Microsoft Windows Metafile Handling Buffer Overflow
Sunday, January 02, 2005
This alert is being sent to notify you of a new vulnerability found in the Windows graphics system, leveraging the WMF file type. The following bulletin is meant to provide you with information about the vulnerability and the steps that Perimeter eSecurity has taken to protect its customer base.

About the Windows Metafile Handling Buffer Overflow

Systems Affected: Systems running Microsoft Windows

Impact: A remote, unauthenticated attacker may be able to execute arbitrary code if the user is persuaded to view a specially crafted Windows Metafile.

Description: Microsoft Windows is vulnerable to remote code execution via an error in handling files using the Windows Metafile image format. Exploit code has been publicly posted and used to successfully attack fully patched Windows XP SP2 systems; other versions of the Windows operating system may be at risk as well.

Microsoft Windows Metafiles are image files that can contain both vector and bitmap-based picture information. Microsoft Windows contains routines for displaying various Windows Metafile formats. A lack of input validation in one of these routines may allow a buffer overflow to occur, which in turn may allow remote arbitrary code execution.

Not all anti-virus software products are currently able to detect all known variants of exploits for this vulnerability. US-CERT therefore recommends updating anti-virus signatures as frequently as practical to provide maximum protection as new variants appear.

This new vulnerability may be similar to one Microsoft released patches for in Microsoft Security Bulletin MS05-053. However, publicly available exploit code is known to affect systems updated with the MS05-053 patches.

End User Protection

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)

Microsoft has tested the following workaround. While this workaround will not correct the underlying vulnerability, it helps block known attack vectors.
When a workaround reduces functionality, it is identified in the following section.

Note: The following steps require Administrative privileges. It is recommended that the machine be restarted after applying this workaround. It is also possible to log out and log back in after applying the workaround; however, the recommendation is to restart the machine.

To un-register Shimgvw.dll, follow these steps:
To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).
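The un-register and undo steps above as a single script, added here as an example (it is not Microsoft's or Perimeter's own code): it runs regsvr32 with /u to un-register Shimgvw.dll, or without /u when -Undo is given, and then checks HKCR\CLSID for COM classes whose InprocServer32 still points at shimgvw.dll. It assumes an elevated PowerShell session; the -Undo switch is this script's own parameter.

```powershell
# Added example: un-register (default) or re-register (-Undo) Shimgvw.dll and
# verify the outcome in the registry. Requires Administrative privileges.
param([switch]$Undo)

$dll = Join-Path $env:windir 'system32\shimgvw.dll'
if (-not (Test-Path $dll)) { throw "Not found: $dll" }

function Get-ShimgvwClsid {
    # CLSIDs whose in-process server is shimgvw.dll; expected to be empty once
    # DllUnregisterServer has run.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $srv = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
            if ($srv -and "$($srv.'(default)')" -match 'shimgvw\.dll') { $_.PSChildName }
        }
}

$before = @(Get-ShimgvwClsid)

# regsvr32 /s = silent; /u = un-register (DllUnregisterServer). Omitting /u
# re-registers, which is the "undo" described in the bulletin.
$argList = if ($Undo) { @('/s', $dll) } else { @('/s', '/u', $dll) }
$proc = Start-Process -FilePath regsvr32.exe -ArgumentList $argList -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "regsvr32 failed with exit code $($proc.ExitCode)" }

$after = @(Get-ShimgvwClsid)
if ($Undo) {
    if ($after.Count -eq 0) { throw 'Re-registration did not restore the CLSID entries' }
    Write-Output "Re-registered: $($after.Count) CLSID entries point at shimgvw.dll"
} else {
    if ($after.Count -ne 0) {
        Write-Warning "Entries still referencing shimgvw.dll: $($after -join ', ')"
    }
    Write-Output "Un-registered: $($before.Count - $after.Count) CLSID entries removed (restart recommended)"
}
```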
Steps Taken by Perimeter to Protect Customers

Desktop AV Customers: All Desktop AV clients that subscribe to Trend's services have received updates that detect known applications attempting to exploit this vulnerability.

Gateway Defender Customers: Perimeter has applied new IDS signatures to detect attempted exploits of the Microsoft Windows Metafile Handling Buffer Overflow. Perimeter has also blocked all known malicious sites associated with this vulnerability on the Internet firewalls.

SMTP Customers: Perimeter is blocking all *.wmf files coming into the SMTP servers until further notice and performing deep inspection on all other file attachments.

Customer Premise (CP) Location Firewall with AV Customers: Customers subscribing to Perimeter's customer premise managed firewall with AV services have received updates to their devices that quarantine known activity associated with this vulnerability.

Patch Management Customers: Customers that subscribe to Perimeter's patch management service will receive a forced update that fixes this vulnerability as soon as Microsoft makes a release available. Initial reports are that a release will be available no later than January 10th, as it is currently undergoing testing in Microsoft's labs. In the meantime, it is recommended to follow the instructions in the End User Protection section above.

Web/Gateway AV Service: Typical attacks using this exploit include spyware Web pages containing image files that drop and execute certain Trojans and spyware components when the site is visited, as well as infected pop-up windows that open when visiting referral sites or sites containing embedded infected banner ads. Perimeter's Web/Gateway AV service is set to inspect potentially infected images from all sites users browse and will quarantine any known malicious content associated with this exploit.
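Filtering on the *.wmf extension alone is incomplete, because Windows recognises a metafile by its header rather than its file name, which is why the bulletin pairs the extension block with deep inspection of other attachments. This added example (not Perimeter's own code) identifies Windows Metafiles by content: it checks for the placeable-metafile magic 0x9AC6CDD7 or a plausible standard METAHEADER (Type 1 or 2, HeaderSize 9 words, Version 0x100 or 0x300). The quarantine directory path is a placeholder.

```powershell
# Added example: flag files that are Windows Metafiles regardless of extension.
function Test-WmfContent {
    param([Parameter(Mandatory = $true)][string]$Path)

    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 22          # placeable header (22) >= standard header (18)
        $n   = $fs.Read($buf, 0, $buf.Length)
    } finally {
        $fs.Close()
    }
    if ($n -lt 18) { return $false }         # too short to hold a METAHEADER

    # Placeable (Aldus) metafile: little-endian magic 0x9AC6CDD7 at offset 0,
    # i.e. the bytes D7 CD C6 9A, followed by the standard header at offset 22.
    if ([BitConverter]::ToUInt32($buf, 0) -eq 0x9AC6CDD7) { return $true }

    # Standard METAHEADER: Type (1 = memory, 2 = disk), HeaderSize = 9 words,
    # Version 0x0100 or 0x0300. This is a heuristic and can match unrelated data.
    $type    = [BitConverter]::ToUInt16($buf, 0)
    $hdrSize = [BitConverter]::ToUInt16($buf, 2)
    $version = [BitConverter]::ToUInt16($buf, 4)
    return ($type -eq 1 -or $type -eq 2) -and ($hdrSize -eq 9) -and
           ($version -eq 0x100 -or $version -eq 0x300)
}

# Placeholder path: scan quarantined attachments and report metafiles whose
# extension would have let them through an extension-only filter.
Get-ChildItem -Path 'C:\quarantine\attachments' -Recurse |
    Where-Object { -not $_.PSIsContainer -and (Test-WmfContent $_.FullName) } |
    ForEach-Object { '{0}  (extension "{1}")' -f $_.FullName, $_.Extension }
```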
URL Filtering Service: Perimeter's URL filtering service continues to collect and block sites that are known offenders or are hosting infected code as a result of this exploit. Since many of the involved sites appear to promote pornography, drugs and pharmaceuticals, they were already blocked by the existing filters in place.

This alert is provided to you for information purposes, describing the controls Perimeter has enabled to continually protect its customer base. Any end user action stated in this bulletin should adhere to your own internal policies and procedures for testing and making changes to production equipment. If you have any questions about this security bulletin, please feel free to contact our command center at ….

Sincerely,
Tom Neclerio, CISSP
VP of Security
Perimeter Internetworking

