Microsoft Security Bulletin MS09-062 - Critical

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.
• By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See the FAQ subsection of this vulnerability section for more information about Internet Explorer Enhanced Security Configuration.
• The vulnerability could be exploited by an attacker who convinced a user to open a specially crafted file. There is no way for an attacker to force a user to open a specially crafted file.

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

• Disable metafile processing

  1. Click Start, click Run, type Regedit, and then click OK.

  2. Locate and then click the following registry subkey:

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize

  3. On the Edit menu, select New, and then click DWORD.

  4. Type DisableMetaFiles, and then press ENTER.

  5. On the Edit menu, click Modify to modify the DisableMetaFiles registry entry.

  6. In the Value data box, type 1, and then click OK.

  7. Exit Registry Editor.

  8. Reboot the computer.

  Impact of workaround. Metafile processing will stop working.

  How to undo the workaround.

  1. Click Start, click Run, type Regedit, and then click OK.

  2. Locate and then click the following registry subkey:

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize

  3. On the Edit menu, click Modify on the DisableMetaFiles registry entry.

  4. In the Value data box, type 0, and then click OK.

  5. Exit Registry Editor.

  6. Reboot the computer.

• Disable metafile processing through GPO

  1. Save the following to a file with a .REG extension (e.g. Disable_MetaFiles.reg):

  Windows Registry Editor Version 5.00

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize]

  "DisableMetaFiles"=dword:00000001

  2. Run the above registry script on the target machine with the following command from an administrator command prompt:

  Regedit.exe /s Disable_MetaFiles.reg

  3. Reboot the computer.

  Impact of workaround. Metafile processing will stop working.

• Restrict access to gdiplus.dll

  1. Run the following commands from an elevated administrator command prompt

  for /F "tokens=*" %G IN ('dir /b /s %windir%\Microsoft.NET\Framework\gdiplus.dll') DO cacls %G /E /P everyone:N
for /F "tokens=*" %G IN ('dir /b /s %windir%\winsxs\gdiplus.dll') DO cacls %G /E /P everyone:N
for /F "tokens=*" %G IN ('dir /b /s ^"%windir%\Downloaded Program Files\gdiplus.dll^"') DO cacls %G /E /P everyone:N
for /F "tokens=*" %G IN ('dir /b /s ^"%programfiles%\microsoft office\gdiplus.dll^"') DO cacls "%G" /E /P everyone:N
for /F "tokens=*" %G IN ('dir /b /s ^"%programfiles^(86^)%\microsoft office\gdiplus.dll^"') DO cacls "%G" /E /P everyone:N
cacls "%programfiles%\Common Files\Microsoft Shared\VFP\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Common Files\Microsoft Shared\VFP\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Microsoft Visual FoxPro 8\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Microsoft Visual FoxPro 8\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Microsoft Visual FoxPro 9\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Microsoft Visual FoxPro 9\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Microsoft Digital Image 2006\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Microsoft Digital Image 2006\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Common Files\Microsoft shared\Works Shared\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Common Files\Microsoft shared\Works Shared\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Microsoft Works\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Microsoft Works\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Common Files\Microsoft Shared\VGX\vgx.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Common Files\Microsoft Shared\VGX\vgx.dll" /E /P everyone:N

  2. Restart.

  Impact of workaround. Windows Picture and Fax Viewer (on editions prior to Windows Vista) and other applications that rely on GDI+ will not be able to view images. Also, thumbnails in Windows Explorer (on versions prior to Vista) will not display.

  How to undo the workaround.

  1. Run the following commands from an elevated administrator command prompt

  for /F "tokens=*" %G IN ('dir /b /s %windir%\Microsoft.NET\Framework\gdiplus.dll') DO cacls %G /E /R everyone
for /F "tokens=*" %G IN ('dir /b /s %windir%\winsxs\gdiplus.dll') DO cacls %G /E /R everyone
for /F "tokens=*" %G IN ('dir /b /s ^"%windir%\Downloaded Program Files\gdiplus.dll^"') DO cacls %G /E /R everyone
for /F "tokens=*" %G IN ('dir /b /s ^"%programfiles%\microsoft office\gdiplus.dll^"') DO cacls "%G" /E /R everyone
for /F "tokens=*" %G IN ('dir /b /s ^"%programfiles^(86^)%\microsoft office\gdiplus.dll^"') DO cacls "%G" /E /R everyone
cacls "%programfiles%\Common Files\Microsoft Shared\VFP\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Common Files\Microsoft Shared\VFP\gdiplus.dll" /E /R everyone
cacls "%programfiles%\Microsoft Visual FoxPro 8\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Microsoft Visual FoxPro 8\gdiplus.dll" /E /R everyone
cacls "%programfiles%\Microsoft Visual FoxPro 9\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Microsoft Visual FoxPro 9\gdiplus.dll" /E /R everyone
cacls "%programfiles%\Microsoft Digital Image 2006\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Microsoft Digital Image 2006\gdiplus.dll" /E /R everyone
cacls "%programfiles%\Common Files\Microsoft shared\Works Shared\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Common Files\Microsoft shared\Works Shared\gdiplus.dll" /E /R everyone
cacls "%programfiles%\Microsoft Works\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Microsoft Works\gdiplus.dll" /E /R everyone
cacls "%programfiles%\ Common Files\Microsoft Shared\VGX\vgx.dll" /E /R everyone
cacls "%programfiles(x86)%\ Common Files\Microsoft Shared\VGX\vgx.dll" /E /R everyone

  2. Restart.

• Unregister vgx.dll

  1. Click Start, click Run, type "%SystemRoot%\System32\regsvr32.exe" -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll", and then click OK.

  2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

  Impact of workaround. Applications that render VML will no longer do so once vgx.dll has been unregistered.

  How to undo the workaround.

  1. Click Start, click Run, type "%SystemRoot%\System32\regsvr32.exe" "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll", and then click OK.

  2. A dialog box appears to confirm that the registration process has succeeded. Click OK to close the dialog box.

• Prevent RSClientPrint from running in Internet Explorer

  You can disable attempts to instantiate RSClientPrint in Internet Explorer by setting the kill bit for the control in the registry.

  Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

  For detailed steps that you can use to prevent a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow these steps in this article to create a Compatibility Flags value in the registry to prevent RSClientPrint from being instantiated in Internet Explorer.

  Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.

  Windows Registry Editor Version 5.00

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{41861299-EAB2-4DCC-986C-802AE12AC499}]

  "Compatibility Flags"=dword:00000400

  [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{41861299-EAB2-4DCC-986C-802AE12AC499}]

  "Compatibility Flags"=dword:00000400

  You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy. For more information about Group Policy, visit the following Microsoft Web sites:

  • Group Policy collection
  • What is Group Policy Object Editor?
  • Core Group Policy tools and settings

  Note You must restart Internet Explorer for your changes to take effect.

  Impact of workaround. There is no impact as long as the object is not intended to be used in Internet Explorer.

  How to undo the workaround.

  Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.

