======================================================================

                     Secunia Research 15/04/2015

   Microsoft Windows GDI "MRSETDIBITSTODEVICE::bPlay()" EMF Parsing
                   Memory Corruption Vulnerability

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9

======================================================================
1) Affected Software

* Microsoft Windows 7
* Microsoft Windows Server 2003 Datacenter Edition
* Microsoft Windows Server 2003 Enterprise Edition
* Microsoft Windows Server 2003 Standard Edition
* Microsoft Windows Server 2003 Web Edition
* Microsoft Windows Storage Server 2003
* Microsoft Windows Server 2008
* Microsoft Windows Vista

======================================================================
2) Severity

Rating: Highly critical
Impact: System Access
Where:  From remote

======================================================================
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Microsoft Windows,
which can be exploited by malicious people to compromise a user's
system.

The vulnerability is caused due to an error within the
"MRSETDIBITSTODEVICE::bPlay()" function (GDI32.dll) and can be
exploited to cause a memory corruption via an EMF file with a
specially crafted EMR_SETDIBITSTODEVICE record.

Successful exploitation allows execution of arbitrary code.

======================================================================
4) Solution

Apply update provided by MS15-035.

======================================================================
5) Time Table

14/01/2015 - Vendor notified.
15/01/2015 - Vendor response.
15/01/2015 - Vendor requests delay of disclosure.
15/01/2015 - Replied to vendor requesting planned date of update.
16/02/2015 - Requested status update.
20/02/2015 - Vendor response with no timeline.
23/02/2015 - Replied to vendor requesting future status updates.
26/03/2015 - Requested status update and planned date of update.
08/04/2015 - Vendor response with expected release on 14/04/2015.
11/04/2015 - Replied to vendor.
14/04/2015 - Release of vendor patch and public disclosure.

======================================================================
6) Credits

Discovered by Hossein Lotfi, Secunia Research.

======================================================================
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
the CVE-2015-1645 identifier for the vulnerabilities.

======================================================================
8) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/products/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/company/jobs/

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2015-1/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================
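
Added example (not part of the Secunia advisory, and not Secunia's or Microsoft's code): a Python triage check for the record type named in section 3. It walks the records of an EMF file and flags EMR_SETDIBITSTODEVICE records whose bitmap-header or bitmap-bits ranges do not fit inside the record. The advisory does not say which field triggers the error in bPlay(), so this checks structural consistency only; the type value 0x50 and field offsets follow the published EMF record layout, and make_record() builds constructed test input.

```python
import struct

EMR_SETDIBITSTODEVICE = 0x50   # record type value from the EMF format
FIXED_LEN = 76                 # fixed part: type/size (8) + bounds (16) + 13 * 4


def iter_records(data):
    """Yield (offset, type, size) per EMF record; raise ValueError on a bad size."""
    pos = 0
    while pos + 8 <= len(data):
        rtype, size = struct.unpack_from("<II", data, pos)
        if size < 8 or size % 4 or pos + size > len(data):
            raise ValueError(f"record at {pos:#x}: bad size {size:#x}")
        yield pos, rtype, size
        pos += size


def check_setdibitstodevice(data, pos, size):
    """Return a list of structural problems in one EMR_SETDIBITSTODEVICE record."""
    if size < FIXED_LEN:
        return [f"record shorter than fixed part ({size} < {FIXED_LEN})"]
    # offBmiSrc, cbBmiSrc, offBitsSrc, cbBitsSrc sit at record offset 48
    off_bmi, cb_bmi, off_bits, cb_bits = struct.unpack_from("<4I", data, pos + 48)
    problems = []
    for name, off, cb in (("BmiSrc", off_bmi, cb_bmi), ("BitsSrc", off_bits, cb_bits)):
        if cb and off < FIXED_LEN:
            problems.append(f"{name} overlaps fixed fields (off={off})")
        # Python ints do not wrap; a C version must guard off + cb against overflow
        if off + cb > size:
            problems.append(f"{name} runs past record end (off={off}, cb={cb}, size={size})")
    return problems


def scan_emf(data):
    """Return [(offset, problem), ...] for every EMR_SETDIBITSTODEVICE record."""
    findings = []
    for pos, rtype, size in iter_records(data):
        if rtype == EMR_SETDIBITSTODEVICE:
            findings += [(pos, p) for p in check_setdibitstodevice(data, pos, size)]
    return findings


def make_record(size, off_bmi, cb_bmi, off_bits, cb_bits):
    """Build a constructed test record (zero-filled apart from size and range fields)."""
    rec = bytearray(size)
    struct.pack_into("<II", rec, 0, EMR_SETDIBITSTODEVICE, size)
    struct.pack_into("<4I", rec, 48, off_bmi, cb_bmi, off_bits, cb_bits)
    return bytes(rec)
```

A finding means the record is malformed and the file deserves closer inspection; an empty result does not show a file is safe to open on an unpatched system.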