Two vulnerabilities have been discovered in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

1) An input validation error in the Fax Cover Page Editor (fxscover.exe) when the "CDrawPoly::Serialize()" function reads in data from a Fax Cover Page file (".cov") can be exploited to cause a heap-based buffer overflow via a Fax Cover Page file containing specially crafted content.

This vulnerability is confirmed in fully patched versions of Windows XP Professional SP3, Windows Server 2003 R2 Enterprise Edition SP2, and Windows 7 Professional. Other versions may also be affected.

2) A use-after-free error in the Fax Cover Page Editor (fxscover.exe) when processing a Fax Cover Page file (".cov") can be exploited to dereference freed memory to load an object pointer for use in a virtual function call via a specially crafted file.

This vulnerability is confirmed in a fully patched version of Windows XP Professional SP3. Other versions may also be affected.

Successful exploitation of these vulnerabilities allows execution of arbitrary code, but requires that "Fax Services" / "Windows Fax and Scan" is installed.

Solution
Apply patches.
Further details available to Secunia VIM customers

Provided and/or discovered by
1) Andrea Micalizzi (rgod)
2) Luigi Auriemma

Changelog
Further details available to Secunia VIM customers

Original Advisory
MS11-024 (KB2527308, KB2491683, KB2506212):
http://www.microsoft.com/technet/security/bulletin/MS11-024.mspx

Andrea Micalizzi:
http://retrogod.altervista.org/9sg_cov_bof.html

Luigi Auriemma:
http://aluigi.altervista.org/adv/fxscover_1-adv.txt

Technical Analysis
Further details available to Secunia VIM customers

Alternate/detailed remediation
Further details available in Customer Area

Deep Links
Links available to Secunia VIM customers