[K5pbem] The Zone???

Jeff Skagen jeff.skagen at verizon.net
Sat Mar 18 04:26:56 CST 2006


----- Original Message ----- 
From: "Mike Surbrook" <susano at guisarme.net>
To: <k5pbem at devermore.net>
Sent: Thursday, March 16, 2006 12:31 PM
Subject: [K5pbem] The Zone???


Hey guys, be aware that as soon as I started to access the website, my
Norton Antivirus popped up to warn me it had blocked an attempt to download
a worm onto my system from the site. I strongly suggest you don't click the
link if you haven't already.


Details: Attempted Intrusion "ICC Profile TagData Overflow" against your
machine was detected and blocked.
Intruder: oboylephoto.com(70.103.189.86)(http(80)).
Risk Level: High.


And the following info is from the Symantec Website:


ICC Profile TagData Overflow
Severity: High

This attack could pose a serious security threat. You should take immediate
action to stop any damage or prevent further damage from happening.


Description

This signature detects an attempt to exploit a vulnerability in Windows
Color Management Module.


Additional Information

Microsoft Windows provides an implementation for the ICC (International
Color Management) standard through the Color Management Module. The ICC
standard is a cross-platform, cross-format color consistency specification.
The purpose of ICC is to allow for colors to be rendered uniformly across
different devices and platforms. Many image and document formats support
inclusion of ICC data in the form of color profiles that are embedded in the
files themselves.

Microsoft Windows is prone to a buffer overflow vulnerability in the Color
Management Module. The issue is due to a boundary condition error related to
the parsing of ICC (International Color Consortium) Profile tags in various
supported image and document formats.

The specific vulnerability is due to a memory copy operation in the
'mscms.dll' (Microsoft Color Management System) library. ICC XYZType (rXYZ,
gXYZ, bXYZ) tag data from within the file is copied into a static
stack-based buffer of 224 bytes, which is declared in the 'icm32.dll'
(Integrated Color Management) library. The Microsoft GDI library calls both
of these libraries when a supported file type with embedded ICC data is
rendered.

Memory corruption resulting from this vulnerability may allow an attacker to
overwrite sensitive variables in memory such as a return address or
Structured Exception Handler (SEH), allowing the attacker to influence
program execution flow. This is sufficient for an attacker to execute
arbitrary code.

ICC Profile data may possibly be embedded in various file formats, including
JPEG, GIF, EXIF, TIFF, PNG, PICT, PDF, PostScript, SVG, JDF, and CSS3. Some
of these formats may not provide an attack vector, especially if Microsoft
does not provide native support or does not call the vulnerable
functionality when handling certain formats. Formats that may not be
affected due to lack of native support are PDF, PICT, and PostScript, though
this has not been confirmed.

Successful exploitation may result in execution of arbitrary code in the
context of the currently logged-in user. This vulnerability could be
exploited through a Web site that hosts a malicious document, by previewing
or opening malicious content in email, or through other means that will
allow an attacker to send the victim a malicious document.

There is also a risk that other Microsoft or third-party applications that
rely on the affected functionality may be vulnerable. A number of
third-party applications may ship with vulnerable libraries, so may remain
vulnerable despite having applied the Microsoft patch. Symantec is not aware
of any such vendors at the time of writing.


Possible False Positives

There are no known false positives associated with this signature.

________________
Jeff Skagen
jeff.skagen at verizon.net
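
A defender-side check for the condition the Symantec text describes, added here as an example and not part of the original mail or of Symantec's signature: it walks an ICC profile's tag table and flags rXYZ/gXYZ/bXYZ tags whose data is larger than the 224-byte buffer named above, or that point outside the file. It assumes the public ICC profile layout (128-byte header with 'acsp' at offset 36, tag table at offset 128, 12-byte entries) and the 224-byte figure from the description; the sample profiles are constructed, not real files.

```python
import struct

# Figures taken from the Symantec description above: the XYZType tags named
# there and the 224-byte stack buffer in icm32.dll that their data is copied into.
STACK_BUF = 224
XYZ_TAGS = {b"rXYZ", b"gXYZ", b"bXYZ"}
XYZTYPE_SIZE = 20  # 'XYZ ' type signature + 4 reserved bytes + one 12-byte XYZNumber


def scan_icc_profile(data: bytes) -> list:
    """Walk the ICC tag table and report XYZType tags whose data could not fit
    the buffer, or which point outside the profile (malformed)."""
    findings = []
    if len(data) < 132 or data[36:40] != b"acsp":
        return [("header", "not an ICC profile")]
    tag_count = struct.unpack(">I", data[128:132])[0]
    if 132 + tag_count * 12 > len(data):
        return [("table", "tag table truncated")]
    for i in range(tag_count):
        entry = data[132 + i * 12:144 + i * 12]
        sig, off, size = struct.unpack(">4sII", entry)  # signature, offset, size
        if sig not in XYZ_TAGS:
            continue
        if off + size > len(data):
            findings.append((sig.decode(), "tag extends past end of profile"))
        elif size > STACK_BUF:
            findings.append((sig.decode(), f"size {size} exceeds {STACK_BUF}-byte buffer"))
        elif size != XYZTYPE_SIZE:
            findings.append((sig.decode(), f"unexpected XYZType size {size}"))
    return findings


def build_profile(tags) -> bytes:
    """Constructed test fixture: 128-byte header with 'acsp' at offset 36,
    tag count plus 12-byte table entries at offset 128, then the tag data blobs."""
    table_len = 4 + 12 * len(tags)
    table, body = struct.pack(">I", len(tags)), b""
    for sig, blob in tags:
        table += struct.pack(">4sII", sig, 128 + table_len + len(body), len(blob))
        body += blob
    header = struct.pack(">I", 128 + table_len + len(body)) + b"\0" * 32 + b"acsp" + b"\0" * 88
    return header + table + body


# Constructed samples: a well-formed XYZType tag (s15Fixed16 values are made up),
# a benign profile, and a profile whose rXYZ tag carries 300 data bytes instead of 12.
XYZ_OK = b"XYZ " + b"\0" * 4 + struct.pack(">iii", 0x0000F6D6, 0x00010000, 0x0000D32D)
BENIGN = build_profile([(b"desc", b"\0" * 40), (b"rXYZ", XYZ_OK), (b"gXYZ", XYZ_OK)])
OVERSIZED = build_profile([(b"rXYZ", b"XYZ " + b"\0" * 4 + b"\0" * 300)])
```

Running the scanner over profiles extracted from images (for example, the ICC APP2 segment of a JPEG) before they reach a renderer gives a cheap pre-filter for the oversized-tag case; a size-only check will not catch every malformed profile, so treat a clean result as necessary rather than sufficient.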

More information about the K5pbem mailing list