{"vuid":"VU#189754","idnumber":"189754","name":"Microsoft Internet Explorer buffer overflow in PNG image rendering component","keywords":["Microsoft Internet Explorer","buffer overflow","PNG arbitrary code"],"overview":"A buffer overflow in the PNG image rendering component of Microsoft Internet Explorer (IE) may allow a remote attacker to execute code on a vulnerable system.","clean_desc":"The Portable Network Graphics (PNG) image format is used as an alternative to other image formats such as the Graphics Interchange Format (GIF). Microsoft Internet Explorer supports the PNG image format. The PNG image rendering component of Microsoft Internet Explorer (pngfilt.dll) does not properly handle PNG image files, potentially allowing a buffer overflow to occur. If a remote attacker can persuade a user to access a specially crafted PNG image with IE, that attacker may be able to trigger the buffer overflow. For more information about affected components, please refer to MS05-025. Please note that Microsoft has reported that this issue is distinct from those previously reported in VU#817368 and VU#388984 (CAN-2004-0597).","impact":"If a user opens a specially crafted PNG image using a vulnerable version of Internet Explorer, an attacker may be able to execute arbitrary code with the privileges of the user or cause Internet Explorer to terminate.","resolution":"Apply an update\nMicrosoft has addressed this issue in Microsoft Security Bulletin MS05-025.","workarounds":"Microsoft Security Bulletin MS05-025 suggests the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors.\nDisable PNG rendering\nUntil the patch can be applied, you may wish to disable the PNG rendering in IE. To disable the PNG rendering, follow these steps: Click Start, click Run, type \"regsvr32 /u pngfilt.dll\" (without the quotation marks), and then click OK. A dialog box appears to confirm that the unregistration process has succeeded.
Click OK to close the dialog box. Close Internet Explorer, and reopen it for the changes to take effect.\nIn addition, the following techniques may reduce the likelihood of exploitation:\nRead and send email in plain text format\nOutlook 2003, Outlook 2002 SP1, and Outlook 6 SP1 can be configured to view email messages in text format. Consider the security of fellow Internet users and send email in plain text format when possible. Note that reading and sending email in plain text will not necessarily prevent exploitation of this vulnerability.\nDo not follow unsolicited links\nTo convince users to visit their sites, attackers often use URL encoding, IP address variations, long URLs, intentional misspellings, and other techniques to create misleading links. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.","sysaffected":"","thanks":"This vulnerability was reported in Microsoft Security Bulletin MS05-025.
Microsoft credits Mark Dowd of ISS X-Force for providing information regarding this vulnerability.","author":"This document was written by Jeff Gennari.","public":["http://www.microsoft.com/technet/security/bulletin/ms05-025.mspx"],"cveids":["CVE-2005-1211"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2005-06-14T22:50:37Z","publicdate":"2005-06-14T00:00:00Z","datefirstpublished":"2005-06-14T23:33:07Z","dateupdated":"2005-06-27T12:22:36Z","revision":50,"vrda_d1_directreport":"0","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"15","cam_population":"20","cam_impact":"20","cam_easeofexploitation":"10","cam_attackeraccessrequired":"10","cam_scorecurrent":"22.5","cam_scorecurrentwidelyknown":"26.25","cam_scorecurrentwidelyknownexploited":"41.25","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":22.5,"vulnote":null}