O-213: Windows Buffer Overrun in JPEG Processing Could Allow Code Execution

REVISION HISTORY:
09/23/04 - Microsoft added Office XP Service Pack 2 to their list of affected
           products.
10/13/04 - Microsoft has revised the security updates for Office XP, Visio 2002, 
           and Project 2002 customers that are using Windows XP Service pack 2 
		   and the Knowledge Base Article 833987 and 886988. See their bulletin 
		   for more information for these updates.
   
   
   
[***** Start Microsoft Security Bulletin MS04-028 *****]

Microsoft Security Bulletin MS04-028

Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)

Issued: September 14, 2004
Updated: October 12, 2004
Version: 2.0

Summary

Who should read this document: Customers who use any of the affected operating 
systems, affected software programs, or affected components.

Impact of Vulnerability:  Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the update immediately.

Security Update Replacement: None

Caveats: If you have installed any of the affected programs or affected components listed in this 
bulletin, you should install the required security update for each of the affected programs or affected 
components. This may require the installation of multiple security updates. See the FAQ section of this 
bulletin for more information.

Microsoft Knowledge Base Article 833987 documents the currently known issues that customers may experience 
when they install this security update. The article also documents recommended solutions for these issues. 
For more information, see Microsoft Knowledge Base Article 833987 or the FAQ section of this security 
bulletin. 


Tested Software and Security Update Download Locations:

Affected Software: 

• Microsoft Windows XP and Microsoft Windows XP Service Pack 1 – Download the update
 
• Microsoft Windows XP 64-Bit Edition Service Pack 1 – Download the update
 
• Microsoft Windows XP 64-Bit Edition Version 2003 – Download the update
 
• Microsoft Windows Server™ 2003 – Download the update
 
• Microsoft Windows Server 2003 64-Bit Edition – Download the update
 
• Microsoft Office XP Service Pack 3 – Download the update

• Microsoft Office XP Service Pack 2 – Download the update

Microsoft Office XP Service Pack Software:

• Outlookฎ 2002 
 
• Word 2002
 
• Excel 2002
 
• PowerPointฎ 2002 
 
• FrontPageฎ 2002
 
• Publisher 2002
 
• Access 2002

• Microsoft Office 2003 – Download the update

Microsoft Office 2003 Software:

• Outlookฎ 2003 
 
• Word 2003
 
• Excel 2003
 
• PowerPointฎ 2003 
 
• FrontPageฎ 2003
 
• Publisher 2003

• Access 2003
 
• InfoPath™ 2003 
 
• OneNote™ 2003
 
 
• Microsoft Project 2002 Service Pack 1 (all versions) – Download the update
 
• Microsoft Project 2003 (all versions) – Download the update
 
• Microsoft Visio 2002 Service Pack 2 (all versions) – Download the update
 
• Microsoft Visio 2003 (all versions) – Download the update
 
• Microsoft Visual Studio .NET 2002 – Download the update

Microsoft Visual Studio .NET 2002 Software:

• Visual Basic .NET Standard 2002
 
• Visual C# .NET Standard 2002
 
• Visual C++ .NET Standard 2002
 
 
• Microsoft Visual Studio .NET 2003 – Download the update

Microsoft Visual Studio .NET 2003 Software:

• Visual Basic .NET Standard 2003
 
• Visual C# .NET Standard 2003
 
• Visual C++ .NET Standard 2003
 
• Visual J# .NET Standard 2003
 
 
• The Microsoft .NET Framework version 1.0 SDK Service Pack 2 – Download the update
 
• Microsoft Picture It!ฎ 2002 (all versions) – Download the update
 
• Microsoft Greetings 2002 – Download the update
 
• Microsoft Picture It! version 7.0 (all versions) – Download the update
 
• Microsoft Digital Image Pro version 7.0 – Download the update
 
• Microsoft Picture It! version 9 (All Versions, including Picture It! Library) – Download the update
 
• Microsoft Digital Image Pro version 9 – Download the update
 
• Microsoft Digital Image Suite version 9 – Download the update
 
• Microsoft Producer for Microsoft Office PowerPoint (all versions) – Download the update
 
• Microsoft Platform SDK Redistributable: GDI+ - Download the update
 

Office Users Note Office XP Service Pack 2 and Office XP Service 
Pack 3 are both vulnerable to this issue. However the security update 
for Office XP Service Pack 2 is only provided as part of the Office 
XP administrative security update. For more information, see the 
Security Update Information section. Office 2003 Service Pack 1, 
Visio 2003 Service Pack 1, and Project 2003 Service Pack 1 contain 
an updated version of the affected component and are not affected. 
Customers that have installed these service packs do not need to 
install the available security updates for these products.

