Alert GCSA-09093 - Vulnerabilities in Microsoft GDI+ (MS09-062)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
******************************************************************
Alert ID : GCSA-09093
Date : 15 October 2009
Title : Vulnerabilities in Microsoft GDI+ (MS09-062)
******************************************************************
:: Problem description
Several vulnerabilities have been identified in Microsoft Windows GDI+
which could be exploited to execute arbitrary code and compromise a
vulnerable system. The vulnerabilities are due to memory corruption,
integer, heap and buffer overflow errors and input validation errors in
GDI+ when processing malicious WMF, PNG, TIFF and BMP image files, or
when processing Office Art Property Tables in Office documents, and
could allow a remote attacker to execute arbitrary code on an affected
machine.
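The advisory names integer, heap and buffer overflows in image parsing as the root cause. The following added example (not code from the advisory, from Microsoft, or from GDI+) illustrates that class of defect in a generic, constructed form: a naive 32-bit pixel-buffer size computation that wraps on a crafted header, beside a hardened version that bounds each field and multiplies in 64 bits. The header layout, the limits and every function name are assumptions chosen for illustration.

```c
/* Added example: generic image-header size validation.
 * Not GDI+ code; the 12-byte header layout (width, height, bits per pixel,
 * little-endian uint32 each) and the limits are constructed assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bits_per_pixel;
} img_header_t;

/* Naive computation: the 32-bit product wraps, so a crafted header can yield
 * a tiny (even zero) allocation that a later pixel copy overruns (heap
 * overflow). This is the defect class the advisory describes. */
uint32_t unsafe_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp) {
    return width * height * (bpp / 8);
}

/* Hardened computation: rejects out-of-range dimensions and unsupported
 * depths, multiplies in 64 bits and caps the result. Returns 0 on rejection;
 * a valid image never has size 0 because width, height and bpp are nonzero. */
size_t safe_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp) {
    const uint32_t MAX_DIM = 1u << 16;          /* assumed policy limit, 65536 px */
    const uint64_t MAX_BYTES = 64u << 20;       /* assumed cap, 64 MiB */
    if (width == 0 || height == 0 || width > MAX_DIM || height > MAX_DIM)
        return 0;
    if (bpp != 8 && bpp != 24 && bpp != 32)
        return 0;
    uint64_t bytes = (uint64_t)width * (uint64_t)height * (uint64_t)(bpp / 8);
    if (bytes > MAX_BYTES)
        return 0;
    return (size_t)bytes;
}

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Length-checked header parse: a truncated buffer is rejected before any
 * field is read, which is the input-validation half of the problem. */
int parse_header(const uint8_t *buf, size_t len, img_header_t *out) {
    if (buf == NULL || out == NULL || len < 3 * sizeof(uint32_t))
        return 0;
    out->width = read_le32(buf);
    out->height = read_le32(buf + 4);
    out->bits_per_pixel = read_le32(buf + 8);
    return 1;
}

/* Parse then validate; 0 means the input must not be decoded. */
size_t decode_size(const uint8_t *buf, size_t len) {
    img_header_t h;
    if (!parse_header(buf, len, &h))
        return 0;
    return safe_pixel_bytes(h.width, h.height, h.bits_per_pixel);
}

/* Constructed sample header: 640 x 480, 24 bpp. */
const uint8_t SAMPLE_HEADER[12] = {
    0x80, 0x02, 0x00, 0x00,   /* width  = 640 */
    0xE0, 0x01, 0x00, 0x00,   /* height = 480 */
    0x18, 0x00, 0x00, 0x00    /* bpp    = 24  */
};

int main(void) {
    /* Crafted dimensions: 65536 x 65536 x 32 bpp wraps the 32-bit product to 0. */
    printf("naive size for crafted header: %u bytes\n",
           unsafe_pixel_bytes(0x10000u, 0x10000u, 32));
    printf("checked size for crafted header: %zu (0 = rejected)\n",
           safe_pixel_bytes(0x10000u, 0x10000u, 32));
    printf("checked size for sample header: %zu bytes\n",
           decode_size(SAMPLE_HEADER, sizeof SAMPLE_HEADER));
    printf("checked size for truncated header: %zu (0 = rejected)\n",
           decode_size(SAMPLE_HEADER, 5));
    return 0;
}
```

The point to take from the comparison is that the naive path returns an allocation size of 0 for the crafted header and would happily proceed, whereas the checked path refuses the input before any buffer is allocated.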
:: Affected software
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Service Pack 3
Microsoft Windows XP Professional x64 Edition Service Pack 2
Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows Server 2003 SP2 (Itanium)
Microsoft Windows Vista
Microsoft Windows Vista Service Pack 1
Microsoft Windows Vista x64 Edition
Microsoft Windows Vista x64 Edition Service Pack 1
Microsoft Windows Server 2008 (32-bit)
Microsoft Windows Server 2008 (x64)
Microsoft Windows Server 2008 (Itanium)
Microsoft Internet Explorer 6 Service Pack 1
Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 3
2007 Microsoft Office System Service Pack 1
2007 Microsoft Office System Service Pack 2
Microsoft Office Project 2002 Service Pack 1
Microsoft Office Visio 2002 Service Pack 2
Microsoft Office Word Viewer
Microsoft Word Viewer 2003
Microsoft Word Viewer 2003 Service Pack 3
Microsoft Office Excel Viewer 2003
Microsoft Office Excel Viewer 2003 Service Pack 3
Microsoft Office Excel Viewer, PowerPoint Viewer 2007
Microsoft PowerPoint Viewer 2007 Service Pack 1
Microsoft PowerPoint Viewer 2007 Service Pack 2
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007
File Formats Service Pack 1
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007
File Formats Service Pack 2
Microsoft Expression Web and Microsoft Expression Web 2
Microsoft Office Groove 2007 and Microsoft Office Groove 2007 Service Pack 1
Microsoft Works 8.5
Microsoft SQL Server 2000 Reporting Services Service Pack 2
Microsoft SQL Server 2005 Service Pack 2
Microsoft SQL Server 2005 x64 Edition Service Pack 2
Microsoft SQL Server 2005 for Itanium-based Systems Service Pack 2
Microsoft SQL Server 2005 Service Pack 3
Microsoft SQL Server 2005 x64 Edition Service Pack 3
Microsoft SQL Server 2005 for Itanium-based Systems Service Pack 3
Microsoft Visual Studio .NET 2003 Service Pack 1
Microsoft Visual Studio 2005 Service Pack 1
Microsoft Visual Studio 2008
Microsoft Visual Studio 2008 Service Pack 1
Microsoft Report Viewer 2005 Service Pack 1 Redistributable Package
Microsoft Report Viewer 2008 Redistributable Package
Microsoft Report Viewer 2008 Redistributable Package Service Pack 1
Microsoft Visual FoxPro 8.0 Service Pack 1 when installed on Microsoft
Windows 2000 Service Pack 4
Microsoft Visual FoxPro 9.0 Service Pack 2 when installed on Microsoft
Windows 2000 Service Pack 4
Microsoft Platform SDK Redistributable: GDI+
Microsoft Forefront Client Security 1.0
:: Impact
Arbitrary code execution
Possible system compromise
:: Solutions
Apply the updates released by Microsoft:
http://www.microsoft.com/technet/security/Bulletin/MS09-062.mspx
:: References
Microsoft Security Bulletin MS09-062
http://www.microsoft.com/technet/security/Bulletin/MS09-062.mspx
Secunia
http://secunia.com/advisories/37007
VuPEN
http://www.vupen.com/english/advisories/2009/2897
Mitre's CVE ID
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2501
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2502
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2503
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2504
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3126
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2528
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2518
-----BEGIN PGP SIGNATURE-----
iQCVAwUBStcAI/OB+SpikaiRAQLKtAP+Jk06p+xMqxIyhldbHVHB5Cwcoy2imBww
igTIKO5mIJoPRVHVpjILsFv16pnaW9MnQEDQMtSsfkZCqvLzEoxf3PSkagd/01Hr
Fx8zGMFPsRg9oekollBw5MoMJVW8rYkgEJ/ogsSbAOkmF7dxNgoqWNwXZpg+t8q0
KO59ZI1R6j4=
=qHA3
-----END PGP SIGNATURE-----