PT-2014-1672 · Microsoft · Windows RT +16
Ben Hawkes +2
Published 2014-06-10 · Updated 2019-05-17
CVE-2014-1818
CVSS v2.0: 9.3 (High)
| Vector | AV:N/AC:M/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
GDI+ in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1
Office 2007 SP3 and 2010 SP1 and SP2
Live Meeting 2007 Console
Lync 2010 and 2013
Lync 2010 Attendee
Lync Basic 2013
Description
A remote code execution issue exists in the way GDI+ handles validation of specially crafted images. The issue could allow remote code execution if a user opens a specially crafted image. An attacker who successfully exploits this issue could take complete control of an affected system, then install programs, view, change, or delete data, or create new accounts with full user rights. Users with limited system rights are less impacted than those operating with administrative user rights.
Recommendations
For Microsoft Windows Server 2003 SP2, update to a newer version to mitigate the risk.
For Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, update to a newer version to mitigate the risk.
For Office 2007 SP3 and 2010 SP1 and SP2, update to a newer version to mitigate the risk.
For Live Meeting 2007 Console, Lync 2010 and 2013, Lync 2010 Attendee, and Lync Basic 2013, update to a newer version to mitigate the risk.
As a temporary workaround, consider restricting the use of GDI+ until a patch is available.
Fix
RCE
Affected Products
GDI+
Live Meeting 2007
Lync 2010
Lync 2013
Lync Basic 2013
Office
Office 2007
Office 2010
Windows
Windows 7
Windows 8
Windows 8.1
Windows RT
Windows Server 2003
Windows Server 2008
Windows Server 2012
Windows Vista