US-CERT Technical Cyber Security Alert TA05-012A -- Multiple Vulnerabilities in Microsoft Windows Icon and Cursor Processing

National Cyber Alert System

Technical Cyber Security Alert TA05-012A

Multiple Vulnerabilities in Microsoft Windows Icon and Cursor Processing

Original release date: January 12, 2005
Last revised: January 12, 2005
Source: US-CERT

Systems Affected

Microsoft Windows Operating Systems excluding Microsoft Windows XP SP2

Overview

Microsoft Windows contains multiple vulnerabilities in the way that it handles cursor and icon files. A remote attacker could execute arbitrary code or cause a denial-of-service condition.

I. Description

Microsoft Security Bulletin MS05-002 describes a number of vulnerabilities in the way that Windows handles icons, cursors, animated cursors, and bitmaps. Further details are available in the following vulnerability notes:

VU#625856 - Microsoft Windows LoadImage API vulnerable to integer overflow

The Microsoft Windows LoadImage routine is vulnerable to an integer overflow that may allow a remote attacker to execute arbitrary code on a vulnerable system.
(CAN-2004-1049)

VU#697136 - Microsoft Windows kernel vulnerable to denial-of-service condition via animated cursor (.ani) rate number

A vulnerability exists in the way the Microsoft Windows kernel processes animated cursor (.ani) files with a rate number set to zero. Exploitation of this vulnerability may allow a remote attacker to cause a denial-of-service condition.
(CAN-2004-1305)

VU#177584 - Microsoft Windows kernel vulnerable to denial-of-service condition via animated cursor (.ani) frame number

A vulnerability exists in the way the Microsoft Windows kernel processes animated cursor (.ani) files with a frame number set to zero. Exploitation of this vulnerability may allow a remote attacker to cause a denial-of-service condition.
(CAN-2004-1305)

Note that exploits for these vulnerabilities are publicly available.

II. Impact

If a remote attacker can persuade a user to access a specially crafted bitmap image, icon, or cursor file, the attacker may be able to execute arbitrary code on that user's system, with their privileges. Potentially, any operation that displays an image could trigger exploitation; for instance, browsing the file system, reading HTML email, or browsing websites.

III. Solution

Install an Update

Install the update as described in Microsoft Security Bulletin MS05-002. Please also note that this update is also available via Windows Update and Automatic Updates.

Appendix A. References

US-CERT Vulnerability Note VU#697136 - <http://www.kb.cert.org/vuls/id/697136>
US-CERT Vulnerability Note VU#177584 - <http://www.kb.cert.org/vuls/id/177584>
US-CERT Vulnerability Note VU#625856 - <http://www.kb.cert.org/vuls/id/625856>
Microsoft Security Bulletin MS05-002 - <http://www.microsoft.com/technet/security/bulletin/ms05-002.mspx>

These vulnerabilities were reported by Flashsky Fangxing and eEye Digital Security.

Feedback can be directed to the author: Jeffrey Gennari.

Revision History

Jan 12, 2005: Initial release
Jan 12, 2005: Updated revision release date and copyright date

Last updated February 08, 2008

US-CERT: United States Computer Emergency Readiness Team

Information For

Sign Up

Reporting

DHS Threat Advisory