NVD脆弱性詳細

CVE-2008-3013

概要	gdiplus.dll in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, Office XP SP3, Office 2003 SP2 and SP3, 2007 Microsoft Office System Gold and SP1, Visio 2002 SP2, PowerPoint Viewer 2003, Works 8, Digital Image Suite 2006, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2, Report Viewer 2005 SP1 and 2008, and Forefront Client Security 1.0 allows remote attackers to execute arbitrary code via a malformed GIF image file containing many extension markers for graphic control extensions and subsequent unknown labels, aka "GDI+ GIF Parsing Vulnerability."
概要	La biblioteca gdiplus.dll en GDI en Microsoft Internet Explorer versión 6 SP1, Windows XP SP2 y SP3, Server 2003 SP1 y SP2, Vista Gold y SP1, Server 2008, Office XP SP3, Office 2003 SP2 y SP3, 2007 Microsoft Office System Gold y SP1, Visio 2002 SP2, PowerPoint Viewer 2003, Works versión 8, Digital Image Suite 2006, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2, Report Viewer 2005 SP1 y 2008, y Forefront Client Security versión 1.0, permite a los atacantes remotos ejecutar código arbitrario por medio de un archivo de imagen GIF malformado que contiene muchos marcadores de extensión para extensiones de control gráfico y etiquetas desconocidas posteriores, también se conoce como "GDI+ GIF Parsing Vulnerability."
公表日	2008年9月11日10:11
登録日	2021年1月29日13:38
最終更新日	2026年4月23日9:35

CVSS2.0 : HIGH
スコア	9.3
ベクター	AV:N/AC:M/Au:N/C:C/I:C/A:C
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	中
攻撃前の認証要否(Au)	不要
機密性への影響(C)	高
完全性への影響(I)	高
可用性への影響(A)	高
全ての特権を取得	はい
ユーザー権限を取得	いいえ
その他の権限を取得	いいえ
ユーザー操作が必要	はい

影響を受けるソフトウェアの構成

構成1	以上	以下	より上	未満
cpe:2.3:a:microsoft:digital_image_suite:2006:::::::*
cpe:2.3:a:microsoft:forefront_client_security:1.0:::::::*
cpe:2.3:a:microsoft:internet_explorer:6:sp1::::::
cpe:2.3:a:microsoft:office:2003:sp2::::::
cpe:2.3:a:microsoft:office:2003:sp3::::::
cpe:2.3:a:microsoft:office:2007::gold:::::
cpe:2.3:a:microsoft:office:2007:sp1::::::
cpe:2.3:a:microsoft:office:xp:sp3::::::
cpe:2.3:a:microsoft:powerpoint_viewer:2003:::::::*
cpe:2.3:a:microsoft:report_viewer:2005:sp1::::::
cpe:2.3:a:microsoft:report_viewer:2008:::::::*
cpe:2.3:a:microsoft:sql_server:2005:sp2::::::
cpe:2.3:a:microsoft:sql_server_reporting_services:2000:sp2::::::
cpe:2.3:a:microsoft:visio:2002:sp2::::::
cpe:2.3:a:microsoft:works:8.0:::::::*
cpe:2.3:o:microsoft:windows_server_2008:-:::::::*
cpe:2.3:o:microsoft:windows_vista::gold::::::*
cpe:2.3:o:microsoft:windows_vista::sp2::::::*
cpe:2.3:o:microsoft:windows_xp::sp2::::::*
cpe:2.3:o:microsoft:windows_xp::sp3::::::*

