__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Windows Buffer Overrun in JPEG Processing Could Allow Code Execution [Microsoft Security Bulletin MS04-028] September 14, 2004 21:00 GMT Number O-213 [REVISED 23 Sep 2004] [REVISED 13 Oct 2004] ______________________________________________________________________________ PROBLEM: A buffer overrun in jpeg (.jpg) image processing could allow arbitrary code to be run on a system with the privileges of the logged on user. The intruder would need to convince the user to open a specially crafted jpeg document. The document could be on a website, in an e-mail message or on the user's system. PLATFORM: Many versions of the Windows operating system and Windows Office products. See the list in the bulletin by product version number and service pack level to determine which products are vulnerable. Note that while an operating system may not be vulnerable, if an office product that contains the vulnerability is installed the system becomes vulnerable. DAMAGE: An intruder would be able to run programs with the privileges of the logged on user. If the user has administrator privileges the intruder would be able to do anything on a system. While the intruder must convince the user to open a specially crafted jpeg document, that document could be part of a web page of an html formatted e-mail message. Viewing the e-mail message or web page triggers the vulnerability. SOLUTION: Apply the indicated patches from the Microsoft website. ______________________________________________________________________________ VULNERABILITY The risk is HIGH. This vulnerability is in many commonly used ASSESSMENT: products and would allow an intruder to get root privileges if the user is logged in as administrator. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/o-213.shtml ORIGINAL BULLETIN: http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx CVE/CAN: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CAN-2004-0200 ______________________________________________________________________________ REVISION HISTORY: 09/23/04 - Microsoft added Office XP Service Pack 2 to their list of affected products. 10/13/04 - Microsoft has revised the security updates for Office XP, Visio 2002, and Project 2002 customers that are using Windows XP Service pack 2 and the Knowledge Base Article 833987 and 886988. See their bulletin for more information for these updates. [***** Start Microsoft Security Bulletin MS04-028 *****] Microsoft Security Bulletin MS04-028 Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987) Issued: September 14, 2004 Updated: October 12, 2004 Version: 2.0 Summary Who should read this document: Customers who use any of the affected operating systems, affected software programs, or affected components. Impact of Vulnerability: Remote Code Execution Maximum Severity Rating: Critical Recommendation: Customers should apply the update immediately. Security Update Replacement: None Caveats: If you have installed any of the affected programs or affected components listed in this bulletin, you should install the required security update for each of the affected programs or affected components. This may require the installation of multiple security updates. See the FAQ section of this bulletin for more information. Microsoft Knowledge Base Article 833987 documents the currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues. For more information, see Microsoft Knowledge Base Article 833987 or the FAQ section of this security bulletin. Tested Software and Security Update Download Locations: Affected Software: • Microsoft Windows XP and Microsoft Windows XP Service Pack 1 – Download the update • Microsoft Windows XP 64-Bit Edition Service Pack 1 – Download the update • Microsoft Windows XP 64-Bit Edition Version 2003 – Download the update • Microsoft Windows Server™ 2003 – Download the update • Microsoft Windows Server 2003 64-Bit Edition – Download the update • Microsoft Office XP Service Pack 3 – Download the update • Microsoft Office XP Service Pack 2 – Download the update Microsoft Office XP Service Pack Software: • Outlookฎ 2002 • Word 2002 • Excel 2002 • PowerPointฎ 2002 • FrontPageฎ 2002 • Publisher 2002 • Access 2002 • Microsoft Office 2003 – Download the update Microsoft Office 2003 Software: • Outlookฎ 2003 • Word 2003 • Excel 2003 • PowerPointฎ 2003 • FrontPageฎ 2003 • Publisher 2003 • Access 2003 • InfoPath™ 2003 • OneNote™ 2003 • Microsoft Project 2002 Service Pack 1 (all versions) – Download the update • Microsoft Project 2003 (all versions) – Download the update • Microsoft Visio 2002 Service Pack 2 (all versions) – Download the update • Microsoft Visio 2003 (all versions) – Download the update • Microsoft Visual Studio .NET 2002 – Download the update Microsoft Visual Studio .NET 2002 Software: • Visual Basic .NET Standard 2002 • Visual C# .NET Standard 2002 • Visual C++ .NET Standard 2002 • Microsoft Visual Studio .NET 2003 – Download the update Microsoft Visual Studio .NET 2003 Software: • Visual Basic .NET Standard 2003 • Visual C# .NET Standard 2003 • Visual C++ .NET Standard 2003 • Visual J# .NET Standard 2003 • The Microsoft .NET Framework version 1.0 SDK Service Pack 2 – Download the update • Microsoft Picture It!