Microsoft Windows Graphics Rendering Engine WMF/EMF Patch

awalker0878 (Thread Starter, joined Dec 16, 2005):

http://securityresponse.symantec.com/avcenter/security/Content/15352.html

Microsoft Windows Graphics Rendering Engine WMF/EMF Format Code Execution Vulnerability

Risk
High

Date Discovered
11-08-2005

Description
Microsoft Windows WMF/EMF graphics rendering engine is affected by a remote code execution vulnerability.

The problem presents itself when a user views a malicious WMF or EMF formatted file causing the affected engine to attempt to parse it. Exploitation of this issue can trigger an integer overflow that may facilitate heap memory corruption and arbitrary code execution.

Any code execution that occurs will be with SYSTEM privileges due to the nature of the affected engine. Successful exploitation can facilitate a remote compromise or local privilege escalation.

Symantec Enterprise Security Manager
Symantec Enterprise Security Manager posted an update to the OS Patch Policy that detects and reports systems that are not patched against this vulnerability. Click here for the advisory released November 10, 2005.

Symantec Enterprise Security Manager Network Assessment Module detects and reports this vulnerability. Click here for the advisory released November 11, 2005.

Symantec Vulnerability Assessment
Symantec Vulnerability Assessment detects and reports this vulnerability. Click here for the advisory released November 8, 2005.

Platforms Affected
Avaya DefinityOne Media Servers
Avaya IP600 Media Servers
Avaya S3400 Message Application Server
Avaya S8100 Media Servers

Components Affected
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Datacenter Edition 64-bit SP1
Microsoft Windows Server 2003 Datacenter Edition 64-bit
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Enterprise Edition 64-bit SP1
Microsoft Windows Server 2003 Enterprise Edition 64-bit
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP 64-bit Edition
Microsoft Windows XP Home SP2
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows XP Tablet PC Edition

Recommendations
Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.
Do not allow untrusted individuals to have local access to computers. This may limit exposure to local attack vectors.

Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Deploy network intrusion detection systems to monitor all network traffic for signs of suspicious or anomalous activity. This may aid in detecting attempts to exploit latent vulnerabilities or in detecting malicious activity that occurs as a result of successful exploitation.

Do not accept or execute files from untrusted or unknown sources.
Users should not accept files from untrusted or unknown sources as they may be malicious in nature.

Do not follow links provided by unknown or untrusted sources.
Users should avoid Web sites of questionable integrity and not follow links supplied by unknown or untrusted sources.

Do not accept communications that originate from unknown or untrusted sources.
Disabling client support for HTML email may limit exposure to this attack vector.

Implement multiple redundant layers of security.
As it may be possible that this issue will be leveraged to execute code, memory protection schemes are recommended. Memory protection schemes such as non-executable stack/heap configurations and randomly mapped memory segments will complicate exploitation of memory corruption vulnerabilities.

Microsoft has released a bulletin that includes fixes to address this issue for supported versions of the operating system.


One KB896424 package covers each platform and service-pack level, so editions that share a package are grouped. The advisory lists no update for Windows 2000 before SP4 or for Windows XP before SP1.

Windows 2000 SP4 (Advanced Server, Datacenter Server, Professional, Server):

Microsoft Upgrade Security Update for Windows 2000 (KB896424)
http://www.microsoft.com/downloads/...CB-B273-47E7-BB15-BC9C27073446&displaylang=en

Windows 2000 SP3, SP2, SP1 and original release (all editions):

No update listed.

Windows Server 2003 Datacenter, Enterprise, Standard and Web Editions (with and without SP1):

Microsoft Upgrade Security Update for Windows Server 2003 (KB896424)
http://www.microsoft.com/downloads/...3B-3C20-47A9-8BBD-1EA2FBB4AF96&displaylang=en

Windows Server 2003 Datacenter and Enterprise Edition 64-bit (with and without SP1):

Microsoft Upgrade Security Update for Windows Server 2003 for Itanium-based systems (KB896424)
http://www.microsoft.com/downloads/...BB-ADC4-4974-813C-7721BDB842C0&displaylang=en

Windows Server 2003 Datacenter, Enterprise and Standard x64 Editions:

Microsoft Upgrade Security Update for Windows Server x64 Edition (KB896424)
http://www.microsoft.com/downloads/...E4-0A08-496C-B94C-A1B37178914A&displaylang=en

Windows XP 64-bit Edition:

Microsoft Upgrade Security Update for Windows XP x64 Edition (KB896424)
http://www.microsoft.com/downloads/...78-916C-4A4F-8CA8-A4C0E304FDA4&displaylang=en

Windows XP SP2 and SP1 (Home, Media Center Edition, Professional, Tablet PC Edition):

Microsoft Upgrade Security Update for Windows XP (KB896424)
http://www.microsoft.com/downloads/...B2-3BF6-4393-B9A4-F34248C8073E&displaylang=en

Windows XP original release (all editions):

No update listed.

References
Source: Microsoft Security Bulletin MS05-053
URL: http://www.microsoft.com/technet/security/Bulletin/MS05-053.mspx

Source: Windows Metafile Multiple Heap Overflows
URL: http://www.eeye.com/html/research/advisories/AD20051108b.html

Credits
Discovery is credited to eEye Digital Security.

Copyright (c) 2006 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from [email protected].

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and SymSecurity are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
 

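The advisory above describes the bug only as an integer overflow reached while the engine parses WMF or EMF records, and names no field. The C code below is an added illustration, not Microsoft's GDI code and not eEye's finding: the size arithmetic in the shape such overflows take, next to a record walker that bounds every length against the bytes actually present before converting it to anything. The header and record layout are the public WMF ones; the sample file, the function names, the mtMaxRecord consistency check and the 32-bit unsigned int arithmetic are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard WMF METAHEADER (18 bytes): mtType, mtHeaderSize, mtVersion (16-bit each),
 * mtSize (32-bit, in 16-bit words), mtNoObjects (16-bit), mtMaxRecord (32-bit, words),
 * mtNoParameters (16-bit). Each record then starts with rdSize (32-bit, in words,
 * counting itself) and rdFunction (16-bit); function 0x0000 is the end-of-file record. */
#define WMF_HEADER_BYTES     18u
#define WMF_HEADER_WORDS      9u
#define WMF_RECORD_MIN_WORDS  3u      /* rdSize (2 words) + rdFunction (1 word) */
#define WMF_FUNC_EOF     0x0000u

enum wmf_status { WMF_OK = 0, WMF_BAD_HEADER, WMF_BAD_RECORD, WMF_TRUNCATED };

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The unsafe shape (illustrative, not the real GDI code): the parameter byte count is
 * computed from the attacker's rdSize in 32-bit arithmetic and used to size a buffer.
 * rdSize < 3 underflows to about 4 GB; rdSize >= 0x80000000 wraps the doubling to a
 * small number, so a buffer sized from the result is far smaller than the record that
 * a copy loop driven by rdSize then walks. Assumes a 32-bit unsigned int. */
uint32_t wmf_param_bytes_unsafe(uint32_t rd_size) {
    return (rd_size - WMF_RECORD_MIN_WORDS) * 2u;    /* wraps */
}

/* Bounded walk: every size is compared, in words, against the bytes actually present
 * before it is converted to bytes or used for anything. On success *records_out is the
 * number of records before the EOF record. */
enum wmf_status wmf_walk(const uint8_t *buf, size_t len, size_t *records_out) {
    uint32_t max_record_words;
    size_t off, n = 0;
    if (len < WMF_HEADER_BYTES) return WMF_BAD_HEADER;
    if (rd16le(buf) != 1 && rd16le(buf) != 2) return WMF_BAD_HEADER;  /* mtType: memory or disk */
    if (rd16le(buf + 2) != WMF_HEADER_WORDS) return WMF_BAD_HEADER;    /* mtHeaderSize */
    max_record_words = rd32le(buf + 12);                               /* mtMaxRecord */
    for (off = WMF_HEADER_BYTES;;) {
        uint32_t rd_size;
        uint16_t func;
        size_t rec_bytes, param_bytes;
        if (len - off < 6) return WMF_TRUNCATED;                    /* off <= len holds throughout */
        rd_size = rd32le(buf + off);
        func = rd16le(buf + off + 4);
        if (rd_size < WMF_RECORD_MIN_WORDS) return WMF_BAD_RECORD;  /* would underflow below */
        if (rd_size > max_record_words) return WMF_BAD_RECORD;      /* header's own promise */
        if (rd_size > (len - off) / 2) return WMF_TRUNCATED;        /* compare in words, no multiply */
        rec_bytes = (size_t)rd_size * 2;                             /* cannot exceed len - off */
        param_bytes = rec_bytes - 6;
        /* A renderer would now dispatch on func with (buf + off + 6, param_bytes); the handler
         * can trust param_bytes because it was bounded above, not derived from rd_size alone. */
        (void)param_bytes;
        if (func == WMF_FUNC_EOF) { if (records_out) *records_out = n; return WMF_OK; }
        n++;
        off += rec_bytes;
    }
}

/* Constructed 32-byte sample: header, one META_SETMAPMODE(MM_TEXT) record, META_EOF. */
static const uint8_t WMF_SAMPLE[] = {
    0x01, 0x00, 0x09, 0x00, 0x00, 0x03,             /* mtType=1, mtHeaderSize=9, mtVersion=0x0300 */
    0x10, 0x00, 0x00, 0x00, 0x00, 0x00,             /* mtSize=16 words, mtNoObjects=0 */
    0x04, 0x00, 0x00, 0x00, 0x00, 0x00,             /* mtMaxRecord=4 words, mtNoParameters=0 */
    0x04, 0x00, 0x00, 0x00, 0x03, 0x01, 0x01, 0x00, /* rdSize=4, rdFunction=0x0103, parm=1 */
    0x03, 0x00, 0x00, 0x00, 0x00, 0x00,             /* rdSize=3, rdFunction=0 (EOF) */
};

/* Walk the sample; returns its record count, or SIZE_MAX if it is rejected. */
size_t wmf_sample_record_count(void) {
    size_t n = 0;
    return wmf_walk(WMF_SAMPLE, sizeof WMF_SAMPLE, &n) == WMF_OK ? n : SIZE_MAX;
}

/* Copy the sample, plant an attacker-chosen rdSize on the first record (mirrored into
 * mtMaxRecord so that only the bounds checks decide), and walk the result. */
enum wmf_status wmf_walk_mutated(uint32_t first_rd_size) {
    uint8_t copy[sizeof WMF_SAMPLE];
    memcpy(copy, WMF_SAMPLE, sizeof copy);
    copy[12] = copy[18] = (uint8_t)first_rd_size;
    copy[13] = copy[19] = (uint8_t)(first_rd_size >> 8);
    copy[14] = copy[20] = (uint8_t)(first_rd_size >> 16);
    copy[15] = copy[21] = (uint8_t)(first_rd_size >> 24);
    return wmf_walk(copy, sizeof copy, NULL);
}

int main(void) {
    printf("unsafe bytes for rdSize=1: 0x%08x, for rdSize=0x80000003: 0x%08x\n",
           wmf_param_bytes_unsafe(1u), wmf_param_bytes_unsafe(0x80000003u));
    printf("sample records: %zu, rdSize=0 -> %d, rdSize=0x80000003 -> %d\n",
           wmf_sample_record_count(), (int)wmf_walk_mutated(0u), (int)wmf_walk_mutated(0x80000003u));
    return 0;
}
```

A record of rdSize 7 in the mutated sample is accepted by the bounds check but swallows the EOF record as parameters, so the walk ends in WMF_TRUNCATED rather than in a copy past the end of the buffer; that is the behaviour a bounded parser should have on a file that lies about its sizes.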
awalker0878 (Thread Starter):

Unauthorized Patch For Microsoft WMF Bug Sparks Controversy

Sober worm may hit tomorrow, but businesses are more concerned about the WMF vulnerability and Microsoft's inability to produce a patch this week. Some are choosing an alternative that could lead to other problems.

By Larry Greenemeier
InformationWeek

Jan 4, 2006 01:00 PM

Concerns over the lack of a Microsoft-issued patch have pushed the Windows Metafile/Zero-Day bug to top of mind, surpassing even tomorrow's much-anticipated Sober worm attack.

The lag time between the Dec. 27 discovery of the WMF vulnerability and Microsoft's planned Jan. 10 patch availability has forced IT security departments to find alternative means for protecting their systems and prompted a non-Microsoft developer to create a patch that others could use.

All of this serves to damage Microsoft's reputation as a company that can secure its own products—a reputation that only recently was beginning to improve after years of being dragged through the mud. Experts are divided over whether it's wise to use Ilfak Guilfanov's Hexblog patch to fix the WMF vulnerability, which could allow attackers to use WMF images to execute malicious code on their victims' computers. Some say it's a necessary measure to protect systems until the official Microsoft patch arrives; others say it's not worth the extra work to patch twice or to take the risk of using a third-party fix.

"We're advising against this third-party patch," says Gartner VP and research fellow John Pescatore. Even if the patch works perfectly, users will have to modify their Windows environments when they deploy the patch, and then uninstall the patch by next Tuesday, leaving two opportunities for something to go wrong. Gartner advises that companies should employ workarounds that ensure that their URL-blocking capabilities are up to date, that all WMF files are blocked, and that they expedite testing and deployment of Microsoft's patch when it becomes available.

But the SANS Institute's Internet Storm Center recommended Tuesday that users not wait for Microsoft's fix, but unregister a vulnerable Dynamic Link Library, or DLL (executable program modules in Windows), and apply Guilfanov's patch.

Either way, the WMF vulnerability has been widely acknowledged as a major security threat. The vulnerability is already being exploited, and Symantec has raised its ThreatCon to a Level 3, out of four. The company, which last placed a ThreatCon Level 3 in July 2004 because of MyDoom.M, has expressed concern over the window of time Microsoft has allowed between discovery of the vulnerability and the planned issuance of a patch. Symantec recommends that companies instruct their users to avoid opening unknown or unexpected E-mail attachments or following Web links from unknown or unverified sources, and turn off preview features on E-mail programs to prevent infection from HTML E-mails. The WMF vulnerability affects a number of different versions of Windows XP, Server 2003, ME, 98, and 2000, as well as some versions of Lotus Notes.

Microsoft claims, via its Security Response Center blog, that the company is continuing to work on finalizing a security update for the vulnerability in WMF. In the blog, Security Response Center operations manager Mike Reavey acknowledges that in Microsoft's effort to "put this security fix on a fast track, a pre-release version of the update was briefly and inadvertently posted on a security community site." Microsoft is recommending its customers disregard the posting and wait until a fully tested patch is issued next week.

Microsoft's response to the vulnerability has been particularly poor, says the assistant VP of IT security for a global financial-services firm. While Microsoft has chosen to patch the WMF vulnerability during its normal Patch Tuesday download, this comes well after it should have. "They have historically released patches on special occasions, and this is clearly one of those occasions," she says, preferring to speak anonymously on the topic of an unpatched vulnerability. She added that her company has "wasted countless man-hours" to mitigate the chance of being hit by an exploit, but that no amount of workarounds can fully replace a patch from the vendor.

Third-party patches are not a new concept, but the one issued for the WMF vulnerability is particularly troubling because it raises the question of why Microsoft couldn't issue its own patch in a timely fashion. In fact, the availability of Guilfanov's Hexblog patch makes Microsoft look even worse, the financial-services assistant VP of IT security says. "If a third party can put out a stable patch, Microsoft should have been able to," she adds. "It shames Microsoft."

While the popular Hexblog patch—Guilfanov's Web site was down on Wednesday morning, possibly because of bandwidth issues—is by all appearances a solid piece of coding, the financial-services firm won't download the patch because of the risk of implementing a patch that's not been properly tested, "which it isn't because it's not coming from Microsoft," the assistant VP adds.

As long as Windows systems remain unpatched, companies are at risk for WMF exploits whenever their employees browse the Internet. "There's no way for you to know whether a site is dangerous for a WMF exploit," says Ken Dunham, director of VeriSign iDefense's rapid response team. Even if companies set their defenses to strip out all executable files from incoming E-mails and instant messages, attackers can disguise their executables to look like a JPG or GIF file.

As of Jan. 2, VeriSign iDefense had found at least 67 hostile sites containing exploits against the WMF vulnerability, and the company is investigating another 100 sites. When users visit these malicious sites, their computers can be infected with Trojans, adware, spyware, or files that use them as a base for sending out spam to other computers.

Unlike the Sober worm, which spreads spam with politically charged messages but tends not to damage systems, WMF vulnerability-inspired spam is much more malicious. VeriSign iDefense captured a WMF culprit on Dec. 28 that used the output.gif file to spam messages over the Internet from a company called Smallcap-Investors, which promotes a Chinese pharmaceutical company called Habin Pingchuan Pharmaceutical. The spam message was sent out as a GIF file in an apparent attempt to evade spam filters. Using spam as the underpinning of a stock "pump and dump" scheme, Smallcap encouraged users to buy cheap stocks. As is typical in such a ruse, once the fraudster has raised the value of the stock, he or she sells off the stock, making it worthless to the victims who've been duped into investing.

Another WMF exploit came in the form of the HappyNY.a worm, which looks to a user like a JPG file but is actually a malicious WMF file. The HappyNY.a worm contains Nascene.C code, which attempts to exploit the WMF vulnerability and fully compromise a user's computer.

If users come to depend too much on third-party patches to avoid such scams, it could set a dangerous precedent for security. "You'll see phishing E-mails that say they offer volunteer patches," Pescatore says. "If people start using these sites that are not from a vendor, this could be a whole new problem."

Concerns over the proliferation of Microsoft-based phishing scams come as an Iowa man recently pleaded guilty to computer fraud charges arising from a phishing scheme conducted from January 2003 through June 2004 on Microsoft's MSN Internet service. The scam involved sending E-mail falsely claiming that MSN customers would receive a 50% credit toward their next bill.

Meanwhile, the buzz around the WMF vulnerability has helped eclipse concerns over the upcoming Sober worm threat. "All of the antivirus guys have put out their signature updates" for the latest incarnation of Sober, and "the payload has been analyzed, so you know what DNS servers it's going to call," Pescatore says. The most important thing for IT security professionals to realize is that there is a patch for Sober and that, while the attacks will start by Jan. 5, there will likely be new variants of Sober each subsequent week.

On Jan. 5, the code contained in the Sober worm will start updating and sending itself out to thousands, if not millions, of computers, adds Dunham. So far, the Sober attacks have been more motivated at spreading political and social messages rather than delivering malicious payloads. "Sober has the ability to download code, but the attackers haven't done this," he adds. "Instead, they use it to send spam and clog E-mail servers and promote their agenda."

Signature-based antivirus programs won't have any problems detecting known variants of Sober. New variants will prove a bit trickier, and companies should make sure executable and JPG attachments are stripped out of E-mails traversing their networks, says Shane Coursen, a senior technical consultant for antivirus software maker Kaspersky Lab. For this latest generation of Sober, companies will rely less on signature-based antivirus defenses and more on those that employ heuristic routines that flag strange behavior on the network.
 

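The article above reports that WMF exploits were shipped under JPG or GIF names and that gateways which only strip executables did not catch them. As an added example (not from the article, Symantec or any vendor named on the page), the C code below classifies an attachment by its leading bytes rather than by its name and applies a gateway policy of the kind the article's sources describe for the unpatched window: block any metafile content whatever it is called, and block an image extension whose bytes are not that image. The magic bytes are the public JPEG, GIF, PNG, WMF and EMF signatures; the attachment list, the file names and the policy itself are constructed for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum img_kind { IMG_UNKNOWN = 0, IMG_JPEG, IMG_GIF, IMG_PNG, IMG_WMF, IMG_EMF };
enum verdict  { ALLOW = 0, BLOCK_METAFILE = 1, BLOCK_MISMATCH = 2 };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Classify by leading bytes only; the name the sender chose is never consulted. */
enum img_kind img_sniff(const uint8_t *d, size_t n) {
    if (n >= 3 && d[0] == 0xFF && d[1] == 0xD8 && d[2] == 0xFF) return IMG_JPEG;
    if (n >= 6 && (!memcmp(d, "GIF87a", 6) || !memcmp(d, "GIF89a", 6))) return IMG_GIF;
    if (n >= 8 && !memcmp(d, "\x89PNG\r\n\x1a\n", 8)) return IMG_PNG;
    /* Placeable WMF: 22-byte Aldus header whose key is 0x9AC6CDD7, little-endian on disk. */
    if (n >= 22 && le32(d) == 0x9AC6CDD7u) return IMG_WMF;
    /* EMF: the file opens with an EMR_HEADER record (type 1) carrying " EMF" at offset 40. */
    if (n >= 44 && le32(d) == 1 && le32(d + 40) == 0x464D4520u) return IMG_EMF;
    /* Standard WMF METAHEADER: mtType 1 or 2, mtHeaderSize 9 words, mtVersion 0x0100 or 0x0300. */
    if (n >= 18 && (le16(d) == 1 || le16(d) == 2) && le16(d + 2) == 9 &&
        (le16(d + 4) == 0x0100 || le16(d + 4) == 0x0300)) return IMG_WMF;
    return IMG_UNKNOWN;
}

/* Map the claimed extension (case-insensitive) to the kind it promises. */
static enum img_kind claimed_kind(const char *filename) {
    const char *dot = strrchr(filename, '.');
    char ext[8] = {0};
    size_t i;
    if (!dot) return IMG_UNKNOWN;
    for (i = 0; dot[1 + i] && i < sizeof ext - 1; i++)
        ext[i] = (char)tolower((unsigned char)dot[1 + i]);
    if (!strcmp(ext, "jpg") || !strcmp(ext, "jpeg")) return IMG_JPEG;
    if (!strcmp(ext, "gif")) return IMG_GIF;
    if (!strcmp(ext, "png")) return IMG_PNG;
    if (!strcmp(ext, "wmf")) return IMG_WMF;
    if (!strcmp(ext, "emf")) return IMG_EMF;
    return IMG_UNKNOWN;
}

/* Constructed policy: metafile content is blocked regardless of name, since a WMF named
 * .jpg still reaches the vulnerable renderer as the article describes; an image extension
 * whose bytes are a different format is blocked as a disguise. */
enum verdict img_verdict(const char *filename, const uint8_t *d, size_t n) {
    enum img_kind actual = img_sniff(d, n);
    enum img_kind claimed = claimed_kind(filename);
    if (actual == IMG_WMF || actual == IMG_EMF) return BLOCK_METAFILE;
    if (claimed != IMG_UNKNOWN && claimed != actual) return BLOCK_MISMATCH;
    return ALLOW;
}

/* Constructed samples: just enough header bytes for classification. */
static const uint8_t SAMPLE_JPEG[] = { 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00 };
static const uint8_t SAMPLE_GIF[]  = { 'G', 'I', 'F', '8', '9', 'a', 0x01, 0x00, 0x01, 0x00 };
static const uint8_t SAMPLE_WMF_JPG[] = {              /* placeable WMF that would be mailed as a .jpg */
    0xD7, 0xCD, 0xC6, 0x9A, 0x00, 0x00,                /* key 0x9AC6CDD7, hmf */
    0x00, 0x00, 0x00, 0x00, 0x64, 0x00, 0x64, 0x00,    /* bounding box */
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,    /* inch=96, reserved, checksum */
    0x01, 0x00, 0x09, 0x00, 0x00, 0x03,                /* standard METAHEADER begins */
};
static const uint8_t SAMPLE_EMF[44] = { 0x01, 0x00, 0x00, 0x00, [40] = 0x20, 0x45, 0x4D, 0x46 };

struct attachment { const char *name; const uint8_t *data; size_t len; };

/* Run the policy over a constructed attachment list; returns how many were blocked. */
size_t img_scan_demo(void) {
    const struct attachment mail[] = {
        { "holiday.jpg", SAMPLE_JPEG,    sizeof SAMPLE_JPEG },
        { "output.gif",  SAMPLE_GIF,     sizeof SAMPLE_GIF },
        { "card.jpg",    SAMPLE_WMF_JPG, sizeof SAMPLE_WMF_JPG },
        { "chart.emf",   SAMPLE_EMF,     sizeof SAMPLE_EMF },
        { "banner.gif",  SAMPLE_JPEG,    sizeof SAMPLE_JPEG },
    };
    size_t i, blocked = 0;
    for (i = 0; i < sizeof mail / sizeof mail[0]; i++) {
        enum verdict v = img_verdict(mail[i].name, mail[i].data, mail[i].len);
        printf("%-12s %s\n", mail[i].name, v == ALLOW ? "allow" :
               v == BLOCK_METAFILE ? "block: metafile content" : "block: extension/content mismatch");
        if (v != ALLOW) blocked++;
    }
    return blocked;
}

int main(void) { printf("blocked %zu of 5\n", img_scan_demo()); return 0; }
```

The sniffing is deliberately shallow (header only); it decides what an attachment is, not whether it is malicious, which is why the policy blocks the whole format during the window rather than trying to recognise a particular exploit.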