  Windows Registry Editor Version 5.00

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{41861299-EAB2-4DCC-986C-802AE12AC499}]

  "Compatibility Flags"=-

  [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{41861299-EAB2-4DCC-986C-802AE12AC499}]

  "Compatibility Flags"=-

  You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy. For more information about Group Policy, visit the following Microsoft Web sites:

  • Group Policy collection
  • What is Group Policy Object Editor?
  • Core Group Policy tools and settings

  Note You must restart Internet Explorer for your changes to take effect.

• Read e-mails in plain text

  To help protect yourself from the e-mail attack vector, read e-mail messages in plain text format.

  Microsoft Office Outlook 2002 users who have applied Office XP Service Pack 1 or a later version and Microsoft Office Outlook Express 6 users who have applied Internet Explorer 6 Service Pack 1 or a later version can enable this setting and view e-mail messages that are not digitally signed or e-mail messages that are not encrypted in plain text only.

  Digitally signed e-mail messages or encrypted e-mail messages are not affected by the setting and may be read in their original formats. For more information about how to enable this setting in Outlook 2002, see Microsoft Knowledge Base Article 307594.

  For information about this setting in Outlook Express 6, see Microsoft Knowledge Base Article 291387.

  Impact of workaround. E-mail messages that are viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content. Additionally:

  • The changes are applied to the preview pane and to open messages.
  • Pictures become attachments so that they are not lost.
  • Because the message is still in Rich Text or HTML format in the store, the object model (custom code solutions) may behave unexpectedly.

What is the scope of the vulnerability? 
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

What causes the vulnerability? 
The vulnerability results from GDI+ improperly validating and restricting buffer lengths passed to the heap.

What might an attacker use the vulnerability to do? 
An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability? 
An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site. This can also include compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.

In an e-mail attack scenario, an attacker could exploit the vulnerability by sending Outlook users a specially crafted e-mail, or by sending a specially-crafted Office Document to the user and by convincing the user to open the file or read the message.

Attackers could also exploit this vulnerability by hosting a malicious image on a network share and then convincing a user to browse to the folder in Windows Explorer.

What systems are primarily at risk from the vulnerability? 
This vulnerability requires that a user is logged on and reading e-mail messages, visiting Web sites, or opening files from a network share for any malicious action to occur. Therefore, any systems where e-mail messages are read, where Internet Explorer is used frequently, or where users have network share access, such as workstations or terminal servers, are at the most risk from this vulnerability. Systems that are not typically used to visit Web sites, such as most server systems, are at a reduced risk.

What does the update do? 
The update addresses the vulnerability by introducing proper data validations within GDI+ when rendering WMF images.

When this security bulletin was issued, had this vulnerability been publicly disclosed? 
No. Microsoft received information about this vulnerability through responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? 
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.
• By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See the FAQ subsection of this vulnerability section for more information about Internet Explorer Enhanced Security Configuration.

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

• Restrict access to gdiplus.dll

  1. Run the following commands from an elevated administrator command prompt

  for /F "tokens=*" %G IN ('dir /b /s %windir%\Microsoft.NET\Framework\gdiplus.dll') DO cacls %G /E /P everyone:N
for /F "tokens=*" %G IN ('dir /b /s %windir%\winsxs\gdiplus.dll') DO cacls %G /E /P everyone:N
for /F "tokens=*" %G IN ('dir /b /s ^"%windir%\Downloaded Program Files\gdiplus.dll^"') DO cacls %G /E /P everyone:N
for /F "tokens=*" %G IN ('dir /b /s ^"%programfiles%\microsoft office\gdiplus.dll^"') DO cacls "%G" /E /P everyone:N
for /F "tokens=*" %G IN ('dir /b /s ^"%programfiles^(86^)%\microsoft office\gdiplus.dll^"') DO cacls "%G" /E /P everyone:N
cacls "%programfiles%\Common Files\Microsoft Shared\VFP\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Common Files\Microsoft Shared\VFP\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Microsoft Visual FoxPro 8\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Microsoft Visual FoxPro 8\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Microsoft Visual FoxPro 9\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Microsoft Visual FoxPro 9\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Microsoft Digital Image 2006\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Microsoft Digital Image 2006\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Common Files\Microsoft shared\Works Shared\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Common Files\Microsoft shared\Works Shared\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Microsoft Works\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Microsoft Works\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Common Files\Microsoft Shared\VGX\vgx.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Common Files\Microsoft Shared\VGX\vgx.dll" /E /P everyone:N

  2. Restart.

  Impact of workaround. Windows Picture and Fax Viewer (on editions prior to Windows Vista) and other applications that rely on GDI+ will not be able to view images. Also, thumbnails in Windows Explorer (on versions prior to Vista) will not display.

  How to undo the workaround.

  1. Run the following commands from an elevated administrator command prompt

  for /F "tokens=*" %G IN ('dir /b /s %windir%\Microsoft.NET\Framework\gdiplus.dll') DO cacls %G /E /R everyone
for /F "tokens=*" %G IN ('dir /b /s %windir%\winsxs\gdiplus.dll') DO cacls %G /E /R everyone
for /F "tokens=*" %G IN ('dir /b /s ^"%windir%\Downloaded Program Files\gdiplus.dll^"') DO cacls %G /E /R everyone
for /F "tokens=*" %G IN ('dir /b /s ^"%programfiles%\microsoft office\gdiplus.dll^"') DO cacls "%G" /E /R everyone
for /F "tokens=*" %G IN ('dir /b /s ^"%programfiles^(86^)%\microsoft office\gdiplus.dll^"') DO cacls "%G" /E /R everyone
cacls "%programfiles%\Common Files\Microsoft Shared\VFP\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Common Files\Microsoft Shared\VFP\gdiplus.dll" /E /R everyone
cacls "%programfiles%\Microsoft Visual FoxPro 8\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Microsoft Visual FoxPro 8\gdiplus.dll" /E /R everyone
cacls "%programfiles%\Microsoft Visual FoxPro 9\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Microsoft Visual FoxPro 9\gdiplus.dll" /E /R everyone
cacls "%programfiles%\Microsoft Digital Image 2006\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Microsoft Digital Image 2006\gdiplus.dll" /E /R everyone
cacls "%programfiles%\Common Files\Microsoft shared\Works Shared\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Common Files\Microsoft shared\Works Shared\gdiplus.dll" /E /R everyone
cacls "%programfiles%\Microsoft Works\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Microsoft Works\gdiplus.dll" /E /R everyone
cacls "%programfiles%\ Common Files\Microsoft Shared\VGX\vgx.dll" /E /R everyone
cacls "%programfiles(x86)%\ Common Files\Microsoft Shared\VGX\vgx.dll" /E /R everyone

  2. Restart.

• Unregister vgx.dll

  1. Click Start, click Run, type "%SystemRoot%\System32\regsvr32.exe" -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll", and then click OK.

  2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

  Impact of workaround. Applications that render VML will no longer do so once vgx.dll has been unregistered.

  How to undo the workaround.

