Secunia CSI7
Advisories
Research
Forums
Create Profile
Our Commitment
Database
Search
Advisories by Product
Advisories by Vendor
Terminology
Report Vulnerability
Insecure Library Loading
Highly critical

Microsoft Office Graphics Filters Multiple Vulnerabilities

-

Description


Multiple vulnerabilities have been discovered in Microsoft Office, which can be exploited by malicious people to compromise a user's system.

1) A validation error in the CGM Filter (CGMIMP32.FLT) when allocating memory can be exploited to cause a buffer overflow via a specially crafted CGM image file.

2) An integer truncation error in the PICT import filter (PICTIM32.FLT) can be exploited to cause a heap-based buffer overflow by tricking a user into importing a specially crafted PICT file.

3) An input validation error in the TIFF Import/Export Graphic Filter (TIFFIM32.FLT) when parsing BitsPerSample entries in IFD structures can be exploited to cause a heap-based buffer overflow via a specially crafted TIFF image containing an overly large SamplesPerPixel entry as well as an overly large count value in the BitsPerSample entry.

4) An input validation error in the TIFF Import/Export Graphic Filter (TIFFIM32.FLT) when an error occurs while reading data during parsing of a BitsPerSample entry in an IFD structure can be exploited to cause a heap-based buffer overflow via a specially crafted TIFF image.

5) An error in the TIFF Import/Export Graphic Filter (TIFFIM32.FLT) when converting the endianess of certain data can be exploited to corrupt memory via a specially crafted TIFF image with an overly large "count" field value in an IFD entry.

6) An error due to missing input validation within a library used by the bundled Microsoft Office Document Imaging application when converting certain data during parsing of TIFF images can be exploited to corrupt memory via a TIFF image containing specially crafted IFD entries.

7) A boundary error in the FlashPix image converter when parsing OLE property sets with a long entry can be exploited to cause a stack-based buffer overflow.

8) A boundary error in the FlashPix image converter when parsing overly large tile data can be exploited to cause a buffer overflow in the data section of the process memory space.

9) A boundary error in the FlashPix image converter when parsing overly large tile data can be exploited to cause a stack-based buffer overflow.


Solution:
Apply patches.

Further details available to Secunia VIM customers

Provided and/or discovered by:
1) The vendor credits Yamata Li, Palo Alto Networks
2) Alin Rad Pop, Secunia Research
The vendor also credits Yamata Li, Palo Alto Networks.
3, 4, 5, 6) Carsten Eiram, Secunia Research
7, 8, 9) Dyon Balding, Secunia Research

Original Advisory:
MS10-105 (KB2288931, KB2289078, KB2289162, KB2289163, KB2431831, KB2456849):
http://www.microsoft.com/technet/security/bulletin/ms10-105.mspx

Secunia Research:
http://secunia.com/secunia_research/2009-30/
http://secunia.com/secunia_research/2009-31/
http://secunia.com/secunia_research/2009-32/
http://secunia.com/secunia_research/2009-33/
http://secunia.com/secunia_research/2009-34/
http://secunia.com/secunia_research/2009-39/

Deep Links:
Links available to Secunia VIM customers

Do you have additional information related to this advisory?

Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this information to vuln@secunia.com

Subject: Microsoft Office Graphics Filters Multiple Vulnerabilities

No posts yet

-

You must be logged in to post a comment.



 Products Solutions Customers Partner Resources Company
 
 Corporate
Vulnerability Intelligence Manager (VIM)
Corporate Software Inspector (CSI)
Consumer
Personal Software Inspector (PSI)
Online Software Inspector (OSI)
 Industry
Compliance
Technology
Integration
 Customers
Testimonials
 VARS
MSSP
Technology Partners
References
 Factsheets
Reports
Webinars
Events
 About us
Careers
Memberships
Newsroom


 
© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144
Terms & Conditions and Copyright - Privacy - Report Vulnerability