Vigil@nce - Windows: information disclosure via TIFF
February 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can read a memory fragment of Windows via a TIFF
image, in order to obtain sensitive information.
Impacted products: Windows 2003, Windows 2008 R0, Windows 2008 R2,
Microsoft Windows 2012, Windows 7, Windows 8, Windows RT, Windows
Vista
Severity: 2/4
Creation date: 10/02/2015
DESCRIPTION OF THE VULNERABILITY
The Gdiplus.dll library of Windows supports images in the TIFF
format.
However, when a TIFF image is processed, Gdiplus.dll does not
initialize a memory area before returning it to the user.
An attacker can therefore read a memory fragment of Windows via a
TIFF image, in order to obtain sensitive information.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Windows-information-disclosure-via-TIFF-16166