ฎ 2002 (all versions) – Download the update • Microsoft Greetings 2002 – Download the update • Microsoft Picture It! version 7.0 (all versions) – Download the update • Microsoft Digital Image Pro version 7.0 – Download the update • Microsoft Picture It! version 9 (All Versions, including Picture It! Library) – Download the update • Microsoft Digital Image Pro version 9 – Download the update • Microsoft Digital Image Suite version 9 – Download the update • Microsoft Producer for Microsoft Office PowerPoint (all versions) – Download the update • Microsoft Platform SDK Redistributable: GDI+ - Download the update Office Users Note: Office XP Service Pack 2 and Office XP Service Pack 3 are both vulnerable to this issue. However the security update for Office XP Service Pack 2 is only provided as part of the Office XP administrative security update. For more information, see the Security Update Information section. Office 2003 Service Pack 1, Visio 2003 Service Pack 1, and Project 2003 Service Pack 1 contain an updated version of the affected component and are not affected. Customers that have installed these service packs do not need to install the available security updates for these products. MSN 9 Users Note MSN 9 distributes Picture It! Express version 9 and Picture It! Library. You have the option to install these programs when you install MSN 9. You should install the Picture It! version 9 update only if you installed Picture It! Express version 9 or Picture It! Library when you installed MSN 9. Affected Components: • Internet Explorer 6 Service Pack 1 - Download the update • The Microsoft .NET Framework version 1.0 Service Pack 2 – Download the update • The Microsoft .NET Framework version 1.1 – Download the update • Windows Journal Viewer - Download the update (KB886179) Non-Affected Software • Microsoft Windows NT Server 4.0 Service Pack 6a • Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 • Microsoft Windows 2000 Service Pack 3, Microsoft Windows 2000 Service Pack 4 • Microsoft Windows XP Service Pack 2 • Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (Me) • Microsoft Office 2003 Service Pack 1 • Microsoft Office 2000 • Microsoft Visio 2003 Service Pack 1 • Microsoft Visio 2000 • Microsoft Project 2003 Service Pack 1 • Microsoft Project 2000 • Microsoft Digital Image Suite 10, Microsoft Digital Image Pro 10, Picture It! Premium 10 • The Microsoft.NET Framework version 1.1 SDK • Microsoft Works (all versions) • Microsoft Systems Management Server (all versions) • Microsoft SQL Server Reporting Services • Microsoft Broadband Networking Non-Affected Components: • Internet Explorer 5.01 Service Pack 3 on Windows 2000 Service Pack 3 • Internet Explorer 5.01 Service Pack 4 on Windows 2000 Service Pack 4 • Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium Edition • The Microsoft .NET Framework version 1.0 Service Pack 3 • The Microsoft .NET Framework version 1.1 Service Pack 1 • The Microsoft .NET Framework version 1.1 Service Pack 1 for Windows Server 2003 Note The non-affected versions of Windows do not natively contain the vulnerable component. However, the vulnerable component is installed on these non-affected operating systems when you install any of the software programs or components that are listed in the Affected Software and Affected Components sections of this bulletin. See the FAQ section of this bulletin for more information. The software in this list has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the following Microsoft Support Lifecycle Web site. General Information Executive Summary: This update resolves a newly-discovered, privately reported vulnerability. A buffer overrun vulnerability exists in the processing of JPEG image formats that could allow remote code execution on an affected system. The vulnerability is documented in this bulletin in its own section. If a user is logged on with administrator privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges. Microsoft recommends that customers apply the update immediately. Severity Ratings and Vulnerability Identifier: Vulnerability Identifier - JPEG Vulnerability - CAN-2004-0200 Impact of Vulnerability - Remote Code Execution Outlook (Versions 2002 and 2003) - Critical Internet Explorer 6 Service Pack 1 - Critical Windows XP, Windows XP Service Pack 1, Windows Server 2003 - Critical .NET Framework 1.0, Service Pack 2, .NET Framework 1.1 - Critical Other Affected Software and Affected Components Listed Earlier - Important This assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. Acknowledgments Microsoft thanks the following for working with us to help protect customers: • Nick DeBaggis for reporting the JPEG