CVE-2010-3970

22.12.2010, 21:00

Stack-based buffer overflow in the CreateSizedDIBSECTION function in shimgvw.dll in the Windows Shell graphics processor (aka graphics rendering engine) in Microsoft Windows XP SP2 and SP3, Server 2003 SP2, Vista SP1 and SP2, and Server 2008 Gold and SP2 allows remote attackers to execute arbitrary code via a crafted .MIC or unspecified Office document containing a thumbnail bitmap with a negative biClrUsed value, as reported by Moti and Xu Hao, aka "Windows Shell Graphics Processing Overrun Vulnerability."

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.3 UNKNOWN	NETWORK	MEDIUM		AV:N/AC:M/Au:N/C:C/I:C/A:C
microsoft	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 99%

Vendor	Product	Version
microsoft	windows_server_2003	*
microsoft	windows_server_2008	*
microsoft	windows_server_2008	*
microsoft	windows_server_2008	*
microsoft	windows_server_2008	*
microsoft	windows_server_2008	*
microsoft	windows_server_2008	-
microsoft	windows_vista	*
microsoft	windows_vista	*
microsoft	windows_xp	*
microsoft	windows_xp	-

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

References

http://blogs.technet.com/b/srd/archive/2011/01/07/assessing-the-risk-of-public-issues-currently-being-tracked-by-the-msrc.aspx

http://secunia.com/advisories/42779

http://www.kb.cert.org/vuls/id/106516

http://www.metasploit.com/redmine/projects/framework/repository/revisions/11466/entry/modules/exploits/windows/fileformat/ms11_xxx_createsizeddibsection.rb

http://www.microsoft.com/technet/security/advisory/2490606.mspx

http://www.powerofcommunity.net/speaker.html

http://www.securityfocus.com/bid/45662

http://www.securitytracker.com/id?1024932

http://www.vupen.com/english/advisories/2011/0018

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-006

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11671

http://blogs.technet.com/b/srd/archive/2011/01/07/assessing-the-risk-of-public-issues-currently-being-tracked-by-the-msrc.aspx

http://secunia.com/advisories/42779

http://www.kb.cert.org/vuls/id/106516

http://www.metasploit.com/redmine/projects/framework/repository/revisions/11466/entry/modules/exploits/windows/fileformat/ms11_xxx_createsizeddibsection.rb

http://www.microsoft.com/technet/security/advisory/2490606.mspx

http://www.powerofcommunity.net/speaker.html

http://www.securityfocus.com/bid/45662

http://www.securitytracker.com/id?1024932

http://www.vupen.com/english/advisories/2011/0018

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-006

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11671