
Microsoft Color Management Module Vulnerability Protection (MS05-036)

Attack ID: CPAI-2005-124
Publish Date:
Category: Remote Code Execution
Vulnerable Systems:
  Microsoft Windows 2000 SP4
  Microsoft Windows XP SP1 and SP2
  Microsoft Windows XP Professional x64 Edition
  Microsoft Windows Server 2003
  Microsoft Windows Server 2003 SP1
  Microsoft Windows Server 2003 for Itanium-based Systems
  Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
  Microsoft Windows Server 2003 x64 Edition
Source:
  Microsoft Security Bulletin MS05-036
  Microsoft Security Bulletin MS05-038
Description:

Several vulnerabilities have been identified in the way Microsoft operating systems handle image formats. One of them lies in the Microsoft Color Management Module, which lets the operating system provide consistent color mappings between different devices and applications. A flaw in the way the Color Management Module handles certain image formats, including JPEG and TIFF, allows remote attackers to execute arbitrary code on a vulnerable system. It can be exploited by convincing a user to view an image containing a maliciously crafted ICC profile tag, for example on a web page or in an HTML e-mail message.

A vulnerability was also detected in the rendering of crafted JPEG images by Internet Explorer 5.0, 5.5, and 6.0. A remote attacker can execute arbitrary code via a web site or an HTML e-mail containing a crafted JPEG image.

Severity:
Details:

The color management vulnerability is caused by a boundary condition error in the parsing of ICC (International Color Consortium) profile tags in various file formats. The International Color Consortium is an organization whose purpose is to provide a standard by which vendors can implement color management and ensure cross-vendor compatibility.

Certain file types, such as JPEG, allow a color profile tag to be embedded within the file data in order to specify the ICC profile associated with the file or device. An attacker may be able to craft an image file with an embedded ICC profile tag that triggers a buffer overflow because the tag is not adequately validated.
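The boundary check the two paragraphs above describe, as an added example that is neither Check Point's SmartDefense code nor Microsoft's parser: a Python script that reassembles the ICC profile from a JPEG's APP2 "ICC_PROFILE" segments and then verifies that every entry in the profile's tag table (offset and size) lies inside the profile it was read from, which is exactly the validation a vulnerable parser skips. The sample JPEGs are constructed inside the script, and the helper names (iter_jpeg_segments, extract_icc_profile, check_icc_profile, scan_jpeg and the builders) are my own.

```python
# Added example: validate ICC profile tags embedded in a JPEG (defensive check).
import struct

ICC_PROFILE_ID = b"ICC_PROFILE\x00"   # APP2 identifier for embedded profiles
ICC_HEADER_LEN = 128                  # fixed-size ICC profile header
TAG_ENTRY_LEN = 12                    # signature(4) + offset(4) + size(4)


def iter_jpeg_segments(data: bytes):
    """Yield (marker, payload) for each marker segment before SOS or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker byte at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):            # EOI, or SOS (scan data follows)
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"segment 0x{marker:02X}: length {length} runs past end of file")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def extract_icc_profile(data: bytes):
    """Reassemble the ICC profile split over APP2 chunks; None if there is none."""
    chunks, total = {}, None
    for marker, payload in iter_jpeg_segments(data):
        if marker != 0xE2 or not payload.startswith(ICC_PROFILE_ID):
            continue
        if len(payload) < len(ICC_PROFILE_ID) + 2:
            raise ValueError("APP2 ICC_PROFILE segment too short for chunk numbers")
        seq, count = payload[12], payload[13]      # 1-based chunk number, chunk total
        if seq == 0 or count == 0 or seq > count or seq in chunks:
            raise ValueError(f"bad ICC chunk numbering {seq}/{count}")
        if total not in (None, count):
            raise ValueError("ICC chunks disagree on the total chunk count")
        total = count
        chunks[seq] = payload[14:]
    if total is None:
        return None
    if len(chunks) != total:
        raise ValueError(f"only {len(chunks)} of {total} ICC chunks present")
    return b"".join(chunks[i] for i in range(1, total + 1))


def check_icc_profile(profile: bytes):
    """Return a list of findings; an empty list means every tag is in bounds."""
    findings = []
    if len(profile) < ICC_HEADER_LEN + 4:
        return ["profile shorter than header plus tag count"]
    declared = struct.unpack(">I", profile[:4])[0]
    if profile[36:40] != b"acsp":
        findings.append("missing 'acsp' profile signature")
    if declared != len(profile):
        findings.append(f"header size {declared} != actual size {len(profile)}")
    tag_count = struct.unpack(">I", profile[ICC_HEADER_LEN:ICC_HEADER_LEN + 4])[0]
    table_end = ICC_HEADER_LEN + 4 + tag_count * TAG_ENTRY_LEN
    if table_end > len(profile):
        findings.append(f"tag count {tag_count} overruns the profile")
        return findings
    for i in range(tag_count):
        entry = ICC_HEADER_LEN + 4 + i * TAG_ENTRY_LEN
        sig, off, size = struct.unpack(">4sII", profile[entry:entry + TAG_ENTRY_LEN])
        # Python ints never wrap, so offset + size is compared without the
        # 32-bit overflow that makes this check easy to get wrong in C.
        if off < table_end or off + size > len(profile):
            findings.append(f"tag {sig.decode('latin-1')!r}: offset {off} size {size} "
                            f"outside profile of {len(profile)} bytes")
    return findings


def scan_jpeg(data: bytes):
    """Findings for the JPEG's ICC profile; [] when clean or no profile present."""
    profile = extract_icc_profile(data)
    return [] if profile is None else check_icc_profile(profile)


# --- constructed sample data (built here, not real files) ----------------------

def build_profile(tags):
    """Build a minimal well-formed ICC profile from (signature, payload) pairs."""
    table = struct.pack(">I", len(tags))
    data_start = ICC_HEADER_LEN + 4 + TAG_ENTRY_LEN * len(tags)
    body = b""
    for sig, payload in tags:
        table += struct.pack(">4sII", sig, data_start + len(body), len(payload))
        body += payload + b"\x00" * (-len(payload) % 4)    # keep 4-byte alignment
    header = bytearray(ICC_HEADER_LEN)
    struct.pack_into(">I", header, 0, data_start + len(body))
    header[36:40] = b"acsp"
    return bytes(header) + table + body


def build_jpeg_with_icc(profile: bytes, chunk_size: int = 65519) -> bytes:
    """Wrap a profile in SOI + APP2 ICC_PROFILE chunks + EOI (no image data)."""
    pieces = [profile[i:i + chunk_size] for i in range(0, len(profile), chunk_size)]
    out = bytearray(b"\xff\xd8")
    for n, piece in enumerate(pieces, start=1):
        payload = ICC_PROFILE_ID + bytes([n, len(pieces)]) + piece
        out += b"\xff\xe2" + struct.pack(">H", len(payload) + 2) + payload
    return bytes(out + b"\xff\xd9")


def with_tag_size(profile: bytes, index: int, size: int) -> bytes:
    """Copy of profile with one tag's declared size replaced (models a bad tag)."""
    bad = bytearray(profile)
    struct.pack_into(">I", bad, ICC_HEADER_LEN + 4 + index * TAG_ENTRY_LEN + 8, size)
    return bytes(bad)


GOOD_PROFILE = build_profile([(b"desc", bytes(16)), (b"wtpt", bytes(20))])
GOOD_JPEG = build_jpeg_with_icc(GOOD_PROFILE, chunk_size=64)        # 3 APP2 chunks
BAD_JPEG = build_jpeg_with_icc(with_tag_size(GOOD_PROFILE, 0, 0x7FFFFFF0))

if __name__ == "__main__":
    for name, img in (("good", GOOD_JPEG), ("bad", BAD_JPEG)):
        print(name, scan_jpeg(img) or "ok")
```

The bad sample keeps a valid header and tag count and only inflates one tag's size, which is the shape of input a filter for "malformed ICC profile tags" has to catch: the file looks like a normal JPEG until the tag table is cross-checked against the profile length.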

The JPEG rendering vulnerability is present when Internet Explorer displays a specially formed JPEG image. This may corrupt system memory in such a way that an attacker could execute arbitrary code.

Attack Detection:

Users of VPN-1 NG with Application Intelligence R55 and R55W, users of VPN-1 NGX R60 and users of InterSpect who have applied the solution outlined below will identify the attack by the following log entries:

Attack Name: JPEG Content Protection Violation
Attack Information:
Malformed ICC Profile Tag found in JPEG file (MS05-036)
JPEG Rendering Buffer Overflow (MS05-038)

Users of VPN-1 NG with Application Intelligence R55 will receive rule 99805 on the SmartView Tracker screen.

Attack Name: TIFF Content Protection Violation
Attack Information: Malformed TIFF

Users of VPN-1 NG with Application Intelligence R55 will receive rule 9980 on the SmartView Tracker screen.

Solution:

Users of VPN-1 NG with Application Intelligence R55 and R55W, users of VPN-1 NGX R60 and users of InterSpect should update their SmartDefense by clicking Online Update (R55 - Update Now) in the SmartDashboard General window.

The Update protects against the color management vulnerability by blocking malformed ICC profile tags in JPEG and TIFF image files. It also adds protection against the processing of malformed, specially crafted JPEG images; that issue is addressed in MS05-038.

To enable the JPEG protection:

1. On the SmartDefense navigation tree, click Content Protection > Malformed JPEG.

2. Enable Block malformed ICC profile tags and Block JPEG Rendering Buffer Overflow (MS05-038).

3. Install security policy on all modules.

To enable the TIFF protection:

1. On the SmartDefense tree, click Content Protection > Malformed TIFF.

2. Install security policy on all modules.

Note: This protection is performance-intensive. Activating it may consume considerable system resources.

Industry Reference:

CAN-2005-1219
CAN-2005-1988

Additional Information:

Zone Labs Security Advisory

This Update also includes:
- Protection against CA BrightStor Backup Server (CPAI-2005-125)
- Protection against Remote Desktop Protocol (CPAI-2005-126)
- Protection against Direct Connect Peer to Peer Protection (CPAI-2005-127)