CVE-2015-0080

Name of the Vulnerable Software and Affected Versions Microsoft Windows Server 2003 SP2 Microsoft Windows Vista SP2 Microsoft Windows Server 2008 SP2 and R2 SP1 Microsoft Windows 7 SP1 Microsoft Windows 8 Microsoft Windows 8.1 Microsoft Windows Server 2012 Gold and R2 Microsoft Windows RT Gold and 8.1

Description The issue arises from improper initialization of memory when rendering malformed PNG images, allowing remote attackers to obtain sensitive information from process memory via a crafted website. An information disclosure vulnerability exists when the system fails to properly handle uninitialized memory while parsing specially crafted PNG image format files. This could enable an attacker to read data not intended for disclosure if a user visits a website containing specially crafted PNG images. The vulnerability does not allow code execution or direct user rights elevation but could be used to obtain information for further system compromise.

Recommendations For Microsoft Windows Server 2003 SP2, update to a version that properly initializes memory for PNG image rendering. For Microsoft Windows Vista SP2, apply a patch that corrects the handling of uninitialized memory for PNG images. For Microsoft Windows Server 2008 SP2 and R2 SP1, install an update that fixes the information disclosure vulnerability related to PNG image parsing. For Microsoft Windows 7 SP1, apply a security update that addresses the improper memory initialization for malformed PNG images. For Microsoft Windows 8, install a patch that properly handles uninitialized memory when parsing PNG images. For Microsoft Windows 8.1, update to a version that corrects the information disclosure issue related to specially crafted PNG images. For Microsoft Windows Server 2012 Gold and R2, apply a security fix that initializes memory correctly for PNG image rendering. For Microsoft Windows RT Gold and 8.1, install an update that addresses the vulnerability in handling uninitialized memory for PNG images.