An attacker could exploit the vulnerability in several ways, all of which require user interaction. The attacker could convince a user, most likely by sending a link, to visit a website that hosts a malicious image; could convince the user to view an image embedded in a separate document; or could deliver the image directly and convince the user to open it. E-mail is another vector: Outlook and Outlook Express display embedded images automatically when the user opens a message that contains one, so no further action by the user is needed. In every case, a successful exploit allows the attacker to execute arbitrary code with the privileges of the user who viewed the image.
Systems on which users run with restricted privileges limit the impact of a successful exploit, because the attacker's code inherits only those limited rights. Where users hold Administrator privileges, the same exploit can result in a complete system compromise.
The Cisco Applied Intelligence team has created an Applied Mitigation Bulletin to address vulnerabilities that Microsoft disclosed in the August 2008 security bulletin release. This Cisco bulletin, which assists administrators in identifying or mitigating these vulnerabilities using Cisco devices, is available at the following link: Cisco Applied Mitigation Bulletin: Microsoft Security Bulletin for August 2008
Microsoft has corrected the vulnerability by adding boundary checks on image color information before it is processed, so that values declared in the image file can no longer cause writes beyond the buffers that hold the color data.
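To illustrate the class of defect the fix addresses, the following is an added example and not Microsoft's code or any real image parser: a hypothetical image color table whose header declares an entry count, parsed once without a boundary check (the pattern the vulnerability describes) and once with the checks the fix adds. The table layout, field names and sample blobs are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical color-table layout (constructed for this example):
 *   uint16_t little-endian entry count, followed by count * 4 bytes (R,G,B,A). */
#define MAX_COLOR_ENTRIES 16
#define ENTRY_SIZE 4

typedef struct {
    uint8_t table[MAX_COLOR_ENTRIES * ENTRY_SIZE]; /* fixed-size destination */
    uint16_t count;
} color_table_t;

static uint16_t read_count(const uint8_t *buf) {
    return (uint16_t)(buf[0] | (buf[1] << 8));
}

/* Number of bytes the unchecked parser would copy, driven solely by the file. */
size_t declared_copy_size(const uint8_t *buf, size_t len) {
    if (len < 2) return 0;
    return (size_t)read_count(buf) * ENTRY_SIZE;
}

/* Vulnerable pattern: the count from the file is trusted. A count above
 * MAX_COLOR_ENTRIES writes past out->table, and a blob shorter than the
 * declared size reads past buf. Only call this on well-formed input. */
int parse_color_table_unchecked(const uint8_t *buf, size_t len, color_table_t *out) {
    if (len < 2) return -1;
    uint16_t count = read_count(buf);
    /* BUG: no check of count against the destination or of len against count. */
    memcpy(out->table, buf + 2, (size_t)count * ENTRY_SIZE);
    out->count = count;
    return 0;
}

/* Hardened form: bound the count by the destination and the source length. */
int parse_color_table_checked(const uint8_t *buf, size_t len, color_table_t *out) {
    if (len < 2) return -1;                                  /* header missing   */
    uint16_t count = read_count(buf);
    if (count > MAX_COLOR_ENTRIES) return -2;                /* would overflow   */
    if (len - 2 < (size_t)count * ENTRY_SIZE) return -3;     /* blob truncated   */
    memcpy(out->table, buf + 2, (size_t)count * ENTRY_SIZE);
    out->count = count;
    return 0;
}

/* Constructed sample inputs. */
const uint8_t good_blob[] = { 0x02, 0x00, 255, 0, 0, 255, 0, 255, 0, 255 }; /* 2 entries */
const uint8_t huge_blob[] = { 0xFF, 0xFF, 1, 2, 3, 4 };   /* claims 65535 entries   */
const uint8_t short_blob[] = { 0x03, 0x00, 1, 2, 3, 4, 5, 6, 7, 8 }; /* claims 3, has 2 */

int main(void) {
    color_table_t t;
    printf("unchecked parser would copy %zu bytes into a %zu-byte table\n",
           declared_copy_size(huge_blob, sizeof huge_blob), sizeof t.table);
    printf("checked: good=%d huge=%d short=%d\n",
           parse_color_table_checked(good_blob, sizeof good_blob, &t),
           parse_color_table_checked(huge_blob, sizeof huge_blob, &t),
           parse_color_table_checked(short_blob, sizeof short_blob, &t));
    return 0;
}
```

The two added checks are the whole fix: the count is compared against the fixed destination before the copy, and the source length is compared against the count so a truncated file cannot cause an over-read. Note that `len - 2` is safe only because `len < 2` was rejected first; ordering such checks to avoid unsigned wraparound is part of doing boundary checking correctly.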