Vigil@nce: Windows, code execution via ICM
August 2008 by Vigil@nce
An attacker can create a malicious MetaFile image leading to code execution when it is displayed in Windows.
Consequences: user access/rights
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 13/08/2008
Microsoft Windows 2000 [confidential versions]
Microsoft Windows 2003 [confidential versions]
Microsoft Windows XP [confidential versions]
The ICM (Image Color Management) system uses ICC (International Color Consortium) information indicating how to adjust colors depending on the display or printing device.
The MSCMS (Microsoft Color Management System) module uses ICC, and is implemented in the mscms.dll library.
However, a malformed EMF MetaFile creates an overflow in the InternalOpenColorProfile() function of mscms.dll.
As EMF image are automatically displayed by Internet Explorer, Outlook and Outlook Express, an attacker can create a web page or send an email in order to execute code on victim’s computer.
Identifiers: 952954, CVE-2008-2245, MS08-046, VIGILANCE-VUL-8012