Buffer Overrun in Microsoft JPEG Processing (GDI+)

Reported September 14, 2004, by Microsoft

VERSIONS AFFECTED

Windows Server 2003
Windows XP
Microsoft Office 2003
Microsoft Office XP
Microsoft Project 2002 and 2003
Microsoft Visio 2002 and 2003
Microsoft Visual Studio .NET 2002 and 2003
Microsoft Windows .NET Framework 1.0 SDK Service Pack 2
Microsoft Picture It! 2002 versions 7.0 and 9
Microsoft Greetings 2002
Microsoft Digital Image Pro versions 7.0 and 9
Microsoft Digital Image Suite 9
Microsoft Producer for Microsoft Office PowerPoint
Microsoft Platform SDK Redistributable: GDI+

DESCRIPTION
A buffer-overrun vulnerability in the processing of JPEG image formats could allow remote code execution on a vulnerable system. Any program that processes JPEG images on the affected systems could be vulnerable to this attack, as could any system that uses the affected programs or components. A potential attacker who successfully exploited this vulnerability could take complete control of an affected system.

VENDOR RESPONSE
Microsoft has released security bulletin MS04-028, "Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)," to address this vulnerability and recommends that affected users immediately apply the appropriate patch listed in the bulletin.

CREDIT
Discovered by Nick DeBaggis.

Comments

Plain text