CIS CYBER SECURITY ADVISORIES

MS-ISAC CYBER SECURITY ADVISORY NUMBER:
2013-061

DATE(S) ISSUED:
07/09/2013

SUBJECT:
Vulnerability in GDI+ Could Allow Remote Code Execution (MS13-054)

OVERVIEW:

A vulnerability has been discovered in the Microsoft Graphics Device Interface (GDI+). Microsoft Windows GDI+ enables various applications to display images. Microsoft GDI+ is installed by default on all Microsoft Windows operating systems.

Successful exploitation will result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, the attacker could then install programs; view, change, or delete data; or create new accounts with full privileges.

SYSTEMS AFFECTED:

  • Windows XP
  • Windows Server 2003
  • Windows Vista
  • Windows Server 2008
  • Windows 7
  • Windows 8
  • Windows Server 2012
  • Windows RT
  • Microsoft Office 2003-2010
  • Microsoft Visual Studio .NET 2003 SP1

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

DESCRIPTION:

Microsoft GDI+ is vulnerable to remote code execution. The vulnerability is caused by improper parsing of TrueType fonts (TTF) in shared content. It could be exploited if an attacker crafts a malicious file or website and convinces a user to download the file or open an attachment.

Successful exploitation will result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, the attacker could then install programs; view, change, or delete data; or create new accounts with full privileges.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Do not visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Do not open email attachments from unknown or untrusted sources.
  • Consider implementing file extension whitelists for allowed e-mail attachments.
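The following is an added example, not part of the MS-ISAC advisory or of any Microsoft tooling, showing one way a mail gateway or attachment scanner could apply the extension whitelist recommended above and, in addition, recognise TrueType/OpenType font data that arrives under an allowed extension. The allowed-extension set, the sample attachments and the build_font() fixture are constructed for illustration; the sfnt header layout (4-byte version tag, uint16 numTables, then 16-byte table records of tag, checksum, offset, length) is the standard TrueType table directory. The check inspects standalone attachments only; it does not locate fonts embedded inside documents or web pages.

```python
import struct

# Allowed attachment extensions: a constructed policy for this example.
ALLOWED_EXTENSIONS = {"pdf", "txt", "csv", "png", "jpg"}

# Version tags that begin a TrueType/OpenType font or font collection.
SFNT_MAGICS = {b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf"}


def parse_sfnt_tables(data: bytes):
    """Parse a TrueType offset table and table directory.

    Returns a list of (tag, offset, length) tuples when the data is an sfnt
    font, None when it does not start with a recognised sfnt tag, and raises
    ValueError when the directory is inconsistent with the file size.
    """
    if len(data) < 12 or data[:4] not in SFNT_MAGICS:
        return None
    if data[:4] == b"ttcf":
        # Font collection: report it as font content without walking sub-fonts.
        return []
    (num_tables,) = struct.unpack(">H", data[4:6])
    dir_end = 12 + 16 * num_tables
    if dir_end > len(data):
        raise ValueError("table directory exceeds file size")
    tables = []
    for i in range(num_tables):
        rec = data[12 + 16 * i : 12 + 16 * (i + 1)]
        tag, _checksum, offset, length = struct.unpack(">4sIII", rec)
        if offset + length > len(data):
            raise ValueError(f"table {tag!r} runs past end of file")
        tables.append((tag, offset, length))
    return tables


def extension_of(filename: str) -> str:
    # Lower-cased final component only, so "report.pdf.ttf" yields "ttf".
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'allow', 'block:extension', 'block:font-content' or
    'block:malformed-font' for one attachment."""
    if extension_of(filename) not in ALLOWED_EXTENSIONS:
        return "block:extension"
    try:
        tables = parse_sfnt_tables(data)
    except ValueError:
        return "block:malformed-font"
    if tables is not None:
        return "block:font-content"
    return "allow"


def build_font(tables):
    """Constructed test fixture: assemble a minimal sfnt image from
    (tag, payload) pairs. Real fonts also pad tables to 4-byte boundaries."""
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", len(tables), 0, 0, 0)
    directory = b""
    body = b""
    base = 12 + 16 * len(tables)
    for tag, payload in tables:
        directory += struct.pack(">4sIII", tag, 0, base + len(body), len(payload))
        body += payload
    return header + directory + body


# Constructed sample attachments.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
SAMPLE_FONT = build_font([(b"head", b"\x00" * 54), (b"glyf", b"\x01\x02")])

if __name__ == "__main__":
    for name, payload in [
        ("report.pdf", SAMPLE_PDF),          # allowed type, not a font
        ("invoice.ttf", SAMPLE_FONT),        # blocked by extension
        ("invoice.png", SAMPLE_FONT),        # font renamed to an allowed type
        ("invoice.png", SAMPLE_FONT[:-1]),   # truncated font, directory lies
    ]:
        print(f"{name:12s} -> {classify_attachment(name, payload)}")
```

Blocking on the extension alone is the recommendation as written; the content sniff is the extra step that catches a font renamed to a permitted extension, and the directory consistency check flags files whose declared tables do not fit in the file, which is worth a quarantine rather than silent delivery.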


REFERENCES:

Microsoft:

http://technet.microsoft.com/en-us/security/bulletin/ms13-054

CVE:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-3129