MSN 9 Users Note MSN 9 distributes Picture It! Express version 9 and Picture It! 
Library. You have the option to install these programs when you install MSN 9. 
You should install the Picture It! version 9 update only if you installed Picture 
It! Express version 9 or Picture It! Library when you installed MSN 9.

Affected Components:

• Internet Explorer 6 Service Pack 1 - Download the update
 
• The Microsoft .NET Framework version 1.0 Service Pack 2 – Download the update
 
• The Microsoft .NET Framework version 1.1 – Download the update

• Windows Journal Viewer - Download the update (KB886179) 

Non-Affected Software

• Microsoft Windows NT Server 4.0 Service Pack 6a
 
• Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
 
• Microsoft Windows 2000 Service Pack 3, Microsoft Windows 2000 Service Pack 4
 
• Microsoft Windows XP Service Pack 2
 
• Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft 
  Windows Millennium Edition (Me)
 
• Microsoft Office 2003 Service Pack 1
 
• Microsoft Office 2000
 
• Microsoft Visio 2003 Service Pack 1
 
• Microsoft Visio 2000
 
• Microsoft Project 2003 Service Pack 1
 
• Microsoft Project 2000
 
• Microsoft Digital Image Suite 10, Microsoft Digital Image Pro 10, Picture It! Premium 10
 
• The Microsoft.NET Framework version 1.1 SDK

• Microsoft Works (all versions)

• Microsoft Systems Management Server (all versions)

• Microsoft SQL Server Reporting Services

• Microsoft Broadband Networking

Non-Affected Components:

• Internet Explorer 5.01 Service Pack 3 on Windows 2000 Service Pack 3
 
• Internet Explorer 5.01 Service Pack 4 on Windows 2000 Service Pack 4
 
• Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium Edition
 
• The Microsoft .NET Framework version 1.0 Service Pack 3
 
• The Microsoft .NET Framework version 1.1 Service Pack 1
 
• The Microsoft .NET Framework version 1.1 Service Pack 1 for Windows Server 2003
 

Note The non-affected versions of Windows do not natively contain the vulnerable 
component. However, the vulnerable component is installed on these non-affected 
operating systems when you install any of the software programs or components 
that are listed in the Affected Software and Affected Components sections of 
this bulletin. See the FAQ section of this bulletin for more information. 

The software in this list has been tested to determine if the versions are 
affected. Other versions either no longer include security update support or 
may not be affected. To determine the support lifecycle for your product and 
version, visit the following Microsoft Support Lifecycle Web site.

General Information

Executive Summary:

This update resolves a newly-discovered, privately reported vulnerability. A buffer 
overrun vulnerability exists in the processing of JPEG image formats that could 
allow remote code execution on an affected system. The vulnerability is documented 
in this bulletin in its own section.

If a user is logged on with administrator privileges, an attacker who successfully 
exploited this vulnerability could take complete control of an affected system, 
including installing programs; viewing, changing, or deleting data; or creating 
new accounts with full privileges. Users whose accounts are configured to have 
fewer privileges on the system would be at less risk than users who operate 
with administrative privileges.

Microsoft recommends that customers apply the update immediately.

Severity Ratings and Vulnerability Identifier:

Vulnerability Identifier - JPEG Vulnerability - CAN-2004-0200
Impact of Vulnerability -  Remote Code Execution
Outlook (Versions 2002 and 2003)  - Critical 
Internet Explorer 6 Service Pack 1 - Critical 
Windows XP, Windows XP Service Pack 1, Windows Server 2003 - Critical 
.NET Framework 1.0, Service Pack 2, .NET Framework 1.1 - Critical 
Other Affected Software and Affected Components Listed Earlier - Important

This assessment is based on the types of systems that are affected by the vulnerability, their 
typical deployment patterns, and the effect that exploiting the vulnerability would have on them.


Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

• Nick DeBaggis for reporting the JPEG Vulnerability (CAN-2004-0200).
 

Obtaining Other Security Updates:

Updates for other security issues are available from the following locations:

• Security updates are available from the Microsoft Download Center: You can 
  find them most easily by doing a keyword search for "security_patch".
 
• Updates for consumer platforms are available from the Windows Update Web site. 
 

Support: 

• Customers in the U.S. and Canada can receive technical support from Microsoft 
  Product Support Services at 1-866-PCSAFETY. There is no charge for support 
  calls that are associated with security updates.
 
