Windows WMF Vulnerability Patch Released

 
 
Rob J
Guest
Posts: n/a
 
      01-06-2006
http://www.microsoft.com/technet/sec.../ms06-001.mspx

Microsoft Security Bulletin MS06-001
Vulnerability in Graphics Rendering Engine Could Allow Remote Code
Execution (912919)
Published: January 5, 2006

Version: 1.0
Summary

Who should read this document: Customers who use Microsoft Windows

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the update immediately.

Security Update Replacement: None

Tested Software and Security Update Download Locations:

Affected Software:

- Microsoft Windows 2000 Service Pack 4 - Download the update
- Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service
  Pack 2 - Download the update
- Microsoft Windows XP Professional x64 Edition - Download the update
- Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service
  Pack 1 - Download the update
- Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft
  Windows Server 2003 with SP1 for Itanium-based Systems - Download the
  update
- Microsoft Windows Server 2003 x64 Edition - Download the update
- Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
  Microsoft Windows Millennium Edition (ME) - Review the FAQ section of
  this bulletin for details about these operating systems.

Note The security updates for Microsoft Windows Server 2003, Microsoft
Windows Server 2003 Service Pack 1, and Microsoft Windows Server 2003
x64 Edition also apply to Microsoft Windows Server 2003 R2.

The software in this list has been tested to determine whether the
versions are affected. Other versions either no longer include security
update support or may not be affected. To determine the support life
cycle for your product and version, visit the Microsoft Support
Lifecycle Web site.
General Information

Executive Summary:

This update resolves a newly-discovered, public vulnerability. The
vulnerability is documented in the "Vulnerability Details" section of
this bulletin.

Note This vulnerability is currently being exploited and was previously
discussed by Microsoft in Microsoft Security Advisory 912840.

If a user is logged on with administrative user rights, an attacker who
successfully exploited this vulnerability could take complete control of
an affected system. An attacker could then install programs; view,
change, or delete data; or create new accounts with full user rights.
Users whose accounts are configured to have fewer user rights on the
system could be less impacted than users who operate with administrative
user rights.

We recommend that customers apply the update immediately.

Severity Ratings and Vulnerability Identifiers:

Vulnerability Identifier: Graphics Rendering Engine Vulnerability -
CVE-2005-4560
Impact of Vulnerability: Remote Code Execution

Severity by platform:
- Windows 98, Windows 98 SE, and Windows ME: Not Critical
- Windows 2000: Critical
- Windows XP Service Pack 1: Critical
- Windows XP Service Pack 2: Critical
- Windows Server 2003: Critical
- Windows Server 2003 Service Pack 1: Critical

This assessment is based on the types of systems that are affected by
the vulnerability, their typical deployment patterns, and the effect
that exploiting the vulnerability would have on them.

Note The severity ratings for non-x86 operating system versions map to
the x86 operating systems versions as follows:

- The Microsoft Windows XP Professional x64 Edition severity rating is the
  same as the Windows XP Service Pack 2 severity rating.
- The Microsoft Windows Server 2003 for Itanium-based Systems severity
  rating is the same as the Windows Server 2003 severity rating.
- The Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
  severity rating is the same as the Windows Server 2003 Service Pack 1
  severity rating.
- The Microsoft Windows Server 2003 x64 Edition severity rating is the
  same as the Windows Server 2003 Service Pack 1 severity rating.

Frequently asked questions (FAQ) related to this security update

Does this update contain any security-related changes to functionality?
Yes. The change introduced to address this vulnerability removes the
support for the SETABORTPROC record type from the META_ESCAPE record in
a WMF image. This update does not remove support for ABORTPROC functions
registered by application SetAbortProc() API calls.

How does the extended support for Windows 98, Windows 98 Second Edition,
and Windows Millennium Edition affect the release of security updates
for these operating systems?
For these versions of Windows, Microsoft will only release security
updates for critical security issues. Non-critical security issues are
not offered during this support period. For more information about the
Microsoft Support Lifecycle policies for these operating systems, visit
the following Web site.

For more information about severity ratings, visit the following Web
site.

Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition
critically affected by one or more of the vulnerabilities that are
addressed in this security bulletin?
No. Although Windows 98, Windows 98 Second Edition, and Windows
Millennium Edition do contain the affected component, the vulnerability
is not critical because an exploitable attack vector has not been
identified that would yield a Critical severity rating for these
versions. For more information about severity ratings, visit the
following Web site.

Extended security update support for Microsoft Windows NT Workstation
4.0 Service Pack 6a and Windows 2000 Service Pack 2 ended on June 30,
2004. Extended security update support for Microsoft Windows NT Server
4.0 Service Pack 6a ended on December 31, 2004. Extended security update
support for Microsoft Windows 2000 Service Pack 3 ended on June 30,
2005. I'm still using one of these operating systems, what should I do?
Windows NT Workstation 4.0 Service Pack 6a, Windows NT Server 4.0
Service Pack 6a, Windows 2000 Service Pack 2, and Windows 2000 Service
Pack 3 have reached the end of their support life cycles. It should be a
priority for customers who have these operating system versions to
migrate to supported versions to prevent potential exposure to
vulnerabilities. For more information about the Windows Product
Lifecycle, visit the following Microsoft Support Lifecycle Web site. For
more information about the extended security update support period for
these operating system versions, visit the Microsoft Product Support
Services Web site.

Customers who require additional support for Windows NT 4.0 Service Pack
6a and Windows 2000 Service Pack 3 must contact their Microsoft account
team representative, their Technical Account Manager, or the appropriate
Microsoft partner representative for custom support options. Customers
without an Alliance, Premier, or Authorized Contract can contact their
local Microsoft sales office. For contact information, visit the
Microsoft Worldwide Information Web site, select the country, and then
click Go to see a list of telephone numbers. When you call, ask to speak
with the local Premier Support sales manager.

For more information, see the Windows Operating System Product Support
Lifecycle FAQ.

Can I use the Microsoft Baseline Security Analyzer (MBSA) 1.2.1 to
determine whether this update is required?
Yes. MBSA 1.2.1 will determine whether this update is required. For more
information about MBSA, visit the MBSA Web site.

Can I use the Microsoft Baseline Security Analyzer (MBSA) 2.0 to
determine whether this update is required?
Yes. MBSA 2.0 will determine whether this update is required. MBSA 2.0
can detect security updates for products that Microsoft Update supports.
For more information about MBSA, visit the MBSA Web site.

Can I use Systems Management Server (SMS) to determine whether this
update is required?
Yes. SMS can help detect and deploy this security update. For
information about SMS, visit the SMS Web site.

The Security Update Inventory Tool can be used by SMS for detecting
security updates that are offered by Windows Update, that are supported
by Software Update Services, and other security updates that are
supported by MBSA 1.2.1. For more information about the Security Update
Inventory Tool, see the following Microsoft Web site. For more
information about the limitations of the Security Update Inventory Tool,
see Microsoft Knowledge Base Article 306460.

The SMS 2003 Inventory Tool for Microsoft Updates can be used by SMS for
detecting security updates that are offered by Microsoft Update and that
are supported by Windows Server Update Services. For more information
about the SMS 2003 Inventory Tool for Microsoft Updates, see the
following Microsoft Web site.

For more information about SMS, visit the SMS Web site.

Vulnerability Details

Graphics Rendering Engine Vulnerability - CVE-2005-4560:

A remote code execution vulnerability exists in the Graphics Rendering
Engine because of the way that it handles Windows Metafile (WMF) images.
An attacker could exploit the vulnerability by constructing a specially
crafted WMF image that could potentially allow remote code execution if
a user visited a malicious Web site or opened a specially crafted
attachment in e-mail. An attacker who successfully exploited this
vulnerability could take complete control of an affected system.

Mitigating Factors for Graphics Rendering Engine Vulnerability -
CVE-2005-4560:

- In a Web-based attack scenario, an attacker could host a Web site that
  contains a Web page that is used to exploit this vulnerability. Also,
  Web sites that accept or host user-provided content or advertisements,
  and compromised Web sites, may contain malicious content that could
  exploit this vulnerability. In all cases, however, an attacker would
  have no way to force users to visit these Web sites. Instead, an
  attacker would have to persuade users to visit the Web site, typically
  by getting them to click a link in an e-mail or Instant Messenger
  request that takes users to the attacker's Web site.
- An attacker who successfully exploited this vulnerability could gain the
  same user rights as the local user. Users whose accounts are configured
  to have fewer user rights on the system could be less impacted than
  users who operate with administrative user rights.