  1. Click Start, click Run, type "%SystemRoot%\System32\regsvr32.exe" "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll", and then click OK.

  2. A dialog box appears to confirm that the registration process has succeeded. Click OK to close the dialog box.

• Prevent RSClientPrint from running in Internet Explorer

  You can disable attempts to instantiate RSClientPrint in Internet Explorer by setting the kill bit for the control in the registry.

  Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

  For detailed steps that you can use to prevent a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow these steps in this article to create a Compatibility Flags value in the registry to prevent RSClientPrint from being instantiated in Internet Explorer.

  Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.

  Windows Registry Editor Version 5.00

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{41861299-EAB2-4DCC-986C-802AE12AC499}]

  "Compatibility Flags"=dword:00000400

  [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{41861299-EAB2-4DCC-986C-802AE12AC499}]

  "Compatibility Flags"=dword:00000400

  You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy. For more information about Group Policy, visit the following Microsoft Web sites:

  • Group Policy collection
  • What is Group Policy Object Editor?
  • Core Group Policy tools and settings

  Note You must restart Internet Explorer for your changes to take effect.

  Impact of workaround. There is no impact as long as the object is not intended to be used in Internet Explorer.

  How to undo the workaround.

  Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.

  Windows Registry Editor Version 5.00

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{41861299-EAB2-4DCC-986C-802AE12AC499}]

  "Compatibility Flags"=-

  [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{41861299-EAB2-4DCC-986C-802AE12AC499}]

  "Compatibility Flags"=-

  You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy. For more information about Group Policy, visit the following Microsoft Web sites:

  • Group Policy collection
  • What is Group Policy Object Editor?
  • Core Group Policy tools and settings

  Note You must restart Internet Explorer for your changes to take effect.

• Read e-mails in plain text

  To help protect yourself from the e-mail attack vector, read e-mail messages in plain text format.

  Microsoft Office Outlook 2002 users who have applied Office XP Service Pack 1 or a later version and Microsoft Office Outlook Express 6 users who have applied Internet Explorer 6 Service Pack 1 or a later version can enable this setting and view e-mail messages that are not digitally signed or e-mail messages that are not encrypted in plain text only.

  Digitally signed e-mail messages or encrypted e-mail messages are not affected by the setting and may be read in their original formats. For more information about how to enable this setting in Outlook 2002, see Microsoft Knowledge Base Article 307594.

  For information about this setting in Outlook Express 6, see Microsoft Knowledge Base Article 291387.

  Impact of workaround. E-mail messages that are viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content. Additionally:

  • The changes are applied to the preview pane and to open messages.
  • Pictures become attachments so that they are not lost.
  • Because the message is still in Rich Text or HTML format in the store, the object model (custom code solutions) may behave unexpectedly.

What is the scope of the vulnerability? 
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

What causes the vulnerability? 
This vulnerability is caused by an unchecked buffer in the PNG processing by GDI+.

What might an attacker use the vulnerability to do? 
An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability? 
An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site. This can also include compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.

In an e-mail attack scenario, an attacker could exploit the vulnerability by sending Outlook users a specially crafted e-mail, or by sending a specially-crafted Office Document to the user and by convincing the user to open the file or read the message. .

Attackers could also exploit this vulnerability by hosting a malicious image on a network share and then convincing a user to browse to the folder in Windows Explorer.

What systems are primarily at risk from the vulnerability? 
This vulnerability requires that a user is logged on and reading e-mail messages, visiting Web sites, or opening files from a network share for any malicious action to occur. Therefore, any systems where e-mail messages are read, where Internet Explorer is used frequently, or where users have network share access, such as workstations or terminal servers, are at the most risk from this vulnerability. Systems that are not typically used to visit Web sites, such as most server systems, are at a reduced risk.

What does the update do? 
The update removes the vulnerability by modifying the way that GDI+ manages a heap buffer when reading a PNG file.

When this security bulletin was issued, had this vulnerability been publicly disclosed? 
No. Microsoft received information about this vulnerability through responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? 
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.
• By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See the FAQ subsection of this vulnerability section for more information about Internet Explorer Enhanced Security Configuration.

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

• Restrict access to gdiplus.dll

  1. Run the following commands from an elevated administrator command prompt

  for /F "tokens=*" %G IN ('dir /b /s %windir%\Microsoft.NET\Framework\gdiplus.dll') DO cacls %G /E /P everyone:N
for /F "tokens=*" %G IN ('dir /b /s %windir%\winsxs\gdiplus.dll') DO cacls %G /E /P everyone:N
for /F "tokens=*" %G IN ('dir /b /s ^"%windir%\Downloaded Program Files\gdiplus.dll^"') DO cacls %G /E /P everyone:N
for /F "tokens=*" %G IN ('dir /b /s ^"%programfiles%\microsoft office\gdiplus.dll^"') DO cacls "%G" /E /P everyone:N
for /F "tokens=*" %G IN ('dir /b /s ^"%programfiles^(86^)%\microsoft office\gdiplus.dll^"') DO cacls "%G" /E /P everyone:N
cacls "%programfiles%\Common Files\Microsoft Shared\VFP\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Common Files\Microsoft Shared\VFP\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Microsoft Visual FoxPro 8\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Microsoft Visual FoxPro 8\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Microsoft Visual FoxPro 9\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Microsoft Visual FoxPro 9\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Microsoft Digital Image 2006\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Microsoft Digital Image 2006\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Common Files\Microsoft shared\Works Shared\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Common Files\Microsoft shared\Works Shared\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Microsoft Works\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Microsoft Works\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Common Files\Microsoft Shared\VGX\vgx.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Common Files\Microsoft Shared\VGX\vgx.dll" /E /P everyone:N

  2. Restart.

  Impact of workaround. Windows Picture and Fax Viewer (on editions prior to Windows Vista) and other applications that rely on GDI+ will not be able to view images. Also, thumbnails in Windows Explorer (on versions prior to Vista) will not display.

  How to undo the workaround.

  1. Run the following commands from an elevated administrator command prompt

  for /F "tokens=*" %G IN ('dir /b /s %windir%\Microsoft.NET\Framework\gdiplus.dll') DO cacls %G /E /R everyone
for /F "tokens=*" %G IN ('dir /b /s %windir%\winsxs\gdiplus.dll') DO cacls %G /E /R everyone
for /F "tokens=*" %G IN ('dir /b /s ^"%windir%\Downloaded Program Files\gdiplus.dll^"') DO cacls %G /E /R everyone
for /F "tokens=*" %G IN ('dir /b /s ^"%programfiles%\microsoft office\gdiplus.dll^"') DO cacls "%G" /E /R everyone
for /F "tokens=*" %G IN ('dir /b /s ^"%programfiles^(86^)%\microsoft office\gdiplus.dll^"') DO cacls "%G" /E /R everyone
cacls "%programfiles%\Common Files\Microsoft Shared\VFP\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Common Files\Microsoft Shared\VFP\gdiplus.dll" /E /R everyone
cacls "%programfiles%\Microsoft Visual FoxPro 8\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Microsoft Visual FoxPro 8\gdiplus.dll" /E /R everyone
cacls "%programfiles%\Microsoft Visual FoxPro 9\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Microsoft Visual FoxPro 9\gdiplus.dll" /E /R everyone
cacls "%programfiles%\Microsoft Digital Image 2006\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Microsoft Digital Image 2006\gdiplus.dll" /E /R everyone
cacls "%programfiles%\Common Files\Microsoft shared\Works Shared\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Common Files\Microsoft shared\Works Shared\gdiplus.dll" /E /R everyone
cacls "%programfiles%\Microsoft Works\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Microsoft Works\gdiplus.dll" /E /R everyone
cacls "%programfiles%\ Common Files\Microsoft Shared\VGX\vgx.dll" /E /R everyone
cacls "%programfiles(x86)%\ Common Files\Microsoft Shared\VGX\vgx.dll" /E /R everyone