• International customers can receive support from their local Microsoft 
  subsidiaries. There is no charge for support that is associated with security 
  updates. For more information about how to contact Microsoft for support issues, 
  visit the International Support Web site.
 

Security Resources: 

• The Microsoft TechNet Security Web site provides additional information about 
  security in Microsoft products. 
 
• Microsoft Software Update Services
 
• Microsoft Baseline Security Analyzer (MBSA) 
 
• 
Windows Update 

 
• Windows Update Catalog: For more information about the Windows Update Catalog, 
  see Microsoft Knowledge Base Article 323166.
 
• Office Update 
 

Software Update Services:

By using Microsoft Software Update Services (SUS), administrators can quickly and 
reliably deploy the latest critical updates and security updates to Windows 2000 
and Windows Server 2003-based servers, and to desktop systems that are running 
Windows 2000 Professional or Windows XP Professional.

For more information about how to deploy this security update with Software Update 
Services, visit the Software Update Services Web site. 

Systems Management Server:

Microsoft Systems Management Server (SMS) delivers a highly-configurable enterprise 
solution for managing updates. By using SMS, administrators can identify 
Windows-based systems that require security updates and to perform controlled 
deployment of these updates throughout the enterprise with minimal disruption 
to end users. For more information about how administrators can use SMS 2003 
to deploy security updates, see the SMS 2003 Security Patch Management Web 
site. SMS 2.0 users can also use Software Updates Service Feature Pack to help 
deploy security updates. For information about SMS, visit the SMS Web site.

Note SMS uses the Microsoft Baseline Security Analyzer and the Microsoft Office 
Detection Tool to provide broad support for security bulletin update detection 
and deployment. Some software updates may not be detected by these tools. 
Administrators can use the inventory capabilities of the SMS in these cases 
to target updates to specific systems. For more information about this 
procedure, see the following Web site. Some security updates require 
administrative rights following a restart of the system. Administrators 
can use the Elevated Rights Deployment Tool (available in the 
SMS 2003 Administration Feature Pack and in the SMS 2.0 Administration Feature Pack) 
to install these updates.

Disclaimer: 

The information provided in the Microsoft Knowledge Base is provided "as is" 
without warranty of any kind. Microsoft disclaims all warranties, either 
express or implied, including the warranties of merchantability and fitness 
for a particular purpose. In no event shall Microsoft Corporation or its suppliers 
be liable for any damages whatsoever including direct, indirect, 
incidental, consequential, loss of business profits or special damages, 
even if Microsoft Corporation or its suppliers have been advised of the 
possibility of such damages. Some states do not allow the exclusion or 
limitation of liability for consequential or incidental damages so the 
foregoing limitation may not apply.

Revisions: 

• V1.0 (September 14, 2004): Bulletin published
 
• V1.1 (September 15, 2004): Affected and Non-Affected Software Sections 
  updated. Office XP Service Pack 2 is affected and this has been clarified. 
  The .NET Framework 1.1 SDK and MS Works (all versions) are not affected 
  and have been added to the Non Affected Software Section. FAQ’s have also
  been updated to provide additional information about this issue.
 
• V1.2 (September 21, 2004): Affected and Non-Affected Software Sections 
  updated. Updated Security Update Information Sections for Office XP, 
  Visio 2002, Project 2002, .NET Framework 1.0 and .NET Framework 1.1. 
  FAQ’s have also been updated to provide additional information about 
  this issue.
 
• V2.0 (October 12, 2004): Bulletin updated to advise on the availability 
  of revised security updates for Office XP, Visio 2002, and Project 2002 
  customers that are using Windows XP Service Pack 2. Microsoft Knowledge 
  Base Article 833987 documents the currently known issues that customers 
  may experience when installing these security updates. The article also 
  documents recommended solutions for these issues. Microsoft has also 
  released the MS04-028 Enterprise Update Scanning Tool to help customers 
  detect and deploy the required updates. For more information about the 
  MS04-028 Enterprise Update Scanning Tool, see Microsoft Knowledge Base 
  Article 886988. We have released an update for Windows 2000-based systems 
  that have installed the Windows Journal Viewer. The bulletin has also been 
  updated with a new FAQ that addresses questions regarding the Visio 2002 
  Viewer, Visio 2003 Viewer, and PowerPoint 2003 Viewer programs.

 

[***** End Microsoft Security Bulletin MS04-028 *****]

    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@ciac.org
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org