Contactez-nous Suivez-nous sur Twitter En francais English Language

De la Théorie à la pratique

Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN



Vigil@nce: Windows, code execution via ICM

August 2008 by Vigil@nce


An attacker can create a malicious MetaFile image leading to code execution when it is displayed in Windows.

Gravity: 4/4

Consequences: user access/rights

Provenance: document

Means of attack: no proof of concept, no attack

Ability of attacker: expert (4/4)

Confidence: confirmed by the editor (5/5)

Diffusion of the vulnerable configuration: high (3/3)

Creation date: 13/08/2008

Identifier: VIGILANCE-VUL-8012


- Microsoft Windows 2000 [confidential versions]
- Microsoft Windows 2003 [confidential versions]
- Microsoft Windows XP [confidential versions]


The ICM (Image Color Management) system uses ICC (International Color Consortium) information indicating how to adjust colors depending on the display or printing device.

The MSCMS (Microsoft Color Management System) module uses ICC, and is implemented in the mscms.dll library.

However, a malformed EMF MetaFile creates an overflow in the InternalOpenColorProfile() function of mscms.dll.

As EMF image are automatically displayed by Internet Explorer, Outlook and Outlook Express, an attacker can create a web page or send an email in order to execute code on victim’s computer.


Identifiers: 952954, CVE-2008-2245, MS08-046, VIGILANCE-VUL-8012

See previous articles


See next articles