Overview: eEye Digital Security has discovered a heap overflow vulnerability in the way the Windows Graphical Device Interface (GDI) processes Windows enhanced metafile images (file extensions EMF and WMF). An attacker could send a malicious metafile to a victim of his choice over any of a variety of media -- such as HTML e-mail, a link to a web page, a metafile-bearing Microsoft Office document, or a chat message -- in order to execute code on that user's system at the user's privilege level. Technical Details: The Windows metafile rendering code in GDI32.DLL contains a number of integer overflow flaws in its processing of EMF/WMF file data that lead to exploitable heap overflows through any number of specially crafted metafile structures. For example, the following disassembly from MRBP16::bCheckRecord demonstrates a size calculation that is susceptible to integer overflow and as a result may pass validation with a dangerous value: 77F6C759 mov edx, [ecx+18h] ; malicious count (e.g., 8000000Dh) 77F6C75C mov eax, [ecx+4] ; heap allocation size ... 77F6C764 lea edx, [edx*4+1Ch] ; EDX >= 3FFFFFF9h: integer overflow 77F6C76B cmp edx, eax ; validation check 77F6C76D jnz 77F6C77F Protection: Retina Network Security Scanner has been updated to identify this vulnerability. Blink - Endpoint Vulnerability Prevention - preemptively protects from this vulnerability. Vendor Status: Microsoft has released a patch for this vulnerability. The patch is available at: http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx Credit: Discovery: Fang Xing Related Links: Retina Network Security Scanner - Free Trial Blink Endpoint Vulnerability Prevention - Free Trial Retina Network Security Scanner - Japanese Edition- http://www.sse.co.jp/eeye/index.html Greetings: Thanks Derek and and eEye guys helped me write this advisory. Greeting xfocus guys and venustech lab guys.