関連情報、対策とツール

No	URL	refsource
1	http://ifsec.blogspot.com/2008/09/windows-gdi-gif-memory-corruption.html	secure@microsoft.com
2	http://marc.info/?l=bugtraq&m=122235754013992&w=2	secure@microsoft.com
3	http://secunia.com/advisories/32154	secure@microsoft.com
4	http://www.securityfocus.com/archive/1/496154/100/0/threaded	secure@microsoft.com
5	http://www.securityfocus.com/bid/31020	secure@microsoft.com
6	http://www.securitytracker.com/id?1020836	secure@microsoft.com
7	http://www.us-cert.gov/cas/techalerts/TA08-253A.html	secure@microsoft.com
8	http://www.vupen.com/english/advisories/2008/2520	secure@microsoft.com
9	http://www.vupen.com/english/advisories/2008/2696	secure@microsoft.com
10	http://www.zerodayinitiative.com/advisories/ZDI-08-056	secure@microsoft.com
11	http://www.zerodayinitiative.com/advisories/ZDI-08-056/	secure@microsoft.com
12	https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-052	secure@microsoft.com
13	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5986	secure@microsoft.com
14	http://ifsec.blogspot.com/2008/09/windows-gdi-gif-memory-corruption.html	af854a3a-2127-422b-91ae-364da2661108
15	http://marc.info/?l=bugtraq&m=122235754013992&w=2	af854a3a-2127-422b-91ae-364da2661108
16	http://secunia.com/advisories/32154	af854a3a-2127-422b-91ae-364da2661108
17	http://www.securityfocus.com/archive/1/496154/100/0/threaded	af854a3a-2127-422b-91ae-364da2661108
18	http://www.securityfocus.com/bid/31020	af854a3a-2127-422b-91ae-364da2661108
19	http://www.securitytracker.com/id?1020836	af854a3a-2127-422b-91ae-364da2661108
20	http://www.us-cert.gov/cas/techalerts/TA08-253A.html	af854a3a-2127-422b-91ae-364da2661108
21	http://www.vupen.com/english/advisories/2008/2520	af854a3a-2127-422b-91ae-364da2661108
22	http://www.vupen.com/english/advisories/2008/2696	af854a3a-2127-422b-91ae-364da2661108
23	http://www.zerodayinitiative.com/advisories/ZDI-08-056	af854a3a-2127-422b-91ae-364da2661108
24	http://www.zerodayinitiative.com/advisories/ZDI-08-056/	af854a3a-2127-422b-91ae-364da2661108
25	https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-052	af854a3a-2127-422b-91ae-364da2661108
26	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5986	af854a3a-2127-422b-91ae-364da2661108

共通脆弱性一覧

No	CWE	名前	URL
1	CWE-399	リソース管理の問題	https://cwe.mitre.org/data/definitions/399.html

構成1	以上	以下	より上	未満
cpe:2.3:a:microsoft:digital_image_suite:2006:::::::*
cpe:2.3:a:microsoft:forefront_client_security:1.0:::::::*
cpe:2.3:a:microsoft:internet_explorer:6:sp1::::::
cpe:2.3:a:microsoft:office:2003:sp2::::::
cpe:2.3:a:microsoft:office:2003:sp3::::::
cpe:2.3:a:microsoft:office:2007::gold:::::
cpe:2.3:a:microsoft:office:2007:sp1::::::
cpe:2.3:a:microsoft:office:xp:sp3::::::
cpe:2.3:a:microsoft:powerpoint_viewer:2003:::::::*
cpe:2.3:a:microsoft:report_viewer:2005:sp1::::::
cpe:2.3:a:microsoft:report_viewer:2008:::::::*
cpe:2.3:a:microsoft:sql_server:2005:sp2::::::
cpe:2.3:a:microsoft:sql_server_reporting_services:2000:sp2::::::
cpe:2.3:a:microsoft:visio:2002:sp2::::::
cpe:2.3:a:microsoft:works:8.0:::::::*
cpe:2.3:o:microsoft:windows_server_2008:-:::::::*
cpe:2.3:o:microsoft:windows_vista::gold::::::*
cpe:2.3:o:microsoft:windows_vista::sp2::::::*
cpe:2.3:o:microsoft:windows_xp::sp2::::::*
cpe:2.3:o:microsoft:windows_xp::sp3::::::*