CVE-2009-2501

Name of the Vulnerable Software and Affected Versions Microsoft Internet Explorer version 6 SP1 Windows XP versions SP2 and SP3 Office XP version SP3 Office 2003 version SP3 2007 Microsoft Office System versions SP1 and SP2 Office Project 2002 version SP1 Visio 2002 version SP2 Office Word Viewer Word Viewer 2003 versions Gold and SP3 Office Excel Viewer 2003 versions Gold and SP3 Office Excel Viewer Office PowerPoint Viewer 2007 versions Gold, SP1, and SP2 Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats versions SP1 and SP2 Expression Web Expression Web 2 Groove 2007 versions Gold and SP1 Works version 8.5 SQL Server 2000 Reporting Services version SP2 SQL Server 2005 versions SP2 and SP3 Report Viewer 2005 version SP1 Report Viewer 2008 versions Gold and SP1 Forefront Client Security version 1.0

Description A remote code execution issue exists due to the way GDI+ allocates memory. This could allow remote code execution if a user opens a specially crafted PNG image file. An attacker who successfully exploits this issue could take complete control of an affected system, then install programs, view, change, or delete data, or create new accounts with full user rights. Users with fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Recommendations For Microsoft Internet Explorer version 6 SP1, update to a newer version to mitigate the risk. For Windows XP versions SP2 and SP3, apply the patch provided by Microsoft. For Office XP version SP3, update to a newer version to mitigate the risk. For Office 2003 version SP3, apply the patch provided by Microsoft. For 2007 Microsoft Office System versions SP1 and SP2, update to a newer version to mitigate the risk. For Office Project 2002 version SP1, apply the patch provided by Microsoft. For Visio 2002 version SP2, update to a newer version to mitigate the risk. For Office Word Viewer, avoid opening specially crafted PNG image files until a patch is available. For Word Viewer 2003 versions Gold and SP3, apply the patch provided by Microsoft. For Office Excel Viewer 2003 versions Gold and SP3, update to a newer version to mitigate the risk. For Office Excel Viewer, avoid opening specially crafted PNG image files until a patch is available. For Office PowerPoint Viewer 2007 versions Gold, SP1, and SP2, update to a newer version to mitigate the risk. For Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats versions SP1 and SP2, apply the patch provided by Microsoft. For Expression Web, update to a newer version to mitigate the risk. For Expression Web 2, apply the patch provided by Microsoft. For Groove 2007 versions Gold and SP1, update to a newer version to mitigate the risk. For Works version 8.5, avoid opening specially crafted PNG image files until a patch is available. For SQL Server 2000 Reporting Services version SP2, apply the patch provided by Microsoft. For SQL Server 2005 versions SP2 and SP3, update to a newer version to mitigate the risk. For Report Viewer 2005 version SP1, apply the patch provided by Microsoft. For Report Viewer 2008 versions Gold and SP1, update to a newer version to mitigate the risk. For Forefront Client Security version 1.0, avoid opening specially crafted PNG image files until a patch is available.