  2. Restart.

• Unregister vgx.dll

  1. Click Start, click Run, type "%SystemRoot%\System32\regsvr32.exe" -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll", and then click OK.

  2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

  Impact of workaround. Applications that render VML will no longer do so once vgx.dll has been unregistered.

  How to undo the workaround.

  1. Click Start, click Run, type "%SystemRoot%\System32\regsvr32.exe" "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll", and then click OK.

  2. A dialog box appears to confirm that the registration process has succeeded. Click OK to close the dialog box.

• Prevent RSClientPrint from running in Internet Explorer

  You can disable attempts to instantiate RSClientPrint in Internet Explorer by setting the kill bit for the control in the registry.

  Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

  For detailed steps that you can use to prevent a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow these steps in this article to create a Compatibility Flags value in the registry to prevent RSClientPrint from being instantiated in Internet Explorer.

  Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.

  Windows Registry Editor Version 5.00

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{41861299-EAB2-4DCC-986C-802AE12AC499}]

  "Compatibility Flags"=dword:00000400

  [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{41861299-EAB2-4DCC-986C-802AE12AC499}]

  "Compatibility Flags"=dword:00000400

  You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy. For more information about Group Policy, visit the following Microsoft Web sites:

  • Group Policy collection
  • What is Group Policy Object Editor?
  • Core Group Policy tools and settings

  Note You must restart Internet Explorer for your changes to take effect.

  Impact of workaround. There is no impact as long as the object is not intended to be used in Internet Explorer.

  How to undo the workaround.

  Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.

  Windows Registry Editor Version 5.00

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{41861299-EAB2-4DCC-986C-802AE12AC499}]

  "Compatibility Flags"=-

  [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{41861299-EAB2-4DCC-986C-802AE12AC499}]

  "Compatibility Flags"=-

  You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy. For more information about Group Policy, visit the following Microsoft Web sites:

  • Group Policy collection
  • What is Group Policy Object Editor?
  • Core Group Policy tools and settings

  Note You must restart Internet Explorer for your changes to take effect.

• Read e-mails in plain text

  To help protect yourself from the e-mail attack vector, read e-mail messages in plain text format.

  Microsoft Office Outlook 2002 users who have applied Office XP Service Pack 1 or a later version and Microsoft Office Outlook Express 6 users who have applied Internet Explorer 6 Service Pack 1 or a later version can enable this setting and view e-mail messages that are not digitally signed or e-mail messages that are not encrypted in plain text only.

  Digitally signed e-mail messages or encrypted e-mail messages are not affected by the setting and may be read in their original formats. For more information about how to enable this setting in Outlook 2002, see Microsoft Knowledge Base Article 307594.

  For information about this setting in Outlook Express 6, see Microsoft Knowledge Base Article 291387.

  Impact of workaround. E-mail messages that are viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content. Additionally:

  • The changes are applied to the preview pane and to open messages.
  • Pictures become attachments so that they are not lost.
  • Because the message is still in Rich Text or HTML format in the store, the object model (custom code solutions) may behave unexpectedly.

What is the scope of the vulnerability? 
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

What causes the vulnerability? 
This vulnerability is caused by an unchecked buffer in the TIFF processing by GDI+.

What might an attacker use the vulnerability to do? 
An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability? 
An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site. This can also include compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.

In an e-mail attack scenario, an attacker could exploit the vulnerability by sending Outlook users a specially crafted e-mail, or by sending a specially-crafted Office Document to the user and by convincing the user to open the file or read the message.

Attackers could also exploit this vulnerability by hosting a malicious image on a network share and then convincing a user to browse to the folder in Windows Explorer.

What systems are primarily at risk from the vulnerability? 
This vulnerability requires that a user is logged on and reading e-mail messages, visiting Web sites, or opening files from a network share for any malicious action to occur. Therefore, any systems where e-mail messages are read, where Internet Explorer is used frequently, or where users have network share access, such as workstations or terminal servers, are at the most risk from this vulnerability. Systems that are not typically used to visit Web sites, such as most server systems, are at a reduced risk.

What does the update do? 
The update removes the vulnerability by modifying the way that GDI+ allocates a buffer used when reading TIFF files.

When this security bulletin was issued, had this vulnerability been publicly disclosed? 
No. Microsoft received information about this vulnerability through responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? 
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.
• By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See the FAQ subsection of this vulnerability section for more information about Internet Explorer Enhanced Security Configuration.

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

• Restrict access to gdiplus.dll

  1. Run the following commands from an elevated administrator command prompt

  for /F "tokens=*" %G IN ('dir /b /s %windir%\Microsoft.NET\Framework\gdiplus.dll') DO cacls %G /E /P everyone:N
for /F "tokens=*" %G IN ('dir /b /s %windir%\winsxs\gdiplus.dll') DO cacls %G /E /P everyone:N
for /F "tokens=*" %G IN ('dir /b /s ^"%windir%\Downloaded Program Files\gdiplus.dll^"') DO cacls %G /E /P everyone:N
for /F "tokens=*" %G IN ('dir /b /s ^"%programfiles%\microsoft office\gdiplus.dll^"') DO cacls "%G" /E /P everyone:N
for /F "tokens=*" %G IN ('dir /b /s ^"%programfiles^(86^)%\microsoft office\gdiplus.dll^"') DO cacls "%G" /E /P everyone:N
cacls "%programfiles%\Common Files\Microsoft Shared\VFP\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Common Files\Microsoft Shared\VFP\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Microsoft Visual FoxPro 8\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Microsoft Visual FoxPro 8\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Microsoft Visual FoxPro 9\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Microsoft Visual FoxPro 9\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Microsoft Digital Image 2006\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Microsoft Digital Image 2006\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Common Files\Microsoft shared\Works Shared\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Common Files\Microsoft shared\Works Shared\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Microsoft Works\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Microsoft Works\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Common Files\Microsoft Shared\VGX\vgx.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Common Files\Microsoft Shared\VGX\vgx.dll" /E /P everyone:N

  2. Restart.

  Impact of workaround. Windows Picture and Fax Viewer (on editions prior to Windows Vista) and other applications that rely on GDI+ will not be able to view images. Also, thumbnails in Windows Explorer (on versions prior to Vista) will not display.

