Vigil@nce - Windows: information disclosure via JXR
March 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can invite the victim to display a malicious PNG
image, to read a memory fragment of Windows, in order to obtain
sensitive information.
Impacted products: Windows 2008 R0, Windows 2008 R2, Microsoft
Windows 2012, Windows 7, Windows 8, Windows RT, Windows Vista
Severity: 2/4
Creation date: 10/03/2015
DESCRIPTION OF THE VULNERABILITY
The Windows system analyzes JXR (JPEG XR) images before displaying
them.
However, it does not initialize a memory area before returning it
to the user.
An attacker can therefore invite the victim to display a
malicious JXR image, to read a memory fragment of Windows, in
order to obtain sensitive information.
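The bug class described above, shown as an added example that is not from the bulletin or from Windows code: a decoder returns a buffer sized from the image header without initializing the part the file never fills. The toy image format, the static arena standing in for recycled heap memory, and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Toy format, constructed for this example (NOT real JPEG XR):
 * byte 0 = width, byte 1 = height, then width*height 8-bit pixels. */
#define ARENA_SIZE 256
static uint8_t arena[ARENA_SIZE];            /* stands in for a recycled heap block */
static const char STALE[] = "SECRET-TOKEN";  /* constructed sample data */

/* Simulate unrelated code having used the same memory earlier. */
void arena_leave_stale_data(void) {
    memset(arena, 0, sizeof arena);
    memcpy(arena + 4, STALE, sizeof STALE - 1);
}

/* Vulnerable pattern: the output size comes from the header, but only the
 * pixels present in the file are written; the rest keeps its old content. */
size_t decode_vulnerable(const uint8_t *in, size_t in_len, const uint8_t **out) {
    if (in_len < 2) return 0;
    size_t want = (size_t)in[0] * in[1], have = in_len - 2;
    if (want == 0 || want > ARENA_SIZE) return 0;
    memcpy(arena, in + 2, have < want ? have : want);
    *out = arena;
    return want;  /* caller receives `want` bytes, some never initialized */
}

/* Hardened: reject a header that claims more pixels than the file holds,
 * and clear the buffer before filling it (defense in depth). */
size_t decode_hardened(const uint8_t *in, size_t in_len, const uint8_t **out) {
    if (in_len < 2) return 0;
    size_t want = (size_t)in[0] * in[1];
    if (want == 0 || want > ARENA_SIZE || in_len - 2 < want) return 0;
    memset(arena, 0, sizeof arena);
    memcpy(arena, in + 2, want);
    *out = arena;
    return want;
}

/* Returns 1 if the decoded pixels contain the stale marker. */
int leaks_stale_data(const uint8_t *px, size_t n) {
    size_t m = sizeof STALE - 1;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(px + i, STALE, m) == 0) return 1;
    return 0;
}
```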
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Windows-information-disclosure-via-JXR-16373