Microsoft Windows Enhanced Metafile (EMF) buffer overflow (Image_EMF_Long_Description)

About this signature or vulnerability

Proventia G-Series, Proventia Network IPS, Proventia Desktop, Proventia M-Series, BlackICE Server Protection, Proventia Server for Windows, BlackICE PC Protection, BlackICE Agent for Server, RealSecure Network Sensor, RealSecure Server Sensor:

Triggers if the description field in an Enhanced Metafile (EMF) exceeds pam.content.emf.description.threshold, which defaults to 128 bytes.
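The same kind of check, written out as an added Python example (not the sensor's own code): it reads the nDescription and offDescription fields of the EMF header record and flags values above the page's 128 default. It assumes the threshold is compared directly against the raw nDescription value, which the page does not specify; the offset consistency check goes beyond the signature described here, and the sample headers are constructed.

```python
import struct

EMR_HEADER = 1                 # record type of the first EMF record
EMF_SIGNATURE = 0x464D4520     # " EMF" read as a little-endian DWORD
BASE_HEADER_LEN = 88           # fixed part of the EMF header record
DEFAULT_THRESHOLD = 128        # page's default for pam.content.emf.description.threshold


def check_emf_description(data, threshold=DEFAULT_THRESHOLD):
    """Return (verdict, nDescription) for a buffer holding the start of a file.

    verdict is 'not-emf', 'ok', 'long-description' or 'bad-offset'.
    """
    if len(data) < BASE_HEADER_LEN:
        return ("not-emf", None)
    rec_type, rec_size = struct.unpack_from("<II", data, 0)
    (signature,) = struct.unpack_from("<I", data, 40)
    if rec_type != EMR_HEADER or signature != EMF_SIGNATURE:
        return ("not-emf", None)
    # nDescription (offset 60) and offDescription (offset 64)
    n_desc, off_desc = struct.unpack_from("<II", data, 60)
    if n_desc > threshold:
        return ("long-description", n_desc)
    # Added check: a description must lie inside the header record
    # (2 bytes per UTF-16 character).
    if n_desc and (off_desc < BASE_HEADER_LEN or off_desc + 2 * n_desc > rec_size):
        return ("bad-offset", n_desc)
    return ("ok", n_desc)


def build_header(n_desc, off_desc, desc=b""):
    """Constructed sample: minimal EMF header record with chosen description fields."""
    rec_size = BASE_HEADER_LEN + len(desc)
    hdr = struct.pack("<II", EMR_HEADER, rec_size)     # iType, nSize
    hdr += bytes(32)                                   # rclBounds + rclFrame
    hdr += struct.pack("<IIII", EMF_SIGNATURE, 0x10000, rec_size + 20, 2)  # sig, version, nBytes, nRecords
    hdr += struct.pack("<HH", 1, 0)                    # nHandles, sReserved
    hdr += struct.pack("<III", n_desc, off_desc, 0)    # nDescription, offDescription, nPalEntries
    hdr += bytes(16)                                   # szlDevice + szlMillimeters
    return hdr + desc


if __name__ == "__main__":
    benign = build_header(10, 88, "Demo\0App\0\0".encode("utf-16-le"))
    print(check_emf_description(benign))
    print(check_emf_description(build_header(65535, 88)))
```

Only the first 88 bytes of the file are needed for the length decision, so the check can run on the start of a stream without buffering the whole image.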

Default risk level


Sensors that have this signature

Proventia G-Series: XPU 24.38, Proventia Network IPS: XPU 1.77, Proventia Desktop: 8.0.812.1770, Proventia M-Series: XPU 1.77, BlackICE Server Protection: 3.6.cpi, Proventia Server for Windows: 1.0.914.1770, BlackICE PC Protection: 3.6cpi, BlackICE Agent for Server: 3.6epi, RealSecure Network Sensor: XPU 24.38, RealSecure Server Sensor: XPU 24.38

Systems affected

Windows NT: 4.0 Server SP6a, Windows XP: 64-bit Edition SP1, Windows 2000: SP4, Windows Server 2003: Any version, Windows 2000: SP3, Windows XP: SP1, Windows NT: 4.0 Server TSE SP6, Windows XP: 64-bit Edition 2003, Windows Server 2003: 64-Bit Edition, Windows: 98 Second Edition, Windows: XP, Windows: Me, Windows: 98


Unauthorized Access Attempt

Vulnerability description

Multiple versions of Microsoft Windows are vulnerable to a buffer overflow, caused by improper bounds checking when handling Enhanced Metafile (EMF) image formats. By creating a specially crafted EMF image file containing malicious script, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the victim once the file is opened. An attacker could exploit this vulnerability by hosting the malicious file on a Web site or by sending it to a victim as an HTML email.

Note: This vulnerability is different from the vulnerability addressed in Microsoft Bulletin MS04-011.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS04-032. See References.

For Windows Server 2003:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-018. See References.

Microsoft originally provided a patch for this vulnerability in MS04-032, but it was superseded by the patch released with MS05-018.


References

Microsoft Security Bulletin MS04-032
Security Update for Microsoft Windows (840987)

CIAC Information Bulletin P-008
Microsoft Security Update for Microsoft Windows (840987)

Packet Storm Web site

Microsoft Security Bulletin MS05-018
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege and Denial of Service (890859)

ISS X-Force
Microsoft Windows Enhanced Metafile (EMF) buffer overflow



Date/Time 2006-06-19 06:15:54 JST
Tag Name Image_EMF_Long_Description
Alert Name Image_EMF_Long_Description
Severity High
Observance Type Intrusion Detection
Combined Event Count 1
Cleared Flag false
Target IP Address
Target Object Name 34638
Target Object Type Target Port
Target Service unknown
Source IP Address
SourcePort Name 80
Sensor IP Address
Sensor Name Proventia_M-Series
:accessed yes
:code 200
:Description Length 65535
:protocol http
:Protocol Name TCP
:type attack
:URL /ms04032.wmf
:user-defined false
algorithm-id 2104039
Blocked false
IANAProtocolId 6
Namespace pam
POST Default