  How to undo the workaround.

  1. Run the following commands from an elevated administrator command prompt

  for /F "tokens=*" %G IN ('dir /b /s %windir%\Microsoft.NET\Framework\gdiplus.dll') DO cacls %G /E /R everyone
for /F "tokens=*" %G IN ('dir /b /s %windir%\winsxs\gdiplus.dll') DO cacls %G /E /R everyone
for /F "tokens=*" %G IN ('dir /b /s ^"%windir%\Downloaded Program Files\gdiplus.dll^"') DO cacls %G /E /R everyone
for /F "tokens=*" %G IN ('dir /b /s ^"%programfiles%\microsoft office\gdiplus.dll^"') DO cacls "%G" /E /R everyone
for /F "tokens=*" %G IN ('dir /b /s ^"%programfiles^(86^)%\microsoft office\gdiplus.dll^"') DO cacls "%G" /E /R everyone
cacls "%programfiles%\Common Files\Microsoft Shared\VFP\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Common Files\Microsoft Shared\VFP\gdiplus.dll" /E /R everyone
cacls "%programfiles%\Microsoft Visual FoxPro 8\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Microsoft Visual FoxPro 8\gdiplus.dll" /E /R everyone
cacls "%programfiles%\Microsoft Visual FoxPro 9\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Microsoft Visual FoxPro 9\gdiplus.dll" /E /R everyone
cacls "%programfiles%\Microsoft Digital Image 2006\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Microsoft Digital Image 2006\gdiplus.dll" /E /R everyone
cacls "%programfiles%\Common Files\Microsoft shared\Works Shared\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Common Files\Microsoft shared\Works Shared\gdiplus.dll" /E /R everyone
cacls "%programfiles%\Microsoft Works\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Microsoft Works\gdiplus.dll" /E /R everyone
cacls "%programfiles%\ Common Files\Microsoft Shared\VGX\vgx.dll" /E /R everyone
cacls "%programfiles(x86)%\ Common Files\Microsoft Shared\VGX\vgx.dll" /E /R everyone

  2. Restart.

• Unregister vgx.dll

  1. Click Start, click Run, type "%SystemRoot%\System32\regsvr32.exe" -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll", and then click OK.

  2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

  Impact of workaround. Applications that render VML will no longer do so once vgx.dll has been unregistered.

  How to undo the workaround.

  1. Click Start, click Run, type "%SystemRoot%\System32\regsvr32.exe" "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll", and then click OK.

  2. A dialog box appears to confirm that the registration process has succeeded. Click OK to close the dialog box.

• Prevent RSClientPrint from running in Internet Explorer

  You can disable attempts to instantiate RSClientPrint in Internet Explorer by setting the kill bit for the control in the registry.

  Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

  For detailed steps that you can use to prevent a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow these steps in this article to create a Compatibility Flags value in the registry to prevent RSClientPrint from being instantiated in Internet Explorer.

  Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.

  Windows Registry Editor Version 5.00

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{41861299-EAB2-4DCC-986C-802AE12AC499}]

  "Compatibility Flags"=dword:00000400

  [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{41861299-EAB2-4DCC-986C-802AE12AC499}]

  "Compatibility Flags"=dword:00000400

  You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy. For more information about Group Policy, visit the following Microsoft Web sites:

  • Group Policy collection
  • What is Group Policy Object Editor?
  • Core Group Policy tools and settings

  Note You must restart Internet Explorer for your changes to take effect.

  Impact of workaround. There is no impact as long as the object is not intended to be used in Internet Explorer.

  How to undo the workaround.

  Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.

  Windows Registry Editor Version 5.00

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{41861299-EAB2-4DCC-986C-802AE12AC499}]

  "Compatibility Flags"=-

  [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{41861299-EAB2-4DCC-986C-802AE12AC499}]

  "Compatibility Flags"=-

  You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy. For more information about Group Policy, visit the following Microsoft Web sites:

  • Group Policy collection
  • What is Group Policy Object Editor?
  • Core Group Policy tools and settings

  Note You must restart Internet Explorer for your changes to take effect.

• Read e-mails in plain text

  To help protect yourself from the e-mail attack vector, read e-mail messages in plain text format.

  Microsoft Office Outlook 2002 users who have applied Office XP Service Pack 1 or a later version and Microsoft Office Outlook Express 6 users who have applied Internet Explorer 6 Service Pack 1 or a later version can enable this setting and view e-mail messages that are not digitally signed or e-mail messages that are not encrypted in plain text only.

  Digitally signed e-mail messages or encrypted e-mail messages are not affected by the setting and may be read in their original formats. For more information about how to enable this setting in Outlook 2002, see Microsoft Knowledge Base Article 307594.

  For information about this setting in Outlook Express 6, see Microsoft Knowledge Base Article 291387.

  Impact of workaround. E-mail messages that are viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content. Additionally:

  • The changes are applied to the preview pane and to open messages.
  • Pictures become attachments so that they are not lost.
  • Because the message is still in Rich Text or HTML format in the store, the object model (custom code solutions) may behave unexpectedly.

What is the scope of the vulnerability? 
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

What causes the vulnerability? 
This vulnerability is caused by an unchecked buffer in the TIFF processing by GDI+.

What might an attacker use the vulnerability to do? 
An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability? 
An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site. This can also include compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.

In an e-mail attack scenario, an attacker could exploit the vulnerability by sending Outlook users a specially crafted e-mail, or by sending a specially-crafted Office Document to the user and by convincing the user to open the file or read the message.

Attackers could also exploit this vulnerability by hosting a malicious image on a network share and then convincing a user to browse to the folder in Windows Explorer.

What systems are primarily at risk from the vulnerability? 
This vulnerability requires that a user is logged on and reading e-mail messages, visiting Web sites, or opening files from a network share for any malicious action to occur. Therefore, any systems where e-mail messages are read, where Internet Explorer is used frequently, or where users have network share access, such as workstations or terminal servers, are at the most risk from this vulnerability. Systems that are not typically used to visit Web sites, such as most server systems, are at a reduced risk.

What does the update do? 
The update removes the vulnerability by modifying the way that GDI+ allocates a buffer used when reading TIFF files.

When this security bulletin was issued, had this vulnerability been publicly disclosed? 
No. Microsoft received information about this vulnerability through responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? 
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

• It is very unlikely that an attacker could realistically influence a non-malicious .NET application to make the API calls to the vulnerable functions in the right way to trigger the vulnerability.
• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user or ASP.NET account. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.
• By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See the FAQ subsection of this vulnerability section for more information about Internet Explorer Enhanced Security Configuration.
• The vulnerability could be exploited by an attacker who convinced a user to open a specially crafted file. There is no way for an attacker to force a user to open a specially crafted file.
• The vulnerability could not be exploited automatically through e-mail. For an attack to be successful a user must open an attachment this is sent in an e-mail message.

