Vulnerability in Graphics Rendering Engine (WMF format) Could Allow Remote Code Execution
Last Updated: Jan 5, 2006 1:16PM - Microsoft has released a patch
Overview
A new vulnerability in Microsoft Windows allows displaying
an image stored in Windows Metafile (WMF) format to compromise
your PC. Unfortunately, WMF files can be easily disguised
as commonly used image types such as jpg, gif, bmp, and tiff.
This makes it possible for a computer user to unintentionally
display a malicious file by simply looking at a web page or
an email message.
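The disguise described above works because the rendering engine trusts the file's contents, not its name. As an added example (not part of the original advisory), the following Python check compares a file's leading bytes against the image type its extension claims and flags files that are really WMF data; the magic-number constants are the standard format signatures and the sample files are constructed here.

```python
import struct

# Leading bytes of the image types named in the advisory. A placeable WMF
# begins with the key 0x9AC6CDD7 stored little-endian.
PLACEABLE_WMF_KEY = b"\x9a\xc6\xcd\xd7"
EXT_ALIASES = {"jpeg": "jpg", "tiff": "tif"}

def detect_image_format(data: bytes) -> str:
    """Return the format implied by the header bytes, or 'unknown'."""
    if data.startswith(b"\xff\xd8\xff"):
        return "jpg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data.startswith(b"BM"):
        return "bmp"
    if data[:4] in (b"II*\x00", b"MM\x00*"):
        return "tif"
    if data.startswith(PLACEABLE_WMF_KEY):
        return "wmf"
    # Standard (non-placeable) WMF: uint16 type (1 = memory, 2 = disk)
    # followed by uint16 header size, which is always 9 words. Heuristic,
    # but no other listed format begins this way.
    if len(data) >= 4:
        mtype, hsize = struct.unpack("<HH", data[:4])
        if mtype in (1, 2) and hsize == 9:
            return "wmf"
    return "unknown"

def is_disguised_wmf(filename: str, data: bytes) -> bool:
    """True when the content is WMF but the filename claims another type."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = EXT_ALIASES.get(ext, ext)
    return detect_image_format(data) == "wmf" and ext != "wmf"

def scan_files(files: dict) -> list:
    """Return the names in {filename: bytes} whose content is WMF in disguise."""
    return [name for name, data in files.items() if is_disguised_wmf(name, data)]

# Constructed sample files (headers only), not real malware.
SAMPLE_FILES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,       # genuine JPEG header
    "banner.gif": b"\x9a\xc6\xcd\xd7" + b"\x00" * 18,        # placeable WMF named .gif
    "scan.tiff": b"\x01\x00\x09\x00\x00\x03" + b"\x00" * 12, # standard WMF named .tiff
    "clipart.wmf": b"\x02\x00\x09\x00\x00\x03" + b"\x00" * 12,
}

if __name__ == "__main__":
    for name in scan_files(SAMPLE_FILES):
        print(f"{name}: extension does not match WMF content")
```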
Recommendations
Windows 2000 and Windows XP users should apply the Microsoft
patch. Make sure you reboot after the patch is installed.
Windows 2000 patch
Windows XP patch
Windows 2003 Server patch
Windows XP/2003 x64 edition patch
Information about the patch can be found here: http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx
Although Windows 98, Windows 98 Second Edition, and Windows
Millennium Edition do contain the affected component, the
vulnerability is not critical because an exploitable attack
vector has not been identified that would yield a critical
severity rating for these versions.
The Windows NT 4 patch is only available for systems with
extended security update support. Users of NT4 systems are strongly
urged to upgrade.
All Windows users (98/ME/NT/2000/XP) should follow the remaining
recommendations.
Try to confine browsing to well-known sites assumed to be safe,
such as CNN or other laboratories. Exploits have been seen
on many sites, especially blogging and adult web sites. Remember
that the whole web site doesn't have to be compromised; the web
site only has to link to a malicious image. Windows users
must be extremely cautious about the websites they visit,
the links they click, the mail messages they read, and the
files they choose to accept from others.
Make sure you have antivirus installed and the virus definitions
are current. Antivirus vendors are doing a good job thus far
in keeping definitions updated for new variants of malicious
wmf files. LBNL has a site license for Symantec antivirus
which is available here.
Verify
An independent programmer (Ilfak Guilfanov) has written a
utility to check if your system is vulnerable. This utility
can be found here.
Threats
The following section describes the common scenarios in which
an attacker would try to use the WMF vulnerability to compromise
your PC.
- In a Web-based attack scenario, an attacker would have
you view a web page that contains a malicious wmf file,
possibly disguised as some other image type. An attacker
would then have to persuade you to visit the web site, typically
by getting you to click a link, or place the malicious wmf
file on a website you frequent. The web-based attack scenario
is similar to past threats where Internet Explorer
or Mozilla had unpatched flaws. Users should always be
careful about the websites they visit, but especially so
with this new vulnerability.
- In an E-mail based attack, you would be persuaded to click
on a link within a malicious e-mail or open an attachment
in the email. While the LBNL virus wall protects you from
many of these attacks, there is still the threat of an email
virus not caught by the virus wall. Email viruses typically
come as zip and .exe attachments, but this vulnerability
opens up attack from multiple graphics-related file types,
including wmf, jpg, bmp, and tif. Users should always be
careful about opening email attachments and using
links in email messages. If an email appears questionable,
please forward it to virusmaster@lbl.gov
- In other attack scenarios, the attacker must get a malicious
file onto your system. This could be accomplished via p2p,
file sharing in instant messaging applications, open shares,
etc. The user then must open the file, or it is purported
that indexing programs such as Google Desktop could trigger
the malicious file. Like the web-based attack scenario,
this is not a new threat. If an attacker can place a malicious
file on your system or trick you into getting a malicious
file via p2p or instant messaging file sharing, your system
will be compromised.
Current Status
The following section lists the current status of this threat.
This section is updated as conditions change.
- Public exploit code is available
- No widespread outbreaks reported
- LBNL has had six instances where users have downloaded
malicious image files
- Symantec and ClamAV are detecting many variants of the
exploit (e.g. malformed wmf files)
- Microsoft has released a patch
Questions
If you have questions or comments please send them to cppm@lbl.gov.
If you require assistance getting the patch installed please
contact the help desk at x4357 or help@lbl.gov.
Links
The following are useful links for information about this
vulnerability.