Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Windows :: b06-3577.htm

Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution
SYMSA-2006-004 (Full Details): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution
SYMSA-2006-004 (Full Details): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution

Hash: SHA1=0D
		Symantec Vulnerability Research=0D 
			Security Advisory=0D
Advisory ID   : SYMSA-2006-004=0D
Advisory Title: Vulnerability in Graphics Rendering Engine Could=0D
		Allow Remote Code Execution=0D
Author : Peter Ferrie / 
Release Date  : 06-13-2006 (no details), 07-13-2006 (full details)=0D
Application   : Those which utilize the vulnerable function on=0D
		affected platforms=0D
Platform      : Windows 98, Windows 98 Second Edition, Windows=0D
		Millennium Edition=0D
Severity      : Remotely exploitable arbitrary code execution=0D
Vendor status : Vendor verified, patch available (See MS06-026=0D
		and KB918547)=0D
CVE Number    : CVE-2006-2376=0D
Reference : 
	A remote code execution vulnerability exists in the=0D
	Graphics Rendering Engine because of the way that it=0D
	handles Windows Metafile (WMF) images.=0D
	An attacker could exploit this by placing a specially=0D
	crafted WMF or EMF image on a webpage, or by sending=0D
	the image as an attachment in an e-mail.  The exploit=0D
	is triggered by viewing the specially crafted image=0D
	file.  No user interaction is required.=0D
	An attacker who successfully exploited this vulnerability=0D
	could take complete control of the affected system.=0D
	A heap overflow vulnerability exists in the WMF=0D
	PolyPolygon function, because of an unchecked user-=0D
	supplied parameter.=0D
	Specifically, an integer overflow can occur because=0D
	the sum of the entries in the vertex counts array is=0D
	added to the number of polygons, then multiplied by=0D
	six. This calculation is done without checking if the=0D
	result overflows a 32-bit integer.=0D
	The result is passed to a memory allocation routine,=0D
	which will allocate a small memory buffer when an integer=0D
	overflow occurs.  The allocated buffer will then be filled=0D
	by the vertex data, which exceeds the size of the buffer,=0D
	causing heap corruption.=0D
	The manner of the heap corruption is under user control,=0D
	which can result in the execution of arbitrary code.=0D
Vendor Response:=0D
	The above vulnerability was addressed for the affected=0D
	platforms via Microsoft Security Bulletin MS06-026. If=0D
	there are any further questions about this statement,=0D
please contact 
	Follow your organization's testing procedures before=0D
	applying patches or workarounds.  Customers should apply=0D
	Microsoft's update as soon as possible.=0D
Common Vulnerabilities and Exposures (CVE) Information:=0D
The Common Vulnerabilities and Exposures (CVE) project has assigned=0D
the following names to these issues.  These are candidates for=0D
inclusion in the CVE list (, which standardizes=0D 
names for security problems.=0D
- -------Symantec Vulnerability Research Advisory Information-------=0D
For questions about this advisory, or to report an error:=0D 
For details on Symantec's Vulnerability Reporting Policy:=0D 
Symantec Vulnerability Research Advisory Archive:=0D 
Symantec Vulnerability Research GPG Key:=0D 
- -------------Symantec Product Advisory Information-------------=0D
To Report a Security Vulnerability in a Symantec Product:=0D 
For general information on Symantec's Product Vulnerability=0D
reporting and response:=0D 
Symantec Product Advisory Archive:=0D 
Symantec Product Advisory PGP Key:=0D 
- ---------------------------------------------------------------=0D
Copyright (c) 2006 by Symantec Corp.=0D
Permission to redistribute this alert electronically is granted=0D
as long as it is not edited in any way unless authorized by=0D
Symantec Consulting Services. Reprinting the whole or part of=0D
this alert in any medium other than electronically requires=0D
permission from 
The information in the advisory is believed to be accurate at the=0D
time of publishing based on currently available information. Use=0D
of the information constitutes acceptance for use in an AS IS=0D
condition. There are no warranties with regard to this information.=0D
Neither the author nor the publisher accepts any liability for any=0D
direct, indirect, or consequential loss or damage arising from use=0D
of, or reliance on, this information.=0D
Symantec, Symantec products, and Symantec Consulting Services are=0D
registered trademarks of Symantec Corp. and/or affiliated companies=0D
in the United States and other countries. All other registered and=0D
unregistered trademarks represented in this document are the sole=0D
property of their respective companies/owners.=0D
Version: GnuPG v1.4.0 (Cygwin)=0D

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH