CVE-2014-6355

Name of the Vulnerable Software and Affected Versions Microsoft Windows Server 2003 SP2 Microsoft Windows Vista SP2 Microsoft Windows Server 2008 SP2 and R2 SP1 Microsoft Windows 7 SP1 Microsoft Windows 8 Microsoft Windows 8.1 Microsoft Windows Server 2012 Gold and R2 Microsoft Windows RT Gold and 8.1

Description The Microsoft Graphics Component does not properly process JPEG images, making it easier for remote attackers to bypass the Address Space Layout Randomization (ASLR) protection mechanism via a crafted web site. An information disclosure vulnerability exists in the Microsoft Graphics Component, allowing an attacker to more reliably predict the memory offsets of specific instructions in a given call stack. This is caused by the improper handling of JPEG image decoding in memory. The vulnerability by itself does not allow arbitrary code execution but could be used in conjunction with another vulnerability to bypass security features such as ASLR.

Recommendations For Microsoft Windows Server 2003 SP2, update to a version that includes the fix for the Graphics Component Information Disclosure issue. For Microsoft Windows Vista SP2, update to a version that includes the fix for the Graphics Component Information Disclosure issue. For Microsoft Windows Server 2008 SP2 and R2 SP1, update to a version that includes the fix for the Graphics Component Information Disclosure issue. For Microsoft Windows 7 SP1, update to a version that includes the fix for the Graphics Component Information Disclosure issue. For Microsoft Windows 8, update to a version that includes the fix for the Graphics Component Information Disclosure issue. For Microsoft Windows 8.1, update to a version that includes the fix for the Graphics Component Information Disclosure issue. For Microsoft Windows Server 2012 Gold and R2, update to a version that includes the fix for the Graphics Component Information Disclosure issue. For Microsoft Windows RT Gold and 8.1, update to a version that includes the fix for the Graphics Component Information Disclosure issue.