The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Windows, IE: code execution via an AOL ART image

Synthesis of the vulnerability 

An attacker can create a malicious ART image leading to code execution.
Impacted systems: IE, Windows 2000, Windows 2003, Windows 98, Windows ME, Windows XP.
Severity of this alert: 4/4.
Creation date: 14/06/2006.
References of this alert: 918439, BID-18394, CVE-2006-2378, iDefense Security Advisory 06.13.06, MS06-022, VIGILANCE-VUL-5909, VU#923236.

Description of the vulnerability 

The ART image format, developed by AOL, is implemented in the Windows DLLs jgdw400.dll and jgpl400.dll.

An attacker can create an ART image corrupting memory when rendered. This memory corruption leads to code execution with a probability of 75%.

An attacker can therefore invite the user to visit a website, or send the user an email, containing this image. Malicious code can then be executed on the user's computer.

This cybersecurity alert impacts software or systems such as IE, Windows 2000, Windows 2003, Windows 98, Windows ME, Windows XP.

Our Vigil@nce team determined that the severity of this weakness is critical.

The trust level is "confirmed by the editor", and the origin is a document.

An attacker with expert ability can exploit this security weakness.

Solutions for this threat 

Windows, IE: patch and workarounds for AOL ART.
A patch is available:
Windows XP SP1
  http://www.microsoft.com/downloads/details.aspx?FamilyId=F6328F82-457E-44CB-95FB-2DB0E8C9EE3C
Windows XP SP2
  http://www.microsoft.com/downloads/details.aspx?FamilyId=71022EA1-94CB-4FE9-B89E-46876D068B9A
Windows XP Professional x64
  http://www.microsoft.com/downloads/details.aspx?FamilyId=A386523E-96AB-43ED-B189-E13AF497B685
Windows Server 2003 Gold, SP1
  http://www.microsoft.com/downloads/details.aspx?FamilyId=56DF0CF2-9214-4B23-9034-C59E8B7126D6
Windows Server 2003 Itanium-based Gold, SP1
  http://www.microsoft.com/downloads/details.aspx?FamilyId=5E1B95C3-7E75-4468-829C-1DC7B4ECE5D0
Windows Server 2003 x64
  http://www.microsoft.com/downloads/details.aspx?FamilyId=4DC13B7C-01AB-4BB6-9766-0FE0D02E410D
Internet Explorer 5.01 SP4 - Windows 2000 SP4 + Windows 2000 AOL Image Support Update
  http://www.microsoft.com/downloads/details.aspx?FamilyId=AE6D8DA7-B170-416D-8812-265FFA757301
Internet Explorer 6 SP1 - Windows 2000 SP4 + Windows 2000 AOL Image Support Update
  http://www.microsoft.com/downloads/details.aspx?FamilyId=F6328F82-457E-44CB-95FB-2DB0E8C9EE3C
Microsoft's announcement also indicates workarounds.
