Check Point Advisories

Microsoft Windows Canonical Display Driver Denial Of Service (CVE-2009-3678)

Vulnerability
Protection

Check Point Reference:	CPAI-2010-083
Date Published:	20 May 2010
Severity:	High
Last Updated:	Thursday 20 May, 2010
Source:
Industry Reference:	CVE-2009-3678
Protection Provided by:	Security Gateway R81, R80, R77, R75, R71, R70
Who is Vulnerable?
Vulnerability Description	The Canonical Display Driver (cdd.dll) is used by desktop composition to blend GDI and DirectX drawing. CDD emulates the interface of a Windows XP display driver for interactions with the Win32k GDI graphics engine. A remote code execution vulnerability has been reported in Microsoft Windows Canonical Display Driver (cdd.dll). The vulnerability is due to an error in the Windows Canonical Display Driver that fails to properly parse information copied from user mode to kernel mode. A remote attacker may exploit this issue by convincing a user to view a specially crafted image file with an affected application. Only applications that use the APIs for GDI for rendering images are affected by this issue. Successful exploitation of this vulnerability could cause the affected system to stop responding and automatically restart.

Protection Overview

This protection will detect and block attempts to exploit this vulnerability.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75 / R71 / R70

In the IPS tab, click Protections and find the Microsoft Windows Canonical Display Driver Denial Of Service protection using the Search tool and Edit the protection's settings.
Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name: Content Protection Violation.
Attack Information: Microsoft Windows canonical display driver denial of service