iDefense Security Advisory 08.12.08
Aug 12, 2008
Microsoft Windows Color Management Module provides consistent color
mappings between different devices and applications. It is also used to
transform colors between color spaces. For more information about
Windows Color Management, visit the following URL.
Remote exploitation of a heap-based buffer overflow vulnerability in
multiple versions of Microsoft Corp.'s Windows operating system allows
an attacker to execute arbitrary code with the privileges of the
This vulnerability specifically exists in the InternalOpenColorProfile
function in mscms.dll. When a malformed parameter is supplied, a
heap-based buffer overflow can occur, resulting in an exploitable
Exploitation allows an attacker to execute arbitrary code with the
privileges of the current user. Exploitation would require convincing a
targeted user to view a malicious image file either hosted on a Web
server, on local file system or embedded in an-email or Office
documents, or through some form of social engineering.
This vulnerability also can be triggered through e-mail. If the e-mail
client can automatically display images embedded in the e-mail, the
user only needs to open the e-mail to trigger the vulnerability.
Currently an EMF file is used as test attack vector. Outlook and
Outlook Express will automatically display EMF image and trigger the
vulnerability. Lotus Notes and Thunderbird do not display EMF images in
e-mail directly, but the vulnerability still can be triggered when
opening or viewing the EMF attachment.
iDefense has confirmed the existence of this vulnerability in the
following Microsoft products:
Windows 2000 Service Pack 4
Windows XP Service Pack 2
Windows Server 2003 Service Pack 1
Windows Server 2003 Service Pack 2
The following products are not affected:
Windows Vista Service Pack 1
Windows Server 2008
In order to prevent exploitation of this vulnerability, turn off
metafile processing by modifying the registry. Under the registry key,
NT\CurrentVersion\GRE_Initialize" create a DWORD entry
"DisableMetaFiles" and set it to 1.
Keep in mind that this only blocks the attack vector through Windows
metafiles. It may be possible to exploit this vulnerability through
other attack vectors.
Note: Modifying the registry does not affect processes that are already
running, so you may need to log off and log on again or restart the
computer after making the change.
Implementing this workaround may cause components relying on metafile
processing, such as printing, to misbehave.
Viewing e-mail in plain text format mitigates e-mail-based attack.
VI. VENDOR RESPONSE
Microsoft has officially addressed this vulnerability with Security
Bulletin MS08-046. For more information, consult their bulletin at the
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-2245 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
VIII. DISCLOSURE TIMELINE
04/10/2008 Initial vendor notification
04/16/2008 Initial vendor response
08/12/2008 Coordinated public disclosure
This vulnerability was discovered by Jun Mao of iDefense Labs.
Get paid for vulnerability research
Free tools, research and upcoming events
X. LEGAL NOTICES
Copyright =A9 2008 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail email@example.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.