsoft Windows XP Home SP1
• Microsoft Windows XP Home SP2
• Microsoft Windows XP Home SP3
• Microsoft Windows XP Home
• Microsoft Windows XP Media Center Edition SP1
• Microsoft Windows XP Media Center Edition SP2
• Microsoft Windows XP Media Center Edition SP3
• Microsoft Windows XP Media Center Edition
• Microsoft Windows XP Professional SP1
• Microsoft Windows XP Professional SP2
• Microsoft Windows XP Professional SP3
• Microsoft Windows XP Professional

References

• BugTraq: 34250
• CVE: CVE-2009-1217