Microsoft Windows Server 2003, XP, 2000, NT 4.0, Millennium Edition and Windows 98 contain two buffer overflow vulnerabilities in the LoadImage() function that could allow a remote attacker to execute arbitrary code on an affected system.
The first vulnerability (CAN-2004-1049) exists because LoadImage() does not properly validate the ImageSize field of user-supplied image files. A remote attacker can exploit it by supplying a specially crafted image file whose ImageSize value triggers an integer overflow in the user32.dll library, so that the buffer allocated for the image is smaller than the data later written into it. Successful exploitation causes a heap-based buffer overflow and allows execution of arbitrary code with the privileges of the user who loads the image.
This vulnerability can be exploited via a malicious web site or an e-mail message that delivers a specially crafted icon (.ico), bitmap (.bmp), cursor (.cur) or animated cursor (.ani) file.
The second vulnerability (CAN-2005-0416) exists because the value stored in the Length_of_AnimationHeader field of an animated cursor file is used without bounds checking. A remote attacker can exploit it by supplying an animated cursor whose AnimationHeaderBlock length field holds an oversized value, which is then used to copy more data than the fixed-size header buffer can hold. Successful exploitation causes a stack-based buffer overflow and allows execution of arbitrary code with the privileges of the user.
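Both bugs follow common parser patterns, and the following added example shows each pattern beside its hardened form. It is illustrative code written for this page, not Microsoft's user32.dll code, and it makes two assumptions that the advisory does not state: that the icon/bitmap loader derives its allocation from width * height * bytes-per-pixel in 32-bit arithmetic and trusts the file's ImageSize field, and that the animated-cursor loader copies the "anih" chunk into a fixed 36-byte header (36 bytes is the documented size of the .ani animation header; the RIFF/ACON container layout is real, but the in-memory .ani file below is constructed for the example).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* ---- Pattern behind CAN-2004-1049: allocation size from untrusted fields ----
 * Assumed loader arithmetic (not from the advisory). The product of three
 * 32-bit values silently wraps, so a huge image can "cost" a tiny buffer. */
uint32_t image_bytes_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * (bpp / 8);           /* wraps at 2^32 */
}

/* Hardened: compute in 64 bits, refuse anything that would not fit in 32,
 * and refuse a declared ImageSize smaller than the geometry requires. */
int image_bytes_checked(uint32_t width, uint32_t height, uint32_t bpp,
                        uint32_t declared_size, uint32_t *out)
{
    if (width == 0 || height == 0 || bpp == 0 || bpp > 32 || bpp % 8 != 0)
        return 0;
    uint64_t need = (uint64_t)width * height * (bpp / 8);
    if (need > UINT32_MAX)                       /* 32-bit math would wrap */
        return 0;
    if (declared_size < need)                    /* header under-reports size */
        return 0;
    *out = (uint32_t)need;
    return 1;
}

/* Convenience wrapper: the validated size, or 0 when the header is rejected. */
uint32_t image_bytes_or_zero(uint32_t w, uint32_t h, uint32_t bpp, uint32_t declared)
{
    uint32_t n = 0;
    return image_bytes_checked(w, h, bpp, declared, &n) ? n : 0;
}

/* ---- Pattern behind CAN-2005-0416: fixed header, attacker-chosen length ----
 * .ani files are RIFF containers ("RIFF" size "ACON" chunks...). The "anih"
 * chunk carries the 36-byte animation header; its length field is untrusted. */
#define ANIH_SIZE 36u

static uint32_t rd32(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Vulnerable shape (illustration only; never call on untrusted data):
 * the chunk's declared length drives a memcpy into a fixed stack buffer. */
void parse_anih_unchecked(const uint8_t *chunk_data, uint32_t declared_len)
{
    uint8_t hdr[ANIH_SIZE];
    memcpy(hdr, chunk_data, declared_len);       /* stack overflow if > 36 */
    (void)hdr;
}

/* Hardened: walk the chunks, check every length against bytes actually
 * present, and insist the anih chunk is exactly ANIH_SIZE.
 * Returns 1 when a valid header was copied into hdr, 0 otherwise. */
int parse_ani_checked(const uint8_t *buf, size_t len, uint8_t hdr[ANIH_SIZE])
{
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0)
        return 0;
    size_t off = 12;
    while (off + 8 <= len) {
        uint32_t clen = rd32(buf + off + 4);
        if (clen > len - (off + 8))              /* chunk runs past end of file */
            return 0;
        if (memcmp(buf + off, "anih", 4) == 0) {
            if (clen != ANIH_SIZE)               /* the CAN-2005-0416 check */
                return 0;
            memcpy(hdr, buf + off + 8, ANIH_SIZE);
            return 1;
        }
        off += 8 + clen + (clen & 1);            /* RIFF pads odd-length chunks */
    }
    return 0;
}

/* Constructed .ani in memory with a chosen anih payload length (sample data). */
size_t build_ani(uint8_t *out, size_t cap, uint32_t anih_len)
{
    size_t total = 12 + 8 + anih_len;
    if (total > cap) return 0;
    memcpy(out, "RIFF", 4); wr32(out + 4, (uint32_t)(total - 8)); memcpy(out + 8, "ACON", 4);
    memcpy(out + 12, "anih", 4); wr32(out + 16, anih_len);
    memset(out + 20, 0x41, anih_len);
    return total;
}

/* Parse a constructed file; optionally corrupt the anih length to point past EOF. */
int demo_ani(uint32_t anih_len, int corrupt_length_field)
{
    uint8_t file[1024], hdr[ANIH_SIZE];
    size_t n = build_ani(file, sizeof file, anih_len);
    if (n == 0) return -1;
    if (corrupt_length_field) wr32(file + 16, 0x7fffffffu);
    return parse_ani_checked(file, n, hdr);
}

int main(void)
{
    printf("unchecked 65536x65536x32 -> %u bytes\n", image_bytes_unchecked(0x10000u, 0x10000u, 32));
    printf("checked   65536x65536x32 -> %u (0 = rejected)\n", image_bytes_or_zero(0x10000u, 0x10000u, 32, 0xffffffffu));
    printf("anih len 36 -> %d, len 512 -> %d, len past EOF -> %d\n",
           demo_ani(36, 0), demo_ani(512, 0), demo_ani(36, 1));
    return 0;
}
```

The unchecked size computation returns 0 for a 65536 x 65536 x 32-bit image, which is exactly the under-allocation that turns the later image decode into a heap overflow; the checked version rejects it. Likewise the checked .ani walker accepts a 36-byte anih chunk and rejects both an oversized one and one whose length field points past the end of the file.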
Exploit code has been released.
Updates are available.