Critical Integer Overflow Vulnerability in Microsoft's GDI+ Image Processing API
( MS11-029, CVE-2011-0041 )
Summary
An integer overflow vulnerability has been discovered in the way the GDI+ application programming interface performs integer calculations while processing image data. A remote attacker who successfully exploits this vulnerability could take complete control of an affected system.
Details
GDI+ is a Microsoft graphics device interface that provides two-dimensional vector graphics, imaging, and typography functions to applications and programmers.
The vulnerability is a memory corruption that occurs when GDI+ improperly processes a specially crafted EMF image file. A remote attacker could exploit this issue by convincing a user to open such a file; successful exploitation may allow execution of arbitrary code on a vulnerable system.
Danny Lieblich, a senior member of the IPS Research Team at Check Point, provides this analysis:
"The attack is an unusual one, and is based on overflowing an integer value in the application’s memory, as with normal integer overflow vulnerabilities – but using an out-of-range floating-point value rather than an integer value. The attack makes use of the fact that some fields in certain files and network protocols may include either an integer value or a floating-point value. As floating-point values allow for a wider range of values (at the expense of smaller precision for higher absolute values), they can be used to specify very large values, causing an overflow when converted to integers by the vulnerable application. Having seen only two attacks of this type, it may be too early to determine whether or not this is a new trend."
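The mechanism Lieblich describes, and the undersized-buffer outcome behind the memory corruption described under Details, as an added C example that is not code from this advisory, from Check Point or from GDI+. The record layout (two binary32 floats carrying width and height), the BYTES_PER_PIXEL and MAX_DIM values and the function names are assumptions made for illustration only and do not describe the real EMF record format. naive_float_to_u32 spells out the x86 CVTTSS2SI result (0x80000000 for NaN, infinities and any value outside int32) rather than relying on a bare C cast, whose behaviour is undefined for those inputs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, hypothetical image header: width and height carried as IEEE-754
 * binary32 floats. This is NOT the real EMF record layout; it only models the
 * "float field converted to an integer" pattern the advisory describes. */
typedef struct {
    float width;
    float height;
} float_dims_t;

#define BYTES_PER_PIXEL 4u
#define MAX_DIM         16384u   /* per-axis cap a hardened decoder enforces (assumed) */

/* Models what a bare (int32_t)f cast does on x86: CVTTSS2SI yields the
 * "integer indefinite" value 0x80000000 for NaN, +/-inf and any magnitude
 * outside int32. The C cast is undefined for those inputs, so the hardware
 * result is written out explicitly instead of relying on the cast. */
static uint32_t naive_float_to_u32(float f)
{
    if (f != f || f >= 2147483648.0f || f < -2147483648.0f)   /* f != f: NaN */
        return 0x80000000u;
    return (uint32_t)(int32_t)f;            /* in range: ordinary truncation */
}

/* Vulnerable pattern: no range check on the float, and the size arithmetic is
 * 32-bit, so it wraps. Returns the byte count the decoder would pass to malloc. */
uint32_t vulnerable_pixel_bytes(const float_dims_t *d)
{
    uint32_t w = naive_float_to_u32(d->width);
    uint32_t h = naive_float_to_u32(d->height);
    return w * h * BYTES_PER_PIXEL;          /* wraps modulo 2^32 */
}

/* Hardened conversion: reject NaN/inf, non-positive, oversized and fractional
 * values BEFORE converting, so the cast is always defined and in range. */
bool checked_float_to_dim(float f, uint32_t *out)
{
    if (f != f || f < 1.0f || f > (float)MAX_DIM)
        return false;
    uint32_t v = (uint32_t)f;                /* defined: 1 <= f <= MAX_DIM */
    if ((float)v != f)
        return false;                        /* fractional dimension: reject */
    *out = v;
    return true;
}

/* Hardened size computation: validated inputs, 64-bit multiply, explicit bound. */
bool safe_pixel_bytes(const float_dims_t *d, size_t *out)
{
    uint32_t w, h;
    if (!checked_float_to_dim(d->width, &w) || !checked_float_to_dim(d->height, &h))
        return false;
    uint64_t bytes = (uint64_t)w * h * BYTES_PER_PIXEL;
    if (bytes > (uint64_t)MAX_DIM * MAX_DIM * BYTES_PER_PIXEL)
        return false;                        /* unreachable after the caps; kept as a guard */
    *out = (size_t)bytes;
    return true;
}

/* Convenience for callers that treat rejection as "no buffer": 0 on rejection. */
size_t safe_pixel_bytes_or_zero(const float_dims_t *d)
{
    size_t n;
    return safe_pixel_bytes(d, &n) ? n : 0;
}

int main(void)
{
    /* Constructed inputs: a benign header, a header with an out-of-range float,
     * and a header whose in-range values still wrap the 32-bit product. */
    const float_dims_t benign = { 640.0f,   480.0f };
    const float_dims_t huge   = { 1.0e20f,  1.0f };
    const float_dims_t wrap   = { 65536.0f, 65536.0f };
    const float_dims_t *cases[] = { &benign, &huge, &wrap };

    for (size_t i = 0; i < 3; i++) {
        printf("width=%g height=%g  vulnerable=%u bytes  hardened=%zu bytes (0 = rejected)\n",
               cases[i]->width, cases[i]->height,
               vulnerable_pixel_bytes(cases[i]),
               safe_pixel_bytes_or_zero(cases[i]));
    }
    return 0;
}
```

Running it shows the 1e20 width producing a zero-byte buffer request: the attacker-chosen float collapses to 0x80000000 after conversion, multiplying by four pixel bytes wraps to 0, and a decoder that then writes 2^31 pixels writes far past whatever malloc returned. The third case shows that even in-range floats (65536 x 65536) wrap the 32-bit product, so the fix is not only to range-check the conversion but also to do the size arithmetic in 64 bits against an explicit cap, which is what the hardened path does.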
Affected Products
The following products are affected by this vulnerability:
- Windows XP SP3 and XP Professional x64 Edition SP2
- Windows Server 2003 SP2, Server 2003 x64 Edition SP2, and Server 2003 with SP2 (Itanium)
- Windows Vista SP1 and Vista SP2
- Windows Vista x64 Edition SP1 and Vista x64 Edition SP2
- Windows Server 2008 for 32-bit Systems - original release and SP2
- Windows Server 2008 for x64-based Systems - original release and SP2
- Windows Server 2008 (Itanium) - original release and SP2
- Microsoft Office XP SP3
Solution
Check Point recommends deploying the patch described in MS11-029 as soon as is practical. In the meantime, networks protected by Check Point's IPS Software Blade or NGX SmartDefense receive immediate protection against this vulnerability from the latest IPS update, which detects and blocks the transfer of malformed EMF files over HTTP. Because that protection applies to files transferred over HTTP, it does not cover files delivered through other channels, so the patch remains the complete fix. For more information, see CPAI-2011-224.
Originally Published:
Last Updated: 12-Apr-2011