Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Vista

Microsoft GDI+ Library JPEG Segment Length Integer Underflow Vulnerability

Solution:
Microsoft has released a security bulletin MS04-028 and fixes to address this issue in affected products. Additionally, the vendor reports that this issue is addressed in Microsoft Office 2003 Service Pack 1 for Office 2003, Microsoft Visio 2003 Service Pack 1 for Visio 2003 and Microsoft Project 2003 Service Pack 1 for Project 2003.

The vendor also reports that customers that have installed MSN 9, and have chosen to install Picture It! Express version 9 and Picture It! Library, should install the Picture It! version 9 update.

Customers are advised to access the referenced advisory for further information pertaining to obtaining and applying appropriate updates.

Avaya has released an advisory that acknowledges this vulnerability for
Avaya products. Customers are advised to apply the appropriate fix for Microsoft Internet Explorer to the affected Avaya Platforms. Please see the referenced Avaya advisory at the following location for further details:
http://support.avaya.com/japple/css/japple?temp.groupID=128450&temp.selectedFamily=128451&temp.selectedProduct=154235&temp.selectedBucket=126655&temp.feedbackState=askForFeedback&temp.documentID=202196&PAGE=avaya.css.CSSLvl1Detail&executeTransaction=avaya.css.UsageUpdate()

Microsoft has released a revision to their original advisory. Microsoft Office XP service pack 2 has been reported vulnerable to this issue. The update released for Office XP service pack 3 will patch this issue.

Business Objects has issued fixes for Crystal Reports 9 and 10 and Crystal Enterprise 9 and 10.

Microsoft has updated bulletin MS04-028 to include new fixes for Visual FoxPro 8.0, Visual FoxPro 8.0 Runtime Library, .NET Framework 1.0 Service Pack 2, and .NET Framework 1.1. Additionally, Windows Messenger 5.1 has been released containing a fixed version of the vulnerable library.

Symantec products such as Norton SystemWorks, Norton Password Manager, and Symantec Norton Internet Security Professional do include the affected library but are not prone to this vulnerability since the library is not used to process JPEG images. Nonetheless, updated versions of the library may be obtained through LiveUpdate. Further details may be found in the attached "Symantec Completes Update of Microsoft's Graphic Device Interface Component" advisory.


Microsoft Greetings 2002

Microsoft Project 2002 SP1

Microsoft Office XP SP3

Microsoft Picture It! 2002

Microsoft Digital Image Suite 9.0

Microsoft Picture It! Library

Microsoft Digital Image Pro 7.0

Microsoft Platform SDK Redistributable: GDI+

Microsoft Visual FoxPro Runtime Library 8.0

GOST 34.19-2001 Standard Implementation 1.1

Microsoft .NET Framework SDK 1.0

Microsoft Office 2003 0

Microsoft Digital Image Pro 9.0

Microsoft Windows Server 2003 Datacenter Edition

Microsoft Windows XP 64-bit Edition SP1

Microsoft Visual Studio .NET 2003

Microsoft Visio 2003 Professional

Microsoft Windows Server 2003 Enterprise Edition

Microsoft Visual FoxPro 8.0

Microsoft Producer for Microsoft Office PowerPoint

Microsoft Project 2003

Microsoft Visio 2002 Professional SP2

Microsoft Windows Server 2003 Web Edition

Microsoft Windows XP Home

Microsoft Visual Studio .NET 2002

Microsoft Windows XP Home SP1

Microsoft Office XP SP2

Microsoft Windows Server 2003 Enterprise Edition Itanium 0

Microsoft Internet Explorer 6.0 SP1

Microsoft Windows Server 2003 Standard Edition

Microsoft Windows XP 64-bit Edition Version 2003

GOST 34.19-2001 Standard Implementation 1.0 SP2

Microsoft Windows XP 64-bit Edition

Microsoft Visio 2002 Standard SP2

Microsoft .NET Framework SDK 1.0 SP1

Microsoft Visio 2003 Standard

Microsoft Picture It! 9.0

Microsoft .NET Framework SDK 1.0 SP2

Microsoft Windows XP Professional

Microsoft Picture It! 7.0

Microsoft Windows XP Professional SP1

Microsoft Windows Messenger 5.0

Microsoft Windows Server 2003 Datacenter Edition Itanium 0

Business Objects Crystal Reports 10.0

Business Objects Crystal Enterprise 10.0







 

Privacy Statement
Copyright 2008, SecurityFocus