Subject: [NT] Vulnerability in Graphics Rendering Engine Allows Remote Code Execution
Date: 3 Jan 2006 10:04:34 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com


  Vulnerability in Graphics Rendering Engine Allows Remote Code Execution
------------------------------------------------------------------------


SUMMARY

" <http://wvware.sourceforge.net/caolan/ora-wmf.html> Microsoft Windows 
Metafile Format (WMF) files are used to store both vector and 
bitmap-format graphical data in memory or in disk files. The vector data 
stored in WMF files is described as Microsoft Windows Graphics Device 
Interface (GDI) commands. In the Windows environment these commands are 
interpreted and played back on an output device using the Windows API 
PlayMetaFile() function. Bitmap data stored in a WMF file may be stored in 
the form of a Microsoft Device Dependent Bitmap (DDB), or Device 
Independent Bitmap (DIB)."

Microsoft Windows is vulnerable to remote code execution via an error in 
handling files using the Windows Metafile image format.

DETAILS

Vulnerable Systems:
 * Microsoft Windows 2000 Service Pack 4
 * Microsoft Windows XP Service Pack 1
 * Microsoft Windows XP Service Pack 2
 * Microsoft Windows XP Professional x64 Edition
 * Microsoft Windows Server 2003
 * Microsoft Windows Server 2003 for Itanium-based Systems
 * Microsoft Windows Server 2003 Service Pack 1
 * Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
 * Microsoft Windows Server 2003 x64 Edition
 * Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and 
Microsoft Windows Millennium Edition (ME)

Microsoft is investigating new public reports of a vulnerability in 
Windows. Microsoft is also aware of the public release of detailed exploit 
code that could be used to exploit this vulnerability. Based on our 
investigation, this exploit code could allow an attacker to execute 
arbitrary code on the user's system by hosting a specially crafted Windows 
Metafile (WMF) image on a malicious Web site. Microsoft is aware that this 
vulnerability is being actively exploited.

Microsoft has determined that an attacker using this exploit would have no 
way to force users to visit a malicious Web site. Instead, an attacker 
would have to persuade them to visit the Web site, typically by getting 
them to click a link that takes them to the attacker's Web site. In an 
e-mail based attack, customers would have to be persuaded to click on a 
link within a malicious e-mail or open an attachment that exploited the 
vulnerability. In both the web and email based attacks, the code would 
execute in the security context of the logged-on user. Users whose 
accounts are configured to have fewer user rights on the system could be 
less impacted than users who operate with administrative user rights.

Mitigating Factors:
 * In a Web-based attack scenario, an attacker would have to host a Web 
site that contains a Web page that is used to exploit this vulnerability. 
An attacker would have no way to force users to visit a malicious Web 
site. Instead, an attacker would have to persuade them to visit the Web 
site, typically by getting them to click a link that takes them to the 
attacker's Web site.

 * In an E-mail based attack of the current exploit, customers would have 
to be persuaded to click on a link within a malicious e-mail or open an 
attachment that exploited the vulnerability.

 * An attacker who successfully exploited this vulnerability could gain 
the same user rights as the local user. Users whose accounts are 
configured to have fewer user rights on the system could be less impacted 
than users who operate with administrative user rights.

 * By default, Internet Explorer on Windows Server 2003, on Windows Server 
2003 Service Pack 1, on Windows Server 2003 with Service Pack 1 for 
Itanium-based Systems, and on Windows Server 2003 x64 Edition runs in a 
restricted mode that is known as Enhanced Security Configuration 
(<http://msdn.microsoft.com/library/default.asp?url=/workshop/security/szone/overview/esc_changes.asp>). 
This mode mitigates this vulnerability where 
the e-mail vector is concerned although clicking on a link would still put 
users at risk. In Windows Server 2003, Microsoft Outlook Express uses plain 
text for reading and sending messages by default. When replying to an e-mail 
message that is sent in another format, the response is formatted in plain 
text. See the FAQ section of this vulnerability for more information about 
Internet Explorer Enhanced Security Configuration.

Frequently Asked Questions:
What is the scope of the advisory?
Microsoft is aware of a new vulnerability report affecting the Graphics 
Rendering Engine in Microsoft Windows. This vulnerability affects the 
software that is listed in the Overview section.

Is this a security vulnerability that requires Microsoft to issue a 
security update?
We are currently investigating the issue to determine the appropriate 
course of action for customers. We will include the fix for this issue in 
an upcoming security bulletin.

What causes the vulnerability?
A vulnerability exists in the way specially crafted Windows Metafile (WMF) 
images are handled that could allow arbitrary code to be executed.

What is the Windows Metafile (WMF) image format?
A Windows Metafile (WMF) image is a 16-bit metafile format that can 
contain both vector information and bitmap information. It is optimized 
for the Windows operating system.

For more information about image types and formats, see Microsoft 
Knowledge Base Article 320314 
(<http://support.microsoft.com/default.aspx?scid=kb;en-us;320314>). 
Additional information about these file formats is also available at the 
MSDN Library Web site 
(<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gdicpp/GDIPlus/AboutGDIPlus/ImagesBitmapsandMetafiles/Metafiles.asp>).

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take 
complete control of the affected system. In a Web-based attack scenario, 
an attacker would host a Web site that exploits this vulnerability. An 
attacker would have no way to force users to visit a malicious Web site. 
Instead, an attacker would have to persuade them to visit the Web site, 
typically by getting them to click a link that takes them to the 
attacker's site. It could also be possible to display specially crafted 
Web content by using banner advertisements or by using other methods to 
deliver Web content to affected systems.

How could an attacker exploit the vulnerability?
An attacker could host a malicious Web site that is designed to exploit 
this vulnerability through Internet Explorer and then persuade a user to 
view the Web site.

I am reading e-mail in plain text, does this help mitigate the 
vulnerability?
Yes. Reading e-mail in plain text does mitigate this vulnerability where 
the e-mail vector is concerned although clicking on a link would still put 
users at risk.

Note In Windows Server 2003, Microsoft Outlook Express uses plain text for 
reading and sending messages by default. When replying to an e-mail 
message that is sent in another format, the response is formatted in plain 
text.

I have DEP enabled on my system, does this help mitigate the 
vulnerability?
Software based DEP does not mitigate the vulnerability. However, Hardware 
based DEP may work when enabled: please consult with your hardware 
manufacturer for more information on how to enable this and whether it can 
provide mitigation.

Does this vulnerability affect image formats other than Windows Metafile 
(WMF)?
At this point, the only image format affected is the Windows Metafile 
(WMF) format. It is possible, however, that an attacker could rename the 
file extension of a WMF file to that of a different image format. In this 
situation, it is likely that the Graphics Rendering Engine would detect and 
render the file as a WMF image, which could allow exploitation.

Windows Metafile (WMF) images can be embedded in other files such as Word 
documents. Am I vulnerable to an attack from this vector?
No. While we are investigating the public postings which seek to utilize 
specially crafted WMF files through IE, we are looking thoroughly at all 
instances of WMF handling as part of our investigation. While we're not 
aware of any attempts to embed specially crafted WMF files in, for example, 
Microsoft Word documents, our advice to accept files only from trusted 
sources would apply to any such attempts.

If I block .wmf files by extension, can this protect me against attempts 
to exploit this vulnerability?
No. Because the Graphics Rendering Engine determines file type by means 
other than just looking at the file extensions, it is possible for WMF 
files with changed extensions to still be rendered in a way that could 
exploit the vulnerability.
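The two questions above, and the Summary's description of a WMF as a stream of GDI commands, turn on one point: the Graphics Rendering Engine identifies a metafile by its content, so any defensive check (at a mail gateway, a file share, or an IDS) has to do the same instead of trusting the extension. The Python below is an added example, not code from the advisory or from Microsoft, and it does not reproduce the engine's actual detection logic. It recognises the optional placeable header, validates the standard META_HEADER fields, walks the record stream, and flags structural anomalies such as a record that runs past the end of the file. The header and record layouts are the published WMF format; the sample bytes, file names and anomaly heuristics are constructed for this demonstration.

```python
"""Identify Windows Metafile (WMF) data by content, not by file extension.

Added example (not Microsoft's code): the header layouts below are the
published WMF format; sample bytes and file names are constructed here.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PLACEABLE_KEY = 0x9AC6CDD7      # key of the 22-byte "placeable" WMF header
PLACEABLE_HEADER_LEN = 22
META_HEADER_LEN = 18            # standard META_HEADER: nine 16-bit words
META_EOF = 0x0000               # function code of the terminating record
META_SETMAPMODE = 0x0103        # an ordinary GDI record, used in the sample


@dataclass
class WmfInfo:
    placeable: bool
    file_type: int              # mtType: 1 = in memory, 2 = on disk
    version: int                # mtVersion: 0x0100 or 0x0300
    declared_words: int         # mtSize: metafile size in 16-bit words
    records: List[Tuple[int, int]] = field(default_factory=list)  # (function, size in words)
    anomalies: List[str] = field(default_factory=list)


def parse_wmf(data: bytes) -> Optional[WmfInfo]:
    """Return WmfInfo if the bytes carry a WMF header, whatever the file is called; else None."""
    off, placeable = 0, False
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        placeable, off = True, PLACEABLE_HEADER_LEN
    if len(data) < off + META_HEADER_LEN:
        return None
    (mt_type, hdr_size, version, mt_size,
     _objects, _max_record, _params) = struct.unpack_from("<HHHIHIH", data, off)
    if mt_type not in (1, 2) or hdr_size != 9 or version not in (0x0100, 0x0300):
        return None
    info = WmfInfo(placeable, mt_type, version, mt_size)
    if mt_size * 2 != len(data) - off:
        info.anomalies.append(
            f"header declares {mt_size * 2} bytes but {len(data) - off} are present")
    # Each record: DWORD size in words (counting this 6-byte prefix), WORD function code, parameters.
    pos = off + META_HEADER_LEN
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3:
            info.anomalies.append(f"record at {pos}: size {size_words} words is below the 3-word minimum")
            return info
        end = pos + size_words * 2
        if end > len(data):
            info.anomalies.append(f"record at {pos}: size {size_words} words runs past end of data")
            return info
        info.records.append((func, size_words))
        if func == META_EOF:
            return info
        pos = end
    info.anomalies.append("no META_EOF record before end of data")
    return info


def is_renamed_wmf(filename: str, data: bytes) -> bool:
    """True when the content is WMF but the name does not say so (the renaming case in the FAQ)."""
    return parse_wmf(data) is not None and not filename.lower().endswith(".wmf")


# --- constructed sample: a 32-byte metafile with one SETMAPMODE record and META_EOF ---
SAMPLE_WMF = (
    struct.pack("<HHHIHIH", 2, 9, 0x0300, 16, 0, 4, 0)   # META_HEADER, mtSize = 16 words
    + struct.pack("<IHH", 4, META_SETMAPMODE, 8)          # 4-word record, MM_ANISOTROPIC
    + struct.pack("<IH", 3, META_EOF)                     # 3-word terminating record
)
# Same metafile wrapped in a placeable header (bounding box 0,0-100,100 at 96 units per inch).
SAMPLE_PLACEABLE = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + SAMPLE_WMF
SAMPLE_JPEG_START = b"\xff\xd8\xff\xe0" + b"\x00" * 28   # constructed non-WMF bytes


if __name__ == "__main__":
    for name, blob in [("diagram.wmf", SAMPLE_WMF), ("holiday.jpg", SAMPLE_WMF),
                       ("holiday.jpg", SAMPLE_JPEG_START), ("cut.wmf", SAMPLE_WMF[:-4])]:
        info = parse_wmf(blob)
        verdict = "not WMF" if info is None else f"WMF, {len(info.records)} records, anomalies={info.anomalies}"
        print(f"{name:12} renamed={is_renamed_wmf(name, blob)!s:5} {verdict}")
```

Run over attachments or uploaded files, `is_renamed_wmf` is the check that answers the extension question: a file called holiday.jpg whose bytes parse as a metafile is still a metafile and should be handled under the WMF policy. The anomaly list is only a structural sanity check on the record stream; a cleanly formed file is not thereby a safe one.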

Does the workaround in this advisory protect me from attempts to exploit 
this vulnerability through WMF files with changed extensions?
Yes. Microsoft has tested and can confirm that the workaround in this 
advisory helps protect against WMF files with changed extensions.

It has been reported that malicious files indexed by MSN Desktop Search 
could lead to exploitation of the vulnerability. Is this true?
We have received reports and are investigating them thoroughly as part of 
our ongoing investigation. We are not aware at this time of issues around 
the MSN Desktop Indexer, but we are continuing to investigate.

Is this issue related to Microsoft Security Bulletin MS05-053 - 
Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution 
(896424) which was released in November?
No, these are different and separate issues.

Are there any third party Intrusion Detection Systems (IDS) that would 
help protect against attempts to exploit this vulnerability?
While we don't know of specific products or services that currently scan 
or detect for attempts to render specially crafted WMF files, we are 
working with our partners through industry programs like VIA to provide 
information as we have it. Customers should contact their IDS provider to 
determine if it offers protection from this vulnerability.

Will my anti-virus software protect me from exploitation of this 
vulnerability?
As of the latest update to this advisory, the following members of the 
Virus Information Alliance 
(<http://www.microsoft.com/technet/security/alerts/info/via.mspx>) have 
indicated that their anti-virus software provides protection from 
exploitation of Windows Metafile (WMF) files using the vulnerability 
discussed in this advisory.

 *  <http://www.symantec.com/> Symantec
 *  <http://www.ca.com/> Computer Associates
 *  <http://www.mcafee.com/> McAfee
 *  <http://www.fsecure.com/> F-Secure Corporation
 *  <http://www.pandasoftware.com/> Panda Software International
 *  <http://www.nod32.com/> Eset Software

In addition, Microsoft is providing heuristic protection against 
exploitation of this vulnerability through Windows Metafile (WMF) files in 
our new Windows OneCare Live Beta (<http://www.windowsonecare.com/>).

As currently known attacks can change, the level of protection offered by 
anti-virus vendors at any time may vary. Customers are advised to contact 
their preferred anti-virus vendor with any questions they may have or to 
confirm additional information regarding their vendor's method of 
protection against exploitation of this vulnerability.

When this security advisory was issued, had Microsoft received any reports 
that this vulnerability was being exploited?
Yes. When the security advisory was released, Microsoft had received 
information that this vulnerability was being actively exploited.


Suggested Actions:
Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP 
Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows 
Server 2003 Service Pack 1

Microsoft has tested the following workaround. While this workaround will 
not correct the underlying vulnerability, it helps block known attack 
vectors. When a workaround reduces functionality, it is identified in the 
following section.

Note The following steps require Administrative privileges. It is 
recommended that the machine be restarted after applying this workaround. 
It is also possible to log out and log back in after applying the 
workaround. However, the recommendation is to restart the machine.

To un-register Shimgvw.dll, follow these steps:
 1. Click Start, click Run, type "regsvr32 -u 
%windir%\system32\shimgvw.dll" (without the quotation marks), and then 
click OK.
 2. A dialog box appears to confirm that the un-registration process has 
succeeded. Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be 
started when users click on a link to an image type that is associated 
with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps. 
Replace the text in Step 1 with "regsvr32 %windir%\system32\shimgvw.dll" 
(without the quotation marks).

 * Microsoft encourages users to exercise caution when they open e-mail 
and links in e-mail from untrusted sources. For more information about 
Safe Browsing, visit the Trustworthy Computing Web site 
(<http://www.microsoft.com/security/incident/settings.mspx>).

CVE Information:
CVE-2005-4560 
(<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4560>)


ADDITIONAL INFORMATION

The information has been provided by Microsoft Security.
The original article can be found at: 
http://www.microsoft.com/technet/security/advisory/912840.mspx



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages. 

