| PROBLEM: | A vulnerability in Microsoft Windows WMF image format handling was discovered. Exploit code has been publicly posted. |
| PLATFORM: | Microsoft Windows 2000 Service Pack 4 |
| | Microsoft Windows XP Service Pack 1 |
| | Microsoft Windows XP Service Pack 2 |
| | Microsoft Windows XP Professional x64 Edition |
| | Microsoft Windows Server 2003 |
| | Microsoft Windows Server 2003 for Itanium-based Systems |
| | Microsoft Windows Server 2003 Service Pack 1 |
| | Microsoft Windows Server 2003 with SP1 for Itanium-based Systems |
| | Microsoft Windows Server 2003 x64 Edition |
| | Microsoft Windows 98, Windows 98 Second Edition (SE), and Windows Millennium Edition (ME) |
| | Wine on Debian GNU/Linux 3.1 alias sarge |
| DAMAGE: | A remote, unauthenticated attacker may be able to execute arbitrary code if the user is persuaded to view a specially crafted WMF file. |
| SOLUTION: | No complete workaround is available. Exploitation occurs when a specially crafted WMF file is rendered. Such files usually carry a .wmf extension, but the Windows Picture and Fax Viewer identifies WMF content by its header rather than by extension, so a renamed file (for example one ending in .jpg) is still processed. Accessing WMF files only from trusted or known sources reduces, but does not remove, the chance of exploitation. Unregistering the Windows Picture and Fax Viewer (Shimgvw.dll), as described in Microsoft Security Advisory 912840, blocks the known attack vectors but does not necessarily remove the underlying flaw in the rendering code. SANS also notes that on Windows XP SP2 with DEP enabled for all programs, opening a crafted file produces a warning instead of running the payload; this protection requires a processor that supports hardware-enforced DEP. The Microsoft TechNet advisory offers more details. |
| VULNERABILITY ASSESSMENT: | The risk is HIGH. A remote attacker may execute arbitrary code. |
| LINKS: | |
| CIAC BULLETIN: | http://www.ciac.org/ciac/bulletins/q-085.shtml |
| ORIGINAL BULLETIN: | http://www.kb.cert.org/vuls/id/181038 |
| ADDITIONAL LINKS: | SANS Handler's Diary: http://isc.sans.org/diary.php?rss&storyid=975 |
| | Secunia SA18255: http://secunia.com/advisories/18255/ |
| | Microsoft Security Advisory (912840): http://www.microsoft.com/technet/security/advisory/912840.mspx |
| | US-CERT Technical Cyber Security Alert TA05-362A: http://www.us-cert.gov/cas/techalerts/TA05-362A.html |
| | Debian Security Advisory DSA-954-1: http://www.debian.org/security/2006/dsa-954 |
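The bulletin says only that the file is "specially crafted" and that opening it is the trigger. The following triage script is an added example written for this page; it is not code from CIAC, US-CERT, Microsoft or SANS. It walks the record list of a WMF file and flags the record the public exploit code relied on: a META_ESCAPE record whose escape function is SETABORTPROC (function number 9), which asks GDI to register a callback and has no legitimate use in a static image. The WMF layout it assumes (optional 22-byte placeable header keyed 0x9AC6CDD7, an 18-byte standard header, then records of a DWORD size in 16-bit words, a WORD function code and parameters) is the editor's knowledge of the format and is not described on the page. The two sample files are constructed inline so the script runs offline.

```python
"""Triage WMF files for the SETABORTPROC escape record (added example, not bulletin code)."""
import struct

# WMF constants (assumed from the public format description, not from the bulletin)
PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable header magic, 22 bytes total
META_ESCAPE = 0x0626         # record type that passes an Escape() call to GDI
META_EOF = 0x0000            # terminating record
META_RECTANGLE = 0x041B      # an ordinary drawing record, used for the benign sample
SETABORTPROC = 9             # Escape function that registers a callback; the exploit used it


def wmf_records(data):
    """Yield (offset, function, params) per record; raise ValueError on a malformed file."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                   # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    mt_type, hdr_size = struct.unpack_from("<HH", data, off)
    if mt_type not in (1, 2) or hdr_size != 9:     # 1 = memory, 2 = disk metafile
        raise ValueError("not a WMF header")
    off += hdr_size * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6 or off + size > len(data):     # size smaller than fixed part or past EOF
            raise ValueError("malformed record at offset %d" % off)
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            return
        off += size


def suspicious_escapes(data):
    """Return [(offset, escape_function, byte_count)] for every SETABORTPROC escape."""
    hits = []
    for off, func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc, count = struct.unpack_from("<HH", params, 0)
            if esc == SETABORTPROC:
                hits.append((off, esc, count))
    return hits


def scan_file_bytes(data):
    """Verdict for a file's bytes: 'clean', 'suspicious' or 'malformed' (treat the last as hostile)."""
    try:
        return "suspicious" if suspicious_escapes(data) else "clean"
    except ValueError:
        return "malformed"


# --- constructed sample files (not real-world captures) -----------------------
def record(func, *words):
    """Build one WMF record from a function code and 16-bit parameters."""
    params = b"".join(struct.pack("<H", w) for w in words)
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records):
    """Wrap records in a standard 18-byte header (sizes in 16-bit words)."""
    body = b"".join(records)
    total_words = (18 + len(body)) // 2
    max_words = max(len(r) // 2 for r in records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, max_words, 0)
    return header + body


# A harmless picture: one rectangle, then EOF.
BENIGN_WMF = build_wmf([record(META_RECTANGLE, 50, 50, 10, 10), record(META_EOF)])
# The shape the exploit files take: an Escape record selecting SETABORTPROC
# followed by a (here, zero-filled) data blob, then EOF.
ESCAPE_WMF = build_wmf([record(META_ESCAPE, SETABORTPROC, 4, 0, 0), record(META_EOF)])
# Same file behind a placeable header, as many .wmf files on disk are laid out.
PLACEABLE_HEADER = struct.pack("<I", PLACEABLE_KEY) + bytes(18)
PLACEABLE_ESCAPE_WMF = PLACEABLE_HEADER + ESCAPE_WMF

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("escape", ESCAPE_WMF),
                       ("placeable-escape", PLACEABLE_ESCAPE_WMF), ("not-wmf", b"GIF89a")):
        print("%-17s %s" % (name, scan_file_bytes(blob)))
```

The scanner never looks at the file name, which matters here: the viewer dispatches on content, so a file served as .jpg or .gif that starts with a WMF header is still rendered by the vulnerable code, and a triage tool that keys on extension will miss it. A "malformed" verdict should be handled like a hit, since fuzzed or truncated metafiles are exactly what an attacker would send to a parser known to be fragile.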
REVISION HISTORY:
12/29/2005 - added a link to Microsoft's Security Advisory (912840).
Revised 'Platform' section to reflect Microsoft's list of related
software (added Windows 2000 SP4 and Windows 98, 98 SE and ME.)
Also added a link to US-CERT's Technical Cyber Security Alert
TA05-362A.
01/03/2006 - revised to include a link to Microsoft's Security Advisory (912840).
Microsoft has added information to the beginning of the advisory as
well as the FAQ section to provide updated information about the
state of the investigation.
01/04/2006 - revised to reflect a clarification Microsoft made in their Microsoft
Security Advisory 912840 where they added information to the Mitigating
factors section at the beginning of the advisory and added a FAQ
to address pre-released Microsoft Security Update.
01/05/2006 - revised to reflect where Microsoft added FAQ with information on Windows
98, Windows 98 Second Edition and Windows Millennium, FAQ concerning
embedded images in Office documents were updated, and a workaround was
updated with information about re-registering the Windows Fax and Image
Viewer (Shimgvw.dll).
01/25/2006 - revised to add a link to Debian Security Advisory DSA-954-1 for Wine
Debian GNU/Linux 3.1 alias sarge. Please see CIAC Q-108 for more info.
[***** Start US-CERT Vulnerability Note VU#181038 *****]
This new reported vulnerability may be similar to one Microsoft released patches for in Microsoft Security Bulletin MS05-053 (VU#433341). However, publicly available exploit code has been discovered that reportedly affects systems updated with MS05-053. The known exploits may use the Windows Picture and Fax Viewer as an attack vector affecting both users of Internet Explorer and Firefox on Windows systems. While disabling Windows Picture and Fax Viewer may mitigate against these known attack vectors, it is unclear at this time if the underlying vulnerability is also remediated.
Do not access WMF files from untrusted sources
Exploitation occurs by accessing a specially crafted WMF file (typically .wmf). By only accessing WMF files from trusted or known sources, the chances of exploitation are reduced.
Attackers may host malicious WMF files on a web site. In order to convince users to visit their sites, those attackers often use URL encoding, IP address variations, long URLs, intentional misspellings, and other techniques to create misleading links. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.
| Vendor | Status | Date Updated |
|---|---|---|
| Microsoft Corporation | Unknown | 28-Dec-2005 |
| Mozilla, Inc. | Unknown | 28-Dec-2005 |
http://isc.sans.org/diary.php?rss&storyid=972
http://secunia.com/advisories/18255/
http://www.securityfocus.com/bid/16074
http://vil.mcafeesecurity.com/vil/content/v_137760.htm
http://www.f-secure.com/weblog/archives/archive-122005.html#00000753
This document was written by Jeffrey S. Havrilla.
| Date Public | 12/27/2005 |
| Date First Published | 12/28/2005 11:59:50 AM |
| Date Last Updated | 12/28/2005 |
| CERT Advisory | |
| CVE Name | |
| Metric | 45.60 |
| Document Revision | 9 |
If you have feedback, comments, or additional information about this vulnerability, please send us email.
[***** End US-CERT Vulnerability Note VU#181038 *****]
Voice: +1 925-422-8193 (7 x 24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org