Vulnerability (CAN-2004-0200). Obtaining Other Security Updates: Updates for other security issues are available from the following locations: • Security updates are available from the Microsoft Download Center: You can find them most easily by doing a keyword search for "security_patch". • Updates for consumer platforms are available from the Windows Update Web site. Support: • Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. • International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site. Security Resources: • The Microsoft TechNet Security Web site provides additional information about security in Microsoft products. • Microsoft Software Update Services • Microsoft Baseline Security Analyzer (MBSA) • Windows Update • Windows Update Catalog: For more information about the Windows Update Catalog, see Microsoft Knowledge Base Article 323166. • Office Update Software Update Services: By using Microsoft Software Update Services (SUS), administrators can quickly and reliably deploy the latest critical updates and security updates to Windows 2000 and Windows Server 2003-based servers, and to desktop systems that are running Windows 2000 Professional or Windows XP Professional. For more information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site. Systems Management Server: Microsoft Systems Management Server (SMS) delivers a highly-configurable enterprise solution for managing updates. By using SMS, administrators can identify Windows-based systems that require security updates and to perform controlled deployment of these updates throughout the enterprise with minimal disruption to end users. For more information about how administrators can use SMS 2003 to deploy security updates, see the SMS 2003 Security Patch Management Web site. SMS 2.0 users can also use Software Updates Service Feature Pack to help deploy security updates. For information about SMS, visit the SMS Web site. Note SMS uses the Microsoft Baseline Security Analyzer and the Microsoft Office Detection Tool to provide broad support for security bulletin update detection and deployment. Some software updates may not be detected by these tools. Administrators can use the inventory capabilities of the SMS in these cases to target updates to specific systems. For more information about this procedure, see the following Web site. Some security updates require administrative rights following a restart of the system. Administrators can use the Elevated Rights Deployment Tool (available in the SMS 2003 Administration Feature Pack and in the SMS 2.0 Administration Feature Pack) to install these updates. Disclaimer: The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Revisions: • V1.0 (September 14, 2004): Bulletin published • V1.1 (September 15, 2004): Affected and Non-Affected Software Sections updated. Office XP Service Pack 2 is affected and this has been clarified. The .NET Framework 1.1 SDK and MS Works (all versions) are not affected and have been added to the Non Affected Software Section. FAQ’s have also been updated to provide additional information about this issue. • V1.2 (September 21, 2004): Affected and Non-Affected Software Sections updated. Updated Security Update Information Sections for Office XP, Visio 2002, Project 2002, .NET Framework 1.0 and .NET Framework 1.1. FAQ’s have also been updated to provide additional information about this issue. • V2.0 (October 12, 2004): Bulletin updated to advise on the availability of revised security updates for Office XP, Visio 2002, and Project 2002 customers that are using Windows XP Service Pack 2. Microsoft Knowledge Base Article 833987 documents the currently known issues that customers may experience when installing these security updates. The article also documents recommended solutions for these issues. Microsoft has also released the MS04-028 Enterprise Update Scanning Tool to help customers detect and deploy the required updates. For more information about the MS04-028 Enterprise Update Scanning Tool, see Microsoft Knowledge Base Article 886988. We have released an update for Windows 2000-based systems that have installed the Windows Journal Viewer. The bulletin has also been updated with a new FAQ that addresses questions regarding the Visio 2002 Viewer, Visio 2003 Viewer, and PowerPoint 2003 Viewer programs. [***** End Microsoft Security Bulletin MS04-028 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Microsoft for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) O-203: Cisco Secure Access Control Server Vulnerabilities O-204: Netscape NSS Library Suite Remote Buffer Overflow O-205: Adobe Acrobat Reader Uuencoding Buffer Overflow O-206: Entrust LibKmp Library Vulnerabilities O-207: Cisco IOS Telnet Denial of Service Vulnerability O-208: Kerberos krb5 Vulnerabilities O-209: Oracle Database Server Vulnerabilities O-210: LHA Packages Buffer Overflow Vulnerability O-211: Potential Buffer Overflows in WinZip O-212: Apple Security Update