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

• Restrict access to gdiplus.dll

  1. Run the following commands from an elevated administrator command prompt

  for /F "tokens=*" %G IN ('dir /b /s %windir%\Microsoft.NET\Framework\gdiplus.dll') DO cacls %G /E /P everyone:N
for /F "tokens=*" %G IN ('dir /b /s %windir%\winsxs\gdiplus.dll') DO cacls %G /E /P everyone:N
for /F "tokens=*" %G IN ('dir /b /s ^"%windir%\Downloaded Program Files\gdiplus.dll^"') DO cacls %G /E /P everyone:N
for /F "tokens=*" %G IN ('dir /b /s ^"%programfiles%\microsoft office\gdiplus.dll^"') DO cacls "%G" /E /P everyone:N
for /F "tokens=*" %G IN ('dir /b /s ^"%programfiles^(86^)%\microsoft office\gdiplus.dll^"') DO cacls "%G" /E /P everyone:N
cacls "%programfiles%\Common Files\Microsoft Shared\VFP\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Common Files\Microsoft Shared\VFP\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Microsoft Visual FoxPro 8\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Microsoft Visual FoxPro 8\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Microsoft Visual FoxPro 9\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Microsoft Visual FoxPro 9\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Microsoft Digital Image 2006\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Microsoft Digital Image 2006\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Common Files\Microsoft shared\Works Shared\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Common Files\Microsoft shared\Works Shared\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Microsoft Works\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Microsoft Works\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Common Files\Microsoft Shared\VGX\vgx.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Common Files\Microsoft Shared\VGX\vgx.dll" /E /P everyone:N

  2. Restart.

  Impact of workaround. Windows Picture and Fax Viewer (on editions prior to Windows Vista) and other applications that rely on GDI+ will not be able to view images. Also, thumbnails in Windows Explorer (on versions prior to Vista) will not display.

  How to undo the workaround.

  1. Run the following commands from an elevated administrator command prompt

  for /F "tokens=*" %G IN ('dir /b /s %windir%\Microsoft.NET\Framework\gdiplus.dll') DO cacls %G /E /R everyone
for /F "tokens=*" %G IN ('dir /b /s %windir%\winsxs\gdiplus.dll') DO cacls %G /E /R everyone
for /F "tokens=*" %G IN ('dir /b /s ^"%windir%\Downloaded Program Files\gdiplus.dll^"') DO cacls %G /E /R everyone
for /F "tokens=*" %G IN ('dir /b /s ^"%programfiles%\microsoft office\gdiplus.dll^"') DO cacls "%G" /E /R everyone
for /F "tokens=*" %G IN ('dir /b /s ^"%programfiles^(86^)%\microsoft office\gdiplus.dll^"') DO cacls "%G" /E /R everyone
cacls "%programfiles%\Common Files\Microsoft Shared\VFP\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Common Files\Microsoft Shared\VFP\gdiplus.dll" /E /R everyone
cacls "%programfiles%\Microsoft Visual FoxPro 8\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Microsoft Visual FoxPro 8\gdiplus.dll" /E /R everyone
cacls "%programfiles%\Microsoft Visual FoxPro 9\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Microsoft Visual FoxPro 9\gdiplus.dll" /E /R everyone
cacls "%programfiles%\Microsoft Digital Image 2006\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Microsoft Digital Image 2006\gdiplus.dll" /E /R everyone
cacls "%programfiles%\Common Files\Microsoft shared\Works Shared\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Common Files\Microsoft shared\Works Shared\gdiplus.dll" /E /R everyone
cacls "%programfiles%\Microsoft Works\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Microsoft Works\gdiplus.dll" /E /R everyone
cacls "%programfiles%\ Common Files\Microsoft Shared\VGX\vgx.dll" /E /R everyone
cacls "%programfiles(x86)%\ Common Files\Microsoft Shared\VGX\vgx.dll" /E /R everyone

  2. Restart.

• Disable XAML Browser Applications in Internet Explorer

  You can help protect against this vulnerability by changing your settings to prompt before running XAML Browser Applications or to disable XAML Browser Applications altogether in the Internet and Local intranet security zone. To do this, perform the following steps:

  1. In Internet Explorer, click Internet Options on the Tools menu.

  2. Click the Security tab.

  3. Click Internet, and then click Custom Level.

  4. Under Settings, in the .NET Framework section, under XAML browser applications, click Prompt or Disable, and then click OK.

  5. Click Local intranet, and then click Custom Level.

  6. Under Settings, in the .NET Framework section, under XAML browser applications, click Prompt or Disable, and then click OK.

  7. If you are prompted to confirm that you want to change these settings, click Yes.

  8. Click OK to return to Internet Explorer.

  Impact of workaround. XBAP applications will not run or will not run without a prompt.

  Note Disabling XAML Browser Applications in the Internet and Local intranet security zones may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly.

  How to undo the workaround.

  1. In Internet Explorer, click Internet Options on the Tools menu.

  2. Click the Security tab.

  3. Click Internet, and then click Custom Level.

  4. Under Settings, in the .NET Framework section, under XAML browser applications, click Enable, and then click OK.

  5. Click Local intranet, and then click Custom Level.

  6. Under Settings, in the .NET Framework section, under XAML browser applications, click Enable, and then click OK.

  7. If you are prompted to confirm that you want to change these settings, click Yes.

  8. Click OK to return to Internet Explorer.

• Disable partially trusted .NET applications

  By preventing all .NET applications without full trust from running, this vulnerability is effectively shielded as .NET applications with full trust can already make any change to the system. To disable all .NET applications running at partial trust, run the following commands from an elevated administrator command prompt:

  caspol -pp off
caspol -m -resetlockdown
caspol -pp on

  Impact of workaround. Some .NET applications will not run.

  How to undo the workaround.

  To reset the .NET security policies to defaults, run the following commands from an elevated administrator command prompt:

  caspol -pp off
caspol -m -reset
caspol -pp on

• Prevent RSClientPrint from running in Internet Explorer

  You can disable attempts to instantiate RSClientPrint in Internet Explorer by setting the kill bit for the control in the registry.

  Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

  For detailed steps that you can use to prevent a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow these steps in this article to create a Compatibility Flags value in the registry to prevent RSClientPrint from being instantiated in Internet Explorer.

  Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.

  Windows Registry Editor Version 5.00

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{41861299-EAB2-4DCC-986C-802AE12AC499}]

  "Compatibility Flags"=dword:00000400

  [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{41861299-EAB2-4DCC-986C-802AE12AC499}]

  "Compatibility Flags"=dword:00000400

  You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy. For more information about Group Policy, visit the following Microsoft Web sites:

  • Group Policy collection
  • What is Group Policy Object Editor?
  • Core Group Policy tools and settings

  Note You must restart Internet Explorer for your changes to take effect.

  Impact of workaround. There is no impact as long as the object is not intended to be used in Internet Explorer.

  How to undo the workaround.

  Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.

