Vigil@nce: Windows, code execution via ICM
August 2008 by Vigil@nce
SYNTHESIS
An attacker can create a malicious MetaFile image leading to code
execution when it is displayed in Windows.
Gravity: 4/4
Consequences: user access/rights
Provenance: document
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 13/08/2008
Identifier: VIGILANCE-VUL-8012
IMPACTED PRODUCTS
– Microsoft Windows 2000 [confidential versions]
– Microsoft Windows 2003 [confidential versions]
– Microsoft Windows XP [confidential versions]
DESCRIPTION
The ICM (Image Color Management) system uses ICC (International
Color Consortium) information indicating how to adjust colors
depending on the display or printing device.
The MSCMS (Microsoft Color Management System) module uses ICC, and is implemented in the mscms.dll library.
However, a malformed EMF MetaFile creates an overflow in the
InternalOpenColorProfile() function of mscms.dll.
As EMF image are automatically displayed by Internet Explorer,
Outlook and Outlook Express, an attacker can create a web page or
send an email in order to execute code on victim’s computer.
CHARACTERISTICS
Identifiers: 952954, CVE-2008-2245, MS08-046, VIGILANCE-VUL-8012