ID CVE-2008-3013
Summary gdiplus.dll in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, Office XP SP3, Office 2003 SP2 and SP3, 2007 Microsoft Office System Gold and SP1, Visio 2002 SP2, PowerPoint Viewer 2003, Works 8, Digital Image Suite 2006, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2, Report Viewer 2005 SP1 and 2008, and Forefront Client Security 1.0 allows remote attackers to execute arbitrary code via a malformed GIF image file containing many extension markers for graphic control extensions and subsequent unknown labels, aka "GDI+ GIF Parsing Vulnerability."
References
Vulnerable Configurations
  • cpe:2.3:a:microsoft:digital_image_suite:2006:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:digital_image_suite:2006:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:forefront_client_security:1.0:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:forefront_client_security:1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:ie:6:sp1:*:*:*:*:*:*
    cpe:2.3:a:microsoft:ie:6:sp1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:office:2003:sp2:*:*:*:*:*:*
    cpe:2.3:a:microsoft:office:2003:sp2:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:office:2003:sp3:*:*:*:*:*:*
    cpe:2.3:a:microsoft:office:2003:sp3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:office:2007:*:gold:*:*:*:*:*
    cpe:2.3:a:microsoft:office:2007:*:gold:*:*:*:*:*
  • cpe:2.3:a:microsoft:office:2007:sp1:*:*:*:*:*:*
    cpe:2.3:a:microsoft:office:2007:sp1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:office:xp:sp3:*:*:*:*:*:*
    cpe:2.3:a:microsoft:office:xp:sp3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:powerpoint_viewer:2003:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:powerpoint_viewer:2003:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:report_viewer:2005:sp1:*:*:*:*:*:*
    cpe:2.3:a:microsoft:report_viewer:2005:sp1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:report_viewer:2008:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:report_viewer:2008:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:sql_server:2005:sp2:*:*:*:*:*:*
    cpe:2.3:a:microsoft:sql_server:2005:sp2:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:sql_server_reporting_services:2000:sp2:*:*:*:*:*:*
    cpe:2.3:a:microsoft:sql_server_reporting_services:2000:sp2:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:visio:2002:sp2:*:*:*:*:*:*
    cpe:2.3:a:microsoft:visio:2002:sp2:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:works:8.0:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:works:8.0:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2008:-:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_server_2008:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_vista:*:gold:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_vista:*:gold:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_xp:*:sp2:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_xp:*:sp2:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_xp:*:sp3:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_xp:*:sp3:*:*:*:*:*:*
CVSS
Base: 9.3 (as of 30-10-2018 - 16:25)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
cvss-vector via4 AV:N/AC:M/Au:N/C:C/I:C/A:C
oval via4
accepted 2014-06-30T04:11:11.749-04:00
class vulnerability
contributors
  • name Sudhir Gandhe
    organization Secure Elements, Inc.
  • name Todd Dolinsky
    organization Hewlett-Packard
  • name Mike Lah
    organization The MITRE Corporation
  • name Mike Lah
    organization The MITRE Corporation
  • name Pradeep R B
    organization SecPod Technologies
  • name Dragos Prisaca
    organization Symantec Corporation
  • name Josh Turpin
    organization Symantec Corporation
  • name Shane Shaffer
    organization G2, Inc.
  • name Sharath S
    organization SecPod Technologies
  • name Maria Kedovskaya
    organization ALTX-SOFT
  • name Maria Kedovskaya
    organization ALTX-SOFT
  • name Maria Mikhno
    organization ALTX-SOFT
definition_extensions
  • comment Microsoft Internet Explorer 6 is installed
    oval oval:org.mitre.oval:def:563
  • comment Microsoft Windows 2000 SP4 or later is installed
    oval oval:org.mitre.oval:def:229
  • comment Microsoft Windows XP (x86) SP2 is installed
    oval oval:org.mitre.oval:def:754
  • comment Microsoft Windows XP (x86) SP3 is installed
    oval oval:org.mitre.oval:def:5631
  • comment Microsoft Windows Server 2003 SP2 (x86) is installed
    oval oval:org.mitre.oval:def:1935
  • comment Microsoft Windows XP x64 Edition SP2 is installed
    oval oval:org.mitre.oval:def:4193
  • comment Microsoft Windows Server 2003 SP2 (x64) is installed
    oval oval:org.mitre.oval:def:2161
  • comment Microsoft Windows Server 2003 SP1 (x86) is installed
    oval oval:org.mitre.oval:def:565
  • comment Microsoft Windows XP Professional x64 Edition SP1 is installed
    oval oval:org.mitre.oval:def:720
  • comment Microsoft Windows Server 2003 SP1 (x64) is installed
    oval oval:org.mitre.oval:def:4386
  • comment Microsoft Windows Server 2003 SP1 for Itanium is installed
    oval oval:org.mitre.oval:def:1205
  • comment Microsoft Windows Vista (32-bit) is installed
    oval oval:org.mitre.oval:def:1282
  • comment Microsoft Windows Vista x64 Edition is installed
    oval oval:org.mitre.oval:def:2041
  • comment Microsoft Windows Vista (32-bit) Service Pack 1 is installed
    oval oval:org.mitre.oval:def:4873
  • comment Microsoft Windows Server 2008 (32-bit) is installed
    oval oval:org.mitre.oval:def:4870
  • comment Microsoft Windows Server 2008 (64-bit) is installed
    oval oval:org.mitre.oval:def:5356
  • comment Microsoft Windows Server 2008 (ia-64) is installed
    oval oval:org.mitre.oval:def:5667
  • comment Microsoft Windows Vista x64 Edition Service Pack 1 is installed
    oval oval:org.mitre.oval:def:5254
  • comment Microsoft Office XP is installed
    oval oval:org.mitre.oval:def:663
  • comment Microsoft Office 2003 is installed
    oval oval:org.mitre.oval:def:233
  • comment Microsoft Office 2007 is installed
    oval oval:org.mitre.oval:def:1211
  • comment Microsoft Office Visio 2002 SP2 is installed
    oval oval:org.mitre.oval:def:692
  • comment Microsoft PowerPoint Viewer is installed
    oval oval:org.mitre.oval:def:6014
  • comment Microsoft SQL Server 2005 is installed
    oval oval:org.mitre.oval:def:6082
  • comment Microsoft SQL Server 2005 SP2 is installed
    oval oval:org.mitre.oval:def:8397
description gdiplus.dll in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, Office XP SP3, Office 2003 SP2 and SP3, 2007 Microsoft Office System Gold and SP1, Visio 2002 SP2, PowerPoint Viewer 2003, Works 8, Digital Image Suite 2006, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2, Report Viewer 2005 SP1 and 2008, and Forefront Client Security 1.0 allows remote attackers to execute arbitrary code via a malformed GIF image file containing many extension markers for graphic control extensions and subsequent unknown labels, aka "GDI+ GIF Parsing Vulnerability."
family windows
id oval:org.mitre.oval:def:5986
status accepted
submitted 2008-09-09T13:58:00
title GDI+ GIF Parsing Vulnerability
version 69
refmap via4
bid 31020
bugtraq 20080909 ZDI-08-056: Microsoft Windows GDI+ GIF Parsing Code Execution Vulnerability
cert TA08-253A
hp
  • HPSBST02372
  • SSRT080133
misc
sectrack 1020836
secunia 32154
vupen
  • ADV-2008-2520
  • ADV-2008-2696
Last major update 30-10-2018 - 16:25
Published 11-09-2008 - 01:11
Last modified 30-10-2018 - 16:25
Back to Top