  Windows Registry Editor Version 5.00

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{41861299-EAB2-4DCC-986C-802AE12AC499}]

  "Compatibility Flags"=-

  [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{41861299-EAB2-4DCC-986C-802AE12AC499}]

  "Compatibility Flags"=-

  You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy. For more information about Group Policy, visit the following Microsoft Web sites:

  • Group Policy collection
  • What is Group Policy Object Editor?
  • Core Group Policy tools and settings

  Note You must restart Internet Explorer for your changes to take effect.

What is the scope of the vulnerability? 
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could execute code either in the context of the currently logged on user, or in the context of the service account associated with an application pool identity.

What causes the vulnerability? 
This vulnerability is a result of an integer overflow in certain GDI+ APIs that are accessible from .NET Framework applications.

What is CAS? 
Code Access Security (CAS) is a mechanism that helps limit the access that code has to protected resources and operations. For more information about CAS, see MSDN article, Introduction to Code Access Security.

What is an XBAP? 
An XAML browser application (XBAP) combines features of both Web applications and rich-client applications. Like Web applications, XBAPs can be published to a Web server and launched from Internet Explorer. Like rich-client applications, XBAPs can take advantage of the capabilities of WPF. For more information about XBAPs, see MSDN article, Windows Presentation Foundation XAML Browser Applications Overview.

What might an attacker use the vulnerability to do? 
An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

In the Web hosting scenario, an attacker who successfully exploits this vulnerability could obtain the same permissions as the service account associated with the application pool identity of the application pool that a Microsoft .NET application is running under. Depending on Application Pool Isolation configuration and permissions granted to the service account, an attacker might be able to take control over other application pools on the Web server or be able to take complete control of the affected system. For more information about application pool identities and configuration, see TechNet article, Configure Application Pool Identity.

How could an attacker exploit the vulnerability? 
There are three scenarios possible for exploitation of this vulnerability: a Web browsing scenario, a Web hosting scenario, and a Microsoft .NET Framework application scenario. These scenarios are described below:

• Web browsing scenario
  An attacker could host a specially crafted Web site that contains a specially crafted XBAP (XAML Browser Application) that could exploit this vulnerability and then convince a user to view the Web site. The attacker could also take advantage of compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger message that takes users to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.
• Web hosting scenario
  If a web hosting environment allows users to upload custom ASP.NET applications, an attacker user could upload a malicious ASP.NET application that uses this vulnerability to break out of the CAS sandbox used by the hosting company to prevent ASP.NET code from performing harmful actions on the server system.
• Microsoft .NET Framework application scenario
  An attacker could place a malicious Microsoft .NET Framework application on a network share and lure users on that network to execute this application.

What systems are primarily at risk from the vulnerability? 
There are two types of systems at risk from this vulnerability, described below: systems that are using the Web browsing scenario, and systems that are using the Web hosting scenario.

• Web browsing scenario
  Successful exploitation of this vulnerability requires that a user is logged on and is visiting Web sites using a Web browser capable of instantiating XBAPs. Therefore, any systems where a Web browser is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability. Servers could be at more risk if administrators allow users to browse and read e-mail on servers. However, best practices strongly discourage allowing this.
• Web hosting scenario
  Web hosting sites that allow users to upload custom ASP.NET applications are at increased risk.

What does the update do? 
This update modifies the way that GDI+ manages buffers when certain .NET API calls are made.

When this security bulletin was issued, had this vulnerability been publicly disclosed? 
No. Microsoft received information about this vulnerability through responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? 
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.
• By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See the FAQ subsection of this vulnerability section for more information about Internet Explorer Enhanced Security Configuration.
• The vulnerability could be exploited by an attacker who convinced a user to open a specially crafted file. There is no way for an attacker to force a user to open a specially crafted file.
• The vulnerability could not be exploited automatically through e-mail. For an attack to be successful a user must open an attachment this is sent in an e-mail message.

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

• Restrict access to gdiplus.dll

  1. Run the following commands from an elevated administrator command prompt

  for /F "tokens=*" %G IN ('dir /b /s %windir%\Microsoft.NET\Framework\gdiplus.dll') DO cacls %G /E /P everyone:N
for /F "tokens=*" %G IN ('dir /b /s %windir%\winsxs\gdiplus.dll') DO cacls %G /E /P everyone:N
for /F "tokens=*" %G IN ('dir /b /s ^"%windir%\Downloaded Program Files\gdiplus.dll^"') DO cacls %G /E /P everyone:N
for /F "tokens=*" %G IN ('dir /b /s ^"%programfiles%\microsoft office\gdiplus.dll^"') DO cacls "%G" /E /P everyone:N
for /F "tokens=*" %G IN ('dir /b /s ^"%programfiles^(86^)%\microsoft office\gdiplus.dll^"') DO cacls "%G" /E /P everyone:N
cacls "%programfiles%\Common Files\Microsoft Shared\VFP\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Common Files\Microsoft Shared\VFP\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Microsoft Visual FoxPro 8\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Microsoft Visual FoxPro 8\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Microsoft Visual FoxPro 9\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Microsoft Visual FoxPro 9\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Microsoft Digital Image 2006\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Microsoft Digital Image 2006\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Common Files\Microsoft shared\Works Shared\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Common Files\Microsoft shared\Works Shared\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Microsoft Works\gdiplus.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Microsoft Works\gdiplus.dll" /E /P everyone:N
cacls "%programfiles%\Common Files\Microsoft Shared\VGX\vgx.dll" /E /P everyone:N
cacls "%programfiles(x86)%\Common Files\Microsoft Shared\VGX\vgx.dll" /E /P everyone:N

  2. Restart.

  Impact of workaround. Windows Picture and Fax Viewer (on editions prior to Windows Vista) and other applications that rely on GDI+ will not be able to view images. Also, thumbnails in Windows Explorer (on versions prior to Vista) will not display.

  How to undo the workaround.

  1. Run the following commands from an elevated administrator command prompt

  for /F "tokens=*" %G IN ('dir /b /s %windir%\Microsoft.NET\Framework\gdiplus.dll') DO cacls %G /E /R everyone
for /F "tokens=*" %G IN ('dir /b /s %windir%\winsxs\gdiplus.dll') DO cacls %G /E /R everyone
for /F "tokens=*" %G IN ('dir /b /s ^"%windir%\Downloaded Program Files\gdiplus.dll^"') DO cacls %G /E /R everyone
for /F "tokens=*" %G IN ('dir /b /s ^"%programfiles%\microsoft office\gdiplus.dll^"') DO cacls "%G" /E /R everyone
for /F "tokens=*" %G IN ('dir /b /s ^"%programfiles^(86^)%\microsoft office\gdiplus.dll^"') DO cacls "%G" /E /R everyone
cacls "%programfiles%\Common Files\Microsoft Shared\VFP\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Common Files\Microsoft Shared\VFP\gdiplus.dll" /E /R everyone
cacls "%programfiles%\Microsoft Visual FoxPro 8\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Microsoft Visual FoxPro 8\gdiplus.dll" /E /R everyone
cacls "%programfiles%\Microsoft Visual FoxPro 9\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Microsoft Visual FoxPro 9\gdiplus.dll" /E /R everyone
cacls "%programfiles%\Microsoft Digital Image 2006\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Microsoft Digital Image 2006\gdiplus.dll" /E /R everyone
cacls "%programfiles%\Common Files\Microsoft shared\Works Shared\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Common Files\Microsoft shared\Works Shared\gdiplus.dll" /E /R everyone
cacls "%programfiles%\Microsoft Works\gdiplus.dll" /E /R everyone
cacls "%programfiles(x86)%\Microsoft Works\gdiplus.dll" /E /R everyone
cacls "%programfiles%\ Common Files\Microsoft Shared\VGX\vgx.dll" /E /R everyone
cacls "%programfiles(x86)%\ Common Files\Microsoft Shared\VGX\vgx.dll" /E /R everyone

  2. Restart.

• Unregister vgx.dll

  1. Click Start, click Run, type "%SystemRoot%\System32\regsvr32.exe" -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll", and then click OK.

