             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
             __________________________________________________________

                             INFORMATION BULLETIN

          Microsoft Windows Metafile File (WMF) Handling Vulnerability
                    [US-CERT Vulnerability Note VU#181038]

December 28, 2005 17:00 GMT                                       Number Q-085
                                                       [REVISED 29 Dec 2005]
                                                       [REVISED 3 Jan 2006]
                                                       [REVISED 4 Jan 2006]
                                                       [REVISED 5 Jan 2006]
                                                       [REVISED 25 Jan 2006]
______________________________________________________________________________

PROBLEM:       A vulnerability in Microsoft Windows WMF image format handling
               was discovered. Exploit code has been publicly posted.

PLATFORM:      Microsoft Windows 2000 Service Pack 4
               Microsoft Windows XP Service Pack 1
               Microsoft Windows XP Service Pack 2
               Microsoft Windows XP Professional x64 Edition
               Microsoft Windows Server 2003
               Microsoft Windows Server 2003 for Itanium-based Systems
               Microsoft Windows Server 2003 Service Pack 1
               Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
               Microsoft Windows Server 2003 x64 Edition
               Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE),
               and Microsoft Windows Millennium Edition (ME)
               Wine Debian GNU/Linux 3.1 alias sarge

DAMAGE:        A remote, unauthenticated attacker may be able to execute
               arbitrary code if the user is persuaded to view a specially
               crafted WMF file.

SOLUTION:      No practical workaround available. Exploitation occurs by
               accessing a specially crafted WMF file (typically .wmf). By
               only accessing WMF files from trusted or known sources, the
               chances of exploitation are reduced. Additionally, SANS notes
               that enabling DEP to cover all programs (in XP SP2) results in
               a warning message and does not run the file automatically. The
               Microsoft TechNet article
               (http://www.microsoft.com/technet/security/prodtech/windowsxp/depcnfxp.mspx)
               offers more details.
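As an added example (not part of the CIAC or US-CERT bulletin), the following Python checker identifies WMF content by its header and record chain rather than by the .wmf extension, which is what a mail or web gateway filtering untrusted WMF files would need. The sample bytes are constructed here; the header and record layout follow the WMF file format, not any detail of the vulnerability.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # key of the 22-byte placeable (Aldus) WMF header
WMF_VERSIONS = (0x0100, 0x0300)
META_EOF = 0x0000            # record function that terminates a metafile


def identify_wmf(data: bytes):
    """Return header facts for a WMF byte stream, or None if it is not WMF.
    Identification is by structure, so a gateway can flag WMF content
    regardless of the file name it arrives with."""
    off, placeable = 0, False
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        placeable, off = True, 22          # skip the placeable header
    if len(data) < off + 18:
        return None
    mtype, hsize, version, size_words, _objs, _maxrec, _ = struct.unpack_from(
        "<HHHIHIH", data, off)
    # Type 1 = memory metafile, 2 = disk metafile; header is always 9 words
    if mtype not in (1, 2) or hsize != 9 or version not in WMF_VERSIONS:
        return None
    # Walk the record chain: each record is Size (u32, in 16-bit words)
    # followed by Function (u16); a well-formed file ends with an EOF record.
    pos, end = off + 18, off + size_words * 2
    records, functions, saw_eof = 0, set(), False
    while pos + 6 <= min(end, len(data)):
        rsize, func = struct.unpack_from("<IH", data, pos)
        if rsize < 3:                      # malformed record, stop walking
            break
        records += 1
        functions.add(func)
        if func == META_EOF:
            saw_eof = True
            break
        pos += rsize * 2
    return {"placeable": placeable, "version": version, "records": records,
            "functions": sorted(functions),
            "well_formed": saw_eof and end == len(data)}


def build_sample(placeable: bool = False) -> bytes:
    """Constructed minimal WMF: header, one SETMAPMODE record, EOF record."""
    hdr = struct.pack("<HHHIHIH", 1, 9, 0x0300, 16, 0, 4, 0)   # 16 words total
    rec = struct.pack("<IHH", 4, 0x0103, 8)                    # SETMAPMODE
    eof = struct.pack("<IH", 3, META_EOF)
    body = hdr + rec + eof
    if placeable:   # prepend a placeable header (96 units per inch, no bbox)
        body = struct.pack("<IH8sHIH", PLACEABLE_KEY, 0, b"\0" * 8, 96, 0, 0) + body
    return body
```

A truncated or non-WMF input yields `well_formed: False` or `None`, so the checker can be used both to detect WMF content and to reject files whose record chain does not terminate cleanly.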
______________________________________________________________________________

VULNERABILITY  The risk is HIGH. A remote attacker may execute arbitrary code.
ASSESSMENT:
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/q-085.shtml
 ORIGINAL BULLETIN:  http://www.kb.cert.org/vuls/id/181038
 ADDITIONAL LINKS:
   SANS Handler's Diary
     http://isc.sans.org/diary.php?rss&storyid=975
   Secunia SA18255
     http://secunia.com/advisories/18255/
   Microsoft Security Advisory (912840)
     http://www.microsoft.com/technet/security/advisory/912840.mspx
   US-CERT Technical Cyber Security Alert TA05-362A
     http://www.us-cert.gov/cas/techalerts/TA05-362A.html
   Debian Security Advisory DSA-954-1
     http://www.debian.org/security/2006/dsa-954
______________________________________________________________________________

REVISION HISTORY:
 12/29/2005 - added a link to Microsoft's Security Advisory (912840). Revised
              the 'Platform' section to reflect Microsoft's list of related
              software (added Windows 2000 SP4 and Windows 98, 98 SE and ME).
              Also added a link to US-CERT's Technical Cyber Security Alert
              TA05-362A.
 01/03/2006 - revised to include a link to Microsoft's Security Advisory
              (912840). Microsoft has added information to the beginning of
              the advisory as well as the FAQ section to provide updated
              information about the state of the investigation.
 01/04/2006 - revised to reflect a clarification Microsoft made in Microsoft
              Security Advisory 912840, where they added information to the
              Mitigating Factors section at the beginning of the advisory and
              added a FAQ to address the pre-released Microsoft Security
              Update.
 01/05/2006 - revised to reflect that Microsoft added a FAQ with information
              on Windows 98, Windows 98 Second Edition and Windows Millennium,
              updated the FAQ concerning embedded images in Office documents,
              and updated a workaround with information about re-registering
              the Windows Fax and Image Viewer (Shimgvw.dll).
 01/25/2006 - revised to add a link to Debian Security Advisory DSA-954-1 for
              Wine on Debian GNU/Linux 3.1 alias sarge. Please see CIAC Q-108
              for more information.

[***** Start US-CERT Vulnerability Note VU#181038 *****]

Vulnerability Note VU#181038

Microsoft Windows may be vulnerable to buffer overflow via specially crafted
WMF file rendered with Windows Picture and Fax Viewer

Overview

Microsoft Windows is reported to be vulnerable to remote code execution via an
error in the Windows Metafile image format handling. Exploit code has been
publicly posted that is reported to work against fully-patched Windows XP SP2
systems.

I. Description

Windows Metafile (WMF) format images are graphical files that can contain both
vector and bitmap-based picture information. Microsoft Windows contains
routines for displaying WMF files. However, a lack of input validation in one
of these routines may allow a buffer overflow to occur, and in turn may allow
remote arbitrary code execution.

This newly reported vulnerability may be similar to one Microsoft released
patches for in Microsoft Security Bulletin MS05-053 (VU#433341). However,
publicly available exploit code has been discovered that reportedly affects
systems updated with MS05-053.

The known exploits may use the Windows Picture and Fax Viewer as an attack
vector, affecting users of both Internet Explorer and Firefox on Windows
systems. While disabling Windows Picture and Fax Viewer may mitigate these
known attack vectors, it is unclear at this time whether the underlying
vulnerability is also remediated.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code if
the user is persuaded to view a specially crafted WMF file.

III. Solution

We are currently unaware of a practical solution to this problem.

Do not access WMF files from untrusted sources

Exploitation occurs by accessing a specially crafted WMF file (typically
.wmf).
By only accessing WMF files from trusted or known sources, the chances of
exploitation are reduced.

Attackers may host malicious WMF files on a web site. In order to convince
users to visit their sites, those attackers often use URL encoding, IP address
variations, long URLs, intentional misspellings, and other techniques to
create misleading links. Do not click on unsolicited links received in email,
instant messages, web forums, or internet relay chat (IRC) channels. Type URLs
directly into the browser to avoid these misleading links. While these are
generally good security practices, following these behaviors will not prevent
exploitation of this vulnerability in all cases, particularly if a trusted
site has been compromised or allows cross-site scripting.

Systems Affected

Vendor                    Status     Date Updated
Microsoft Corporation     Unknown    28-Dec-2005
Mozilla, Inc.             Unknown    28-Dec-2005

References

 http://isc.sans.org/diary.php?rss&storyid=972
 http://secunia.com/advisories/18255/
 http://www.securityfocus.com/bid/16074
 http://vil.mcafeesecurity.com/vil/content/v_137760.htm
 http://www.f-secure.com/weblog/archives/archive-122005.html#00000753

Credit

This document was written by Jeffrey S. Havrilla.

Other Information

 Date Public              12/27/2005
 Date First Published     12/28/2005 11:59:50 AM
 Date Last Updated        12/28/2005
 CERT Advisory
 CVE Name
 Metric                   45.60
 Document Revision        9

If you have feedback, comments, or additional information about this
vulnerability, please send us email.

[***** End US-CERT Vulnerability Note VU#181038 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of US-CERT for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall
not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

Q-074: Cumulative Security Update for Internet Explorer
Q-075: Vulnerability in Windows Kernel
Q-076: Sober.X (Y) To Download New Code On or After Jan. 6
Q-077: Citrix Vulnerability in Program Neighborhood Client
Q-078: cURL Security Update
Q-079: HP-UX Running Software Distributor Remote Unauthorized Access
Q-081: netpbm Security Update
Q-082: perl Security Update
Q-083: perl Security Update for Red Hat (v.3)
Q-084: Cisco Security Notice: Response to DoS in Cisco Clean Access