CERT-In Vulnerability Note CIVN-2010-12
Microsoft Paint Buffer Overflow Vulnerability

Original Issue Date: February 11, 2010

Severity Rating: Medium

System Affected

  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP Service Pack 3
  • Microsoft Windows XP Service Pack 2
  • Microsoft Windows XP Professional x64 Edition Service Pack 2
  • Microsoft Windows Server 2003 Service Pack 2
  • Microsoft Windows Server 2003 with SP2 for Itanium-based Systems

Overview

A vulnerability has been reported in Microsoft Paint that could allow remote code execution if a user views a specially crafted JPEG image file using Microsoft Paint.

Description

The vulnerability is caused by an integer overflow error in Microsoft Paint when parsing certain image content. This can be exploited to cause a heap-based buffer overflow by tricking a user into viewing a specially crafted JPEG image.

An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system.
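
The bug class described above (an integer overflow in a size calculation that leads to an undersized heap buffer) is shown here as an added example; it is not Microsoft Paint's code and is not taken from the bulletin. The function names, the 4-bytes-per-pixel layout and the 256 MiB cap are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical policy cap on decoded image size (assumption): 256 MiB. */
#define MAX_IMAGE_BYTES (256u * 1024u * 1024u)

/* Flawed pattern: the product is computed modulo 2^32, so large
 * dimensions yield a small "size" that is then used for allocation. */
uint32_t unchecked_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Multiply with overflow detection; returns 0 on success, -1 on overflow. */
static int mul_u32(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a != 0 && b > UINT32_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Hardened pattern: reject zero, overflowing or oversized dimensions
 * before any buffer is allocated. Returns 0 and sets *out on success. */
int checked_size(uint32_t width, uint32_t height, uint32_t bpp, uint32_t *out)
{
    uint32_t pixels, bytes;
    if (width == 0 || height == 0 || bpp == 0)
        return -1;
    if (mul_u32(width, height, &pixels) != 0)
        return -1;
    if (mul_u32(pixels, bpp, &bytes) != 0)
        return -1;
    if (bytes > MAX_IMAGE_BYTES)
        return -1;
    *out = bytes;
    return 0;
}

int main(void)
{
    uint32_t n = 0;
    /* Constructed header values: 32768 x 32769 pixels, 4 bytes per pixel. */
    printf("unchecked: %u bytes\n", (unsigned)unchecked_size(0x8000, 0x8001, 4));
    int rc = checked_size(0x8000, 0x8001, 4, &n);
    printf("checked:   %s\n", rc ? "rejected" : "accepted");
    return 0;
}
```

With the constructed dimensions the unchecked calculation wraps to 131072 bytes although the image needs just over 4 GiB, which is how a decoder ends up writing past a heap allocation; the checked version rejects the header before allocating.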

Solution

Apply the appropriate updates as mentioned in Microsoft Security Bulletin MS10-005.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS10-005.mspx

References

Secunia
http://secunia.com/advisories/36634/

VUPEN
http://www.vupen.com/english/advisories/2010/0338

SecurityFocus
http://www.securityfocus.com/bid/38042

SecurityTracker
http://securitytracker.com/alerts/2010/Feb/1023564.html

SANS
http://isc.sans.org/diary.html

CVE Name
CVE-2010-0028

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003