  2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

  Impact of workaround. Applications that render VML will no longer do so once vgx.dll has been unregistered.

  How to undo the workaround.

  1. Click Start, click Run, type "%SystemRoot%\System32\regsvr32.exe" "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll", and then click OK.

  2. A dialog box appears to confirm that the registration process has succeeded. Click OK to close the dialog box.

• Prevent RSClientPrint from running in Internet Explorer

  You can disable attempts to instantiate RSClientPrint in Internet Explorer by setting the kill bit for the control in the registry.

  Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

  For detailed steps that you can use to prevent a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow these steps in this article to create a Compatibility Flags value in the registry to prevent RSClientPrint from being instantiated in Internet Explorer.

  Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.

  Windows Registry Editor Version 5.00

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{41861299-EAB2-4DCC-986C-802AE12AC499}]

  "Compatibility Flags"=dword:00000400

  [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{41861299-EAB2-4DCC-986C-802AE12AC499}]

  "Compatibility Flags"=dword:00000400

  You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy. For more information about Group Policy, visit the following Microsoft Web sites:

  • Group Policy collection
  • What is Group Policy Object Editor?
  • Core Group Policy tools and settings

  Note You must restart Internet Explorer for your changes to take effect.

  Impact of workaround. There is no impact as long as the object is not intended to be used in Internet Explorer.

  How to undo the workaround.

  Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.

  Windows Registry Editor Version 5.00

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{41861299-EAB2-4DCC-986C-802AE12AC499}]

  "Compatibility Flags"=-

  [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{41861299-EAB2-4DCC-986C-802AE12AC499}]

  "Compatibility Flags"=-

  You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy. For more information about Group Policy, visit the following Microsoft Web sites:

  • Group Policy collection
  • What is Group Policy Object Editor?
  • Core Group Policy tools and settings

  Note You must restart Internet Explorer for your changes to take effect.

What is the scope of the vulnerability? 
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

What causes the vulnerability? 
This vulnerability is caused by incorrect calculation of the memory required for parsing a PNG processed by GDI+.

What might an attacker use the vulnerability to do? 
An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability? 
An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site. This can also include compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.

What systems are primarily at risk from the vulnerability? 
This vulnerability requires that a user is logged on and reading e-mail messages, visiting Web sites, or opening files from a network share for any malicious action to occur. Therefore, any systems where e-mail messages are read, where Internet Explorer is used frequently, or where users have network share access, such as workstations or terminal servers, are at the most risk from this vulnerability. Systems that are not typically used to visit Web sites, such as most server systems, are at a reduced risk.

What does the update do? 
The update removes the vulnerability by modifying the way that GDI+ calculates the required size of a buffer while parsing a PNG image.

When this security bulletin was issued, had this vulnerability been publicly disclosed? 
No. Microsoft received information about this vulnerability through responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? 
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.
• The vulnerability could not be exploited automatically through e-mail. For an attack to be successful a user must open an attachment this is sent in an e-mail message.

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

• Do not open Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted file.

What is the scope of the vulnerability? 
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system remotely. An attacker could then install programs or view, change, or delete data; or create new accounts with full user rights.

What causes the vulnerability? 
The vulnerability exists in the way that Microsoft Office parses Office Art Property Tables when opening a specially crafted Office document.

What might an attacker use the vulnerability to do? 
An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability? 
This vulnerability requires that a user open a specially crafted Office document with an affected version of Microsoft Office.

What systems are primarily at risk from the vulnerability? 
Systems where Microsoft Office is used, including workstations and terminal servers, are primarily at risk. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.

What does the update do? 
This update removes the vulnerability by changing the way that Microsoft Office opens specially crafted Office Documents.

When this security bulletin was issued, had this vulnerability been publicly disclosed? 
No. Microsoft received information about this vulnerability through responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? 
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

• Do not open Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources

  This vulnerability could be exploited when a user opens a specially crafted file.

• Read e-mails in plain text

  To help protect yourself from the e-mail attack vector, read e-mail messages in plain text format.

  Microsoft Office Outlook 2002 users who have applied Office XP Service Pack 1 or a later version and Microsoft Office Outlook Express 6 users who have applied Internet Explorer 6 Service Pack 1 or a later version can enable this setting and view e-mail messages that are not digitally signed or e-mail messages that are not encrypted in plain text only.

  Digitally signed e-mail messages or encrypted e-mail messages are not affected by the setting and may be read in their original formats. For more information about how to enable this setting in Outlook 2002, see Microsoft Knowledge Base Article 307594.

  For information about this setting in Outlook Express 6, see Microsoft Knowledge Base Article 291387.

  Impact of workaround. E-mail messages that are viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content. Additionally:

  • The changes are applied to the preview pane and to open messages.
  • Pictures become attachments so that they are not lost.
  • Because the message is still in Rich Text or HTML format in the store, the object model (custom code solutions) may behave unexpectedly.

What is the scope of the vulnerability? 
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

What causes the vulnerability? 
When a user opens a specially crafted Office file containing a specially crafted BMP, it may corrupt system memory in such a way that an attacker could execute arbitrary code.

What might an attacker use the vulnerability to do? 
An attacker who successfully exploited this vulnerability could run arbitrary code as the logged on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability? 
In an e-mail attack scenario, an attacker could exploit the vulnerability by sending Outlook users a specially crafted e-mail, or by sending a specially-crafted Office Document to the user and by convincing the user to open the file or read the message.

In a Web-based attack scenario, an attacker would have to host a Web site that contains an Office Document that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted Web site. Instead, an attacker would have to convince them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.

What systems are primarily at risk from the vulnerability? 
Systems where the affected software is used, including workstations and terminal servers, are primarily at risk. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.

What does the update do? 
The update removes the vulnerability by modifying the way that Microsoft Office opens specially crafted files.

When this security bulletin was issued, had this vulnerability been publicly disclosed? 
No. Microsoft received information about this vulnerability through responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? 
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Note For supported versions of Windows XP Professional x64 Edition, this security update is the same as supported versions of the Windows Server 2003 x64 Edition security update.

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.