Check: 2009-A-0133
Windows 7 IAVM: 2009-A-0133 (in version v1 r32)
Title
Roxio Creator Image Parsing Integer Overflow Vulnerability (Cat II impact)
Discussion
A vulnerability has been identified in certain versions of Roxio Creator. Roxio Creator is a photo, video and audio editing program. To exploit this vulnerability, an attacker would create a malicious file, host it on a web site or send it via email, and entice a user to access the file. If successfully exploited, this vulnerability would allow an attacker to execute arbitrary code in the context of the current user. Failed exploit attempts will result in a denial-of-service condition. At this time, there are no known exploits associated with this vulnerability; JTF-GNO is not aware of any DoD related incidents.

Roxio Creator Image Rendering Integer Overflow Vulnerability (CVE-2009-1566): The vulnerability is caused by an integer overflow error when allocating memory for an image based on its dimensions and can be exploited to corrupt memory via a specially crafted image.
Check Content
Download and apply the appropriate patches from the vendor. See the IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
- Roxio Easy Media Creator 9.0.136
- Roxio Creator 2010 prior to SP1

To determine the version, view Help, About from the application's menu.
Fix Text
Additional Identifiers
Rule ID:
Vulnerability ID: V-22092
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |