Vulnerability Description
GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Windows Server 2003 SP2, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003 Gold and SP3, Office Excel Viewer, Office PowerPoint Viewer 2007 Gold, SP1, and SP2, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, Expression Web, Expression Web 2, Groove 2007 Gold and SP1, Works 8.5, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2 and SP3, Report Viewer 2005 SP1, Report Viewer 2008 Gold and SP1, and Forefront Client Security 1.0 does not properly allocate an unspecified buffer, which allows remote attackers to execute arbitrary code via a crafted TIFF image file that triggers memory corruption, aka "GDI+ TIFF Memory Corruption Vulnerability."
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Microsoft | Windows 2003 Server | All versions |
| Microsoft | Windows Server 2008 | All versions |
| Microsoft | Windows Vista | All versions |
| Microsoft | Windows Xp | All versions |
| Microsoft | Windows 2000 | All versions |
| Microsoft | .Net Framework | 1.1 |
| Microsoft | Internet Explorer | 6 |
| Microsoft | Report Viewer | 2005 |
| Microsoft | Sql Server | 2005 |
| Microsoft | Sql Server Reporting Services | 2000 |
| Microsoft | Excel Viewer | 2003 |
| Microsoft | Expression Web | All versions |
| Microsoft | Office | 2003 |
| Microsoft | Office Compatibility Pack | 2007 |
| Microsoft | Office Excel Viewer | All versions |
| Microsoft | Office Groove | 2007 |
| Microsoft | Office Powerpoint Viewer | All versions |
| Microsoft | Office Word Viewer | All versions |
| Microsoft | Project | 2002 |
| Microsoft | Visio | 2002 |
Related Weaknesses (CWE)
References
- http://www.us-cert.gov/cas/techalerts/TA09-286A.htmlUS Government Resource
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-06
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3
- http://www.us-cert.gov/cas/techalerts/TA09-286A.htmlUS Government Resource
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-06
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3
FAQ
What is CVE-2009-2503?
CVE-2009-2503 is a vulnerability with a CVSS score of 9.3 (HIGH). GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Windows Server 2003 SP2, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 200...
How severe is CVE-2009-2503?
CVE-2009-2503 has been rated HIGH with a CVSS base score of 9.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2009-2503?
Check the references section above for vendor advisories and patch information. Affected products include: Microsoft Windows 2003 Server, Microsoft Windows Server 2008, Microsoft Windows Vista, Microsoft Windows Xp, Microsoft Windows 2000.