CVE-2008-3015

Name of the Vulnerable Software and Affected Versions GDI+ in Microsoft Office XP SP3 GDI+ in Microsoft Office 2003 SP2 and SP3 GDI+ in 2007 Microsoft Office System Gold and SP1 GDI+ in Visio 2002 SP2 GDI+ in PowerPoint Viewer 2003 GDI+ in Works 8 GDI+ in Digital Image Suite 2006 GDI+ in SQL Server 2000 Reporting Services SP2 GDI+ in SQL Server 2005 SP2 GDI+ in Report Viewer 2005 SP1 and 2008 GDI+ in Forefront Client Security 1.0

Description A remote code execution issue exists in the way GDI+ handles integer calculations, allowing attackers to execute arbitrary code via a specially crafted BMP image file. This could enable an attacker to gain complete control of an affected system, install programs, view, change, or delete data, or create new accounts with full user rights. Users with limited account privileges may be less affected than those operating with administrative rights.

Recommendations For GDI+ in Microsoft Office XP SP3, update to a newer version that includes a fix for this issue. For GDI+ in Microsoft Office 2003 SP2 and SP3, update to a newer version that includes a fix for this issue. For GDI+ in 2007 Microsoft Office System Gold and SP1, update to a newer version that includes a fix for this issue. For GDI+ in Visio 2002 SP2, update to a newer version that includes a fix for this issue. For GDI+ in PowerPoint Viewer 2003, update to a newer version that includes a fix for this issue. For GDI+ in Works 8, update to a newer version that includes a fix for this issue. For GDI+ in Digital Image Suite 2006, update to a newer version that includes a fix for this issue. For GDI+ in SQL Server 2000 Reporting Services SP2, update to a newer version that includes a fix for this issue. For GDI+ in SQL Server 2005 SP2, update to a newer version that includes a fix for this issue. For GDI+ in Report Viewer 2005 SP1 and 2008, update to a newer version that includes a fix for this issue. For GDI+ in Forefront Client Security 1.0, update to a newer version that includes a fix for this issue. As a temporary workaround, consider avoiding the use of specially crafted BMP image files until a patch is available.