In association with heise online

08 June 2007, 12:54

Two vulnerabilities in Windows XP


Two newly detected vulnerabilities in Windows cause Windows Explorer to crash and restart repeatedly, effectively denying service to the system. The first bug is an integer division-by-zero flaw in the Windows GDI+ component (gdiplus.dll) that is triggered by malformed ICO files and raises an exception. According to the advisory, setting the value of the InfoHeader Height in an ICO file to zero is enough to crash an application that uses the graphics library. For Windows Explorer, opening a directory in which a malformed file is stored will cause a crash. In addition to Windows Explorer, the Windows Image and Fax Viewer also uses the GDI+ component. No patch is available for this vulnerability, which is not present in Vista. Deleting the file via the command prompt helps to remedy the problem. According to the advisory, the flaw, which affects Windows XP, will not be fixed before the upcoming release of Service Pack 3.
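A defensive check for the ICO condition described above, as an added example that is not part of the original article or the advisory: it reads each image's InfoHeader and reports the images whose Height field is zero, without handing the file to any graphics library. The function names and the constructed header-only sample are assumptions; the layout used is the standard ICO one (6-byte ICONDIR, 16-byte directory entries, 40-byte BITMAPINFOHEADER).

```python
import os
import struct

ICONDIR = struct.Struct("<HHH")            # reserved, type (1 = icon), image count
ICONDIRENTRY = struct.Struct("<BBBBHHII")  # last two fields: image size, image offset
INFOHEADER = struct.Struct("<Iii")         # biSize, biWidth, biHeight
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def zero_height_images(data):
    """Return the indexes of images whose InfoHeader Height is 0.
    Raises ValueError if the bytes are not a parseable ICO file."""
    flagged = []
    try:
        reserved, kind, count = ICONDIR.unpack_from(data, 0)
        if reserved != 0 or kind != 1:
            raise ValueError("not an ICO file")
        for i in range(count):
            entry_pos = ICONDIR.size + i * ICONDIRENTRY.size
            offset = ICONDIRENTRY.unpack_from(data, entry_pos)[7]
            if data[offset:offset + 8] == PNG_MAGIC:
                continue  # PNG-encoded image: it has no InfoHeader
            if INFOHEADER.unpack_from(data, offset)[2] == 0:
                flagged.append(i)
    except struct.error as exc:
        raise ValueError("truncated ICO file") from exc
    return flagged

def scan_directory(path):
    """Map each .ico file name in path to its list of zero-height image indexes."""
    hits = {}
    for entry in os.scandir(path):
        if not (entry.is_file() and entry.name.lower().endswith(".ico")):
            continue
        with open(entry.path, "rb") as fh:
            data = fh.read()
        try:
            bad = zero_height_images(data)
        except ValueError:
            continue  # unparseable files are skipped here, not reported
        if bad:
            hits[entry.name] = bad
    return hits

def sample_ico(height):
    """Constructed test input: one directory entry and a 40-byte InfoHeader, no pixel data."""
    header = struct.pack("<IiiHHIIiiII", 40, 16, height, 1, 32, 0, 0, 0, 0, 0, 0)
    entry = ICONDIRENTRY.pack(16, 16, 0, 0, 1, 32, len(header), ICONDIR.size + ICONDIRENTRY.size)
    return ICONDIR.pack(0, 1, 1) + entry + header
```
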

The second bug is a vulnerability in Windows Explorer under Windows XP SP2 and occurs when two link files (*.lnk) reference each other. Opening a directory containing two such files causes Windows Explorer to crash. If the file is stored on the desktop, the crash will happen shortly after boot-up. The same occurs when the ICO DoS vulnerability is exploited. Microsoft has been informed of this bug; it is, however, unclear whether a patch will be provided.

To remove the files, users can, for instance, boot their system in safe mode and use the command prompt. The antivirus programs tested by heise in the 12/06 issue of c't within the magazine’s test of Internet security suites were able to handle such cross-links when searching directories.

(mba)

Permalink: http://h-online.com/-733023
 

