Sid 1-35848

Message

FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt

Summary

Integer overflow in the bitmap (BMP) decoder for Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allows remote attackers to execute arbitrary code via wide bitmap files that trigger heap-based buffer overflows.

Impact

CVE-2004-0904:

CVSS base score 10.0

CVSS impact score 10.0

CVSS exploitability score 10.0

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

CVE-2008-3015:

CVSS base score 9.3

CVSS impact score 10.0

CVSS exploitability score 8.6

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

Detailed information

CVE-2004-0904: Integer overflow in the bitmap (BMP) decoder for Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allows remote attackers to execute arbitrary code via wide bitmap files that trigger heap-based buffer overflows.

CVE-2008-3015: Integer overflow in gdiplus.dll in GDI+ in Microsoft Office XP SP3, Office 2003 SP2 and SP3, 2007 Microsoft Office System Gold and SP1, Visio 2002 SP2, PowerPoint Viewer 2003, Works 8, Digital Image Suite 2006, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2, Report Viewer 2005 SP1 and 2008, and Forefront Client Security 1.0 allows remote attackers to execute arbitrary code via a BMP image file with a malformed BitMapInfoHeader that triggers a buffer overflow, aka "GDI+ BMP Integer Overflow Vulnerability."
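The bug class both entries describe, shown as an added example that is not part of this rule's documentation or of any affected vendor's code: a BMP row stride computed in 32 bits wraps for a very wide image, while the hardened check widens to 64 bits and rejects the header before any allocation. Function names, error codes and the constructed 54-byte header are assumptions for illustration; the stride formula is the standard BMP 4-byte row alignment.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical error codes for this added example (negative = rejected). */
enum { BMP_TRUNCATED = -1, BMP_NOT_BMP = -2, BMP_BAD_DIMS = -3, BMP_SIZE_OVERFLOW = -4 };

static uint32_t rd32(const uint8_t *p) {   /* little-endian 32-bit read */
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) { /* little-endian 32-bit write */
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Bug class: row stride computed in 32 bits wraps for a very wide image. */
uint32_t stride_wrapped32(uint32_t width, uint32_t bpp) {
    return ((width * bpp + 31u) / 32u) * 4u;
}

/* Hardened: returns the pixel-array size in bytes, or a negative error code. */
int64_t bmp_pixel_bytes(const uint8_t *buf, size_t len) {
    if (len < 54) return BMP_TRUNCATED;          /* 14-byte file + 40-byte info header */
    if (buf[0] != 'B' || buf[1] != 'M') return BMP_NOT_BMP;
    int64_t width  = (int32_t)rd32(buf + 18);    /* biWidth */
    int64_t height = (int32_t)rd32(buf + 22);    /* biHeight, negative means top-down */
    uint32_t bpp   = buf[28] | (uint32_t)buf[29] << 8;  /* biBitCount */
    if (width <= 0 || height == 0) return BMP_BAD_DIMS;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32) return BMP_BAD_DIMS;
    uint64_t rows   = (uint64_t)(height < 0 ? -height : height);
    uint64_t stride = (((uint64_t)width * bpp + 31) / 32) * 4;  /* 64-bit math, cannot wrap */
    if (stride > UINT32_MAX || stride * rows > UINT32_MAX) return BMP_SIZE_OVERFLOW;
    return (int64_t)(stride * rows);
}

/* Builds a constructed 54-byte header (not a captured sample) and checks it. */
int64_t check_constructed(int32_t w, int32_t h, uint16_t bpp) {
    uint8_t hdr[54];
    memset(hdr, 0, sizeof hdr);
    hdr[0] = 'B'; hdr[1] = 'M';
    wr32(hdr + 14, 40); wr32(hdr + 18, (uint32_t)w); wr32(hdr + 22, (uint32_t)h);
    hdr[28] = (uint8_t)bpp; hdr[29] = (uint8_t)(bpp >> 8);
    return bmp_pixel_bytes(hdr, sizeof hdr);
}

int main(void) {
    printf("wrapped stride=%u wide=%lld normal=%lld\n", (unsigned)stride_wrapped32(0x40000001u, 32u),
           (long long)check_constructed(0x40000001, 1, 32), (long long)check_constructed(640, 480, 24));
    return 0;
}
```

A decoder that sized its row buffer from the 32-bit result would allocate a few bytes for a row that is gigabytes wide, which is the mismatch the hardened check refuses.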

Affected systems

  • mozilla firefox 0.8
  • mozilla firefox 0.9
  • mozilla firefox 0.9.1
  • mozilla firefox 0.9.2
  • mozilla firefox 0.9.3
  • mozilla mozilla 1.7
  • mozilla mozilla 1.7.1
  • mozilla mozilla 1.7.2
  • mozilla thunderbird 0.6
  • mozilla thunderbird 0.7
  • mozilla thunderbird 0.7.1
  • mozilla thunderbird 0.7.2
  • mozilla thunderbird 0.7.3
  • netscape navigator 7.0
  • netscape navigator 7.0.2
  • netscape navigator 7.1
  • netscape navigator 7.2
  • conectiva linux 9.0
  • conectiva linux 10.0
  • redhat enterprise_linux 2.1
  • redhat enterprise_linux 3.0
  • redhat enterpriselinuxdesktop 3.0
  • redhat fedoracore core1.0
  • redhat linux 7.3
  • redhat linux 9.0
  • redhat linuxadvancedworkstation 2.1
  • microsoft digitalimagesuite 2006
  • microsoft forefrontclientsecurity 1.0
  • microsoft office 2003
  • microsoft office 2007
  • microsoft office xp
  • microsoft officepowerpointviewer 2003
  • microsoft report_viewer 2005
  • microsoft report_viewer 2008
  • microsoft sql_server 2005
  • microsoft sqlserverreporting_services 2000
  • microsoft visio 2002
  • microsoft works 8.0

Ease of attack

CVE-2004-0904:

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

CVE-2008-3015:

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

False positives

None known

False negatives

None known

Corrective action

Upgrade to the latest non-affected version of the software.

Apply the appropriate vendor supplied patches.

Contributors

  • Talos research team.
  • This document was generated from data supplied by the National Vulnerability Database, a product of the National Institute of Standards and Technology.
  • For more information see NVD.

Additional References

  • bugzilla.mozilla.org/show_bug.cgi?id=255067
  • technet.microsoft.com/en-us/security/bulletin/MS08-052