Secunia Advisory: SA10968
Release Date: 2004-02-25
Critical: Moderately critical
Impact: Privilege escalation
DoS
System access
Where: From remote
OS: Microsoft Windows XP Home Edition
Microsoft Windows XP Professional
Description:
A vulnerability has been reported in Windows XP, which potentially can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to boundary errors (possibly in "shimgvw.dll") when processing Enhanced Metafiles (".emf"). The problem is that memory is allocated based on size information in the file's header.
This can be exploited to cause heap overflows by specifying a "Size" field, which is smaller (e.g. 1 byte) than the actual size of the file and header. The vulnerability will be triggered by either viewing a malicious file or by navigating to a directory, which contains a malicious file and displays it as a thumbnail.
Successful exploitation crashes "explorer.exe" but may reportedly also allow execution of arbitrary code.
NOTE: Windows Metafiles (".wmf") with malformed "Size" fields will also impact functionality somewhat by consuming 99% CPU resources.
Solution:
Grant only trusted users access to affected systems. Don't view untrusted ".emf" files. Don't display the contents of directories as thumbnails.
http://secunia.com/advisories/10968/

Chowhound
Comic Vine
GameFAQs
GameSpot
Giant Bomb
TechRepublic