Posts Tagged ‘WMF’

Security Update for the Windows Meta File Vulnerability Available

Apparently, or accidentally as ZDNet reported, Microsoft has released a patch to fix the WMF vulnerability in Windows. Here is the bulletin: Microsoft Security Bulletin MS06-001, Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919). The date on this page is from yesterday, so even if it got released by accident, it looks like they were going to release it early anyway.

This vulnerability is currently being exploited and was previously discussed by Microsoft in Microsoft Security Advisory 912840.

If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

We recommend that customers apply the update immediately.

We do too. Good move releasing this earlier than you first stated, Microsoft, but it is still probably too late for some users.

From the Common Vulnerabilities and Exposures website, “The Windows Graphical Device Interface library (GDI32.DLL) in Microsoft Windows allows remote attackers to execute arbitrary code via a Windows Metafile (WMF) format image with a crafted SETABORTPROC GDI Escape function call, related to the Windows Picture and Fax Viewer (SHIMGVW.DLL), a different vulnerability than CVE-2005-2123 and CVE-2005-2124, and as originally discovered in the wild on unionseek.com.”

Note: This release says it is not critical for Windows 98 or Windows ME users, noting that although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, the vulnerability is not critical because an exploitable attack vector has not been identified that would yield a Critical severity rating for these versions. They will be releasing a patch for these operating systems later.

On the News.com website, they quoted Microsoft saying:

The software maker said Thursday it will deliver two updates on Tuesday, Jan. 10, as part of its scheduled monthly bulletin of security patches.

In response to customer pressure, the software maker on Thursday delivered a fix for a Windows flaw that lies in the way Windows renders Windows Meta File images. The flaw has become a conduit for several attacks.

Next week, Microsoft plans to provide two additional security updates: one for Windows, and one for Microsoft Office and e-mail server software Exchange, the company said in a notice on its Web site.

Both updates will fix at least one flaw that the software maker deems critical, according to the notice. Microsoft rates as critical any security threat that could allow a malicious Internet worm to spread without any action required on the part of the user.

Posted by Jimmy Daniels - January 6, 2006 at 12:00 pm

Categories: Microsoft News, Tech News, Windows XP

Temporary Fix for the WMF Exploit

Since Microsoft has decided to wait until Tuesday to release its patch for the latest Windows exploit, the WMF security flaw, F-Secure has posted on their site about a fix released by Ilfak Guilfanov, the author of Interactive Disassembler and probably one of the best low-level Windows experts in the world. The fix is here.

Ilfak Guilfanov has published a temporary fix which does not remove any functionality from the system (all pictures and thumbnails continue to work normally).

The fix works by injecting itself to all processes loading USER32.DLL. It patches the Escape() function in GDI32.DLL, revoking WMF’s SETABORT escape sequence that is the root of the problem.

This flaw has already spawned dozens of attacks, from an MSN Messenger worm to spam that tries to get users to click on malicious web sites.

The vulnerability can be easily exploited in Windows XP with Service Pack 1 and 2, as well as Windows Server 2003, security experts said. Older versions of the operating system, including Windows 2000 and Windows ME, are also at risk, though in those cases the flaw is more difficult to exploit, said Mikko Hypponen, chief research officer at F-Secure.

“We have seen dozens of different attacks using this vulnerability since Dec. 27,” Hypponen said. “One exploits image files and tries to get users to click on them; another is an MSN Messenger worm that will send the worm to people on your buddy list, and we have seen several spam attacks.”

He added that some of the spam attacks have been targeted to select groups, such as one that purports to come from the U.S. Department of State. The malicious e-mail tries to lure the user to open a map attachment and will then download a Trojan horse. The exploit will open a backdoor on the user’s system and allow sensitive files to be viewed.

A chief researcher at F-Secure said,

“We are still far away from a massive virus,” he said. “Most people get attacked by this if they (search for something on the Internet) and get a million results. They may click on a link that goes to a malicious Web site or one that has been hacked, and then get infected.”

In an article from News.com posted today, an antivirus specialist stated that over a million PCs have been compromised:

More than a million PCs have already been compromised, said Andreas Marx, an antivirus software specialist at the University of Magdeburg in Germany. He has found a hidden Web site that shows how many copies of a program that installs malicious software have been delivered to vulnerable PCs.

“I’m sure it’s just a matter of days until the first (self-propagating) WMF worm will appear,” he said. “A patch is urgently needed.”

So, with Microsoft waiting until Tuesday, attackers are going to have about a week with no worries to try to take advantage of this. So far, most of the attacks have involved installing spyware and adware to display pop-up advertising on the infected PCs.

Microsoft has completed a fix for the problem and is currently testing and localizing the update into 23 languages, the software maker said in its advisory, updated on Tuesday. “Microsoft’s goal is to release the update on Tuesday, Jan. 10, 2006, as part of its monthly release of security bulletins,” the company said.

To protect Windows users, Microsoft shouldn’t wait, but release the patch now, several critics said.

“The flaw is actively exploited on multiple sites, and antivirus provides only limited protection,” said Johannes Ullrich, the chief research officer at the SANS Institute. “Active use of an exploit without sufficient mitigating measures should warrant the early release of a patch, even a preliminary, not fully tested patch.”

Once again, we see a large company not really caring about the users and all they are doing is creating even more ill will.

Added: One of the F-Secure researchers stated that one of their test machines became infected after downloading an infected file using the Wget command line tool, without even executing it.

It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime.
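Because the trigger is one record type inside the file, a WMF can be checked before anything renders or indexes it. The scanner below is an added example, not code from Microsoft, F-Secure or Ilfak Guilfanov's fix: it walks the metafile records and reports any META_ESCAPE record that requests SETABORTPROC. The record layout follows the published WMF format; the helper names and the sample files are constructed here, and the samples carry no payload.

```python
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte "placeable" pre-header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009         # escape function named in the CVE text

def find_setabortproc(data: bytes) -> list[int]:
    """Return file offsets of META_ESCAPE records that request SETABORTPROC."""
    pos = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        pos = 22
    if len(data) < pos + 18:
        raise ValueError("too short for a WMF header")
    mtype, header_words = struct.unpack_from("<HH", data, pos)
    if mtype not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF header")
    pos += header_words * 2
    hits = []
    while pos + 6 <= len(data):
        size_words, function = struct.unpack_from("<IH", data, pos)
        # Stop at end-of-file, or at a size too small to ever advance.
        if function == META_EOF or size_words < 3:
            break
        # Only the low byte of the function word selects the record type,
        # so compare on that byte rather than on the full 0x0626 value.
        if (function & 0xFF) == (META_ESCAPE & 0xFF) and pos + 8 <= len(data):
            if struct.unpack_from("<H", data, pos + 6)[0] == SETABORTPROC:
                hits.append(pos)
        pos += size_words * 2  # record sizes are counted in 16-bit words
    return hits

def _record(function: int, params: bytes = b"") -> bytes:
    """Constructed helper: one WMF record (size in words, function, params)."""
    return struct.pack("<IH", 3 + len(params) // 2, function) + params

def _wmf(records: bytes) -> bytes:
    """Constructed helper: 18-byte META_HEADER + records + META_EOF."""
    body = records + _record(META_EOF)
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(body) // 2, 0, 4, 0) + body

# Constructed samples: a plain metafile, and one with an empty SETABORTPROC escape.
_MAPMODE = _record(META_SETMAPMODE, struct.pack("<H", 8))
CLEAN = _wmf(_MAPMODE)
SUSPECT = _wmf(_MAPMODE + _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)))

if __name__ == "__main__":
    print("clean:", find_setabortproc(CLEAN), "suspect:", find_setabortproc(SUSPECT))
```

A scanner like this belongs at the mail or web gateway, or in a quarantine step before files land where a thumbnailer or desktop indexer will open them.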

Posted by Jimmy Daniels - January 4, 2006 at 11:39 am

Categories: Microsoft News, Spyware Info, Tech News, Virus Info