FYI - Warning. New Windows vulnerabilty.

You may have heard about this already but just in case :

http://www.microsoft.com/technet/sec...ry/912840.mspx

http://securityresponse.symantec.com...xploit.56.html

What is the scope of the advisory?
Microsoft is aware of a new vulnerability report affecting the Graphics
Rendering Engine in Microsoft Windows.

Is this a security vulnerability that requires Microsoft to issue a security
update?
We are currently investigating the issue to determine the appropriate course
of action for customers. We will include the fix for this issue in an
upcoming security bulletin.

What causes the vulnerability?
A vulnerability exists in the way specially crafted Windows Metafile (WMF)
images are handled that could allow arbitrary code to be executed.

What is the Windows Metafile (WMF) image format?
A Windows Metafile (WMF) image is a 16-bit metafile format that can contain
both vector information and bitmap information. It is optimized for the
Windows operating system.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of the affected system. In a Web-based attack scenario, an
attacker would host a Web site that exploits this vulnerability. An attacker
would have no way to force users to visit a malicious Web site. Instead, an
attacker would have to persuade them to visit the Web site, typically by
getting them to click a link that takes them to the attacker's site. It
could also be possible to display specially crafted Web content by using
banner advertisements or by using other methods to deliver Web content to
affected systems.

How could an attacker exploit the vulnerability?
An attacker could host a malicious Web site that is designed to exploit this
vulnerability through Internet Explorer and then persuade a user to view the
Web site.

I am reading e-mail in plain text, does this help mitigate the
vulnerability?
Yes. Reading e-mail in plain text does mitigate this vulnerability where the
e-mail vector is concerned although clicking on a link would still put users
at risk.

Does this vulnerability affect image formats other than Windows Metafile
(WMF)?
At this point, the only image format affected is the Windows Metafile (WMF)
format. It is possible however than an attacker could rename the file
extension of a WMF file to that of a different image format. In this
situation, it is likely that the Graphic Rendering engine would detect and
render the file as a WMF image which could allow exploitation.


John L Rice

On Mon, 2 Jan 2006 14:01:19 -0800, "John L Rice"
wrote:

You may have heard about this already but just in case :

http://www.microsoft.com/technet/sec...ry/912840.mspx

http://securityresponse.symantec.com...xploit.56.html


snip

Does this vulnerability affect image formats other than Windows Metafile
(WMF)?
At this point, the only image format affected is the Windows Metafile (WMF)
format. It is possible however than an attacker could rename the file
extension of a WMF file to that of a different image format. In this
situation, it is likely that the Graphic Rendering engine would detect and
render the file as a WMF image which could allow exploitation.

Unless something specific is done to stop it the GRE *will* attempt to
render the file as a WMF which *will* allow exploitation.

Using text only mail, and a good firewall will help, but only
disabling the GRE, which can be done will prevent the malicious site
from infecting the computer.

There is one unoficial fix available, but I'll not point any one to an
unoficial fix. Check with the Inforworld site, or other professional
sites.

Roger Halstead (K8RI & ARRL life member)
(N833R, S# CD-2 Worlds oldest Debonair)
www.rogerhalstead.com




John L Rice