Workarounds for Graphics Rendering Engine Vulnerability - CVE-2005-4560:

Microsoft has tested the following workaround. While this workaround
will not correct the underlying vulnerability, it will help block known
attack vectors.
- Unregister the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows
  XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and
  Windows Server 2003 Service Pack 1

Microsoft has tested the following workaround. While this workaround
will not correct the underlying vulnerability, it helps block known
attack vectors. When a workaround reduces functionality, it is
identified in the following section.

Note This workaround is intended to help protect against Web based
exploit vectors and is not effective against exploits that have Windows
Metafile images embedded in Word documents and other similar attack
vectors.

Note The following steps require Administrative privileges. We recommend
that you restart the computer after you apply this workaround.
Alternatively, you can log out and log back in after you apply the
workaround. However, we do recommend that you restart the computer.

To un-register Shimgvw.dll, follow these steps:

1. Click Start, click Run, type
   "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation
   marks), and then click OK.

2. When a dialog box appears that confirms that the process has been
   successful, click OK.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer
start when users click a link to an image type that is associated with
the Windows Picture and Fax Viewer.

To undo this workaround after the security update has been deployed,
reregister Shimgvw.dll. To do this, use this same procedure, but replace
the text in step 1 with "regsvr32 %windir%\system32\shimgvw.dll"
(without the quotation marks).

FAQ for Graphics Rendering Engine Vulnerability - CVE-2005-4560:

What is the scope of the vulnerability?
This is a remote code execution vulnerability. If a user is logged on
with administrative user rights, an attacker who successfully exploited
this vulnerability could take complete control of an affected system. An
attacker could then install programs; view, change, or delete data; or
create new accounts with full user rights. Users whose accounts are
configured to have fewer user rights on the system could be less
impacted than users who operate with administrative user rights.

What causes the vulnerability?
A vulnerability exists in the way that the Graphics Rendering Engine
handles specially crafted WMF images that could allow arbitrary code to
be executed.

What is the Windows Metafile (WMF) image format?
A Windows Metafile (WMF) image is a 16-bit metafile format that can
contain both vector information and bitmap information. It is optimized
for the Windows operating system.

For more information about image types and formats, see Microsoft
Knowledge Base Article 320314 or visit the MSDN Library Web site.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of the affected system.

How could an attacker exploit the vulnerability?
An attacker could exploit this vulnerability by creating a malicious Web
page or a specially crafted attachment in e-mail and then persuading the
user to visit the page or open the attachment. If the user visited the
page or opened the attachment, the attacker could cause malicious code
to run in the security context of the locally logged on user. It could
also be possible to display specially crafted Web content by using
banner advertisements or by using other methods to deliver Web content
to affected systems.

An attacker could also attempt to exploit this vulnerability by
embedding a specially crafted Windows Metafile (WMF) image within other
files such as Word documents and convince a user to open this document.

What systems are primarily at risk from the vulnerability?
This vulnerability requires that a user is logged on and reading e-mail
or visiting Web sites for any malicious action to occur. Therefore, any
systems where e-mail is read or where Internet Explorer is used
frequently, such as workstations or terminal servers, are at the most
risk from this vulnerability. Systems that are not typically used to
read e-mail or to visit Web sites, such as most server systems, are at a
reduced risk.

Does this vulnerability affect image formats other than Windows Metafile
(WMF)?
The only image format that is affected is the Windows Metafile (WMF)
format. It is possible, however, that an attacker could rename the file
name extension of a WMF file to that of a different image format. In
this situation, it is likely that the Graphics Rendering Engine would
detect and render the file as a WMF image, which could allow
exploitation.

If I block files that use the .wmf file name extension, can this protect
me against attempts to exploit this vulnerability?
No. The Graphics Rendering Engine does not determine file types by the
file name extensions that they use. Therefore, if an attacker alters the
file name extension of a WMF file, the Graphics Rendering Engine could
still render the file in a way that could exploit the vulnerability.

Does the workaround in this bulletin protect me from attempts to exploit
this vulnerability through WMF images with changed extensions?
Yes. The workaround in this bulletin helps protect against WMF images
with changed extensions. This workaround is only effective in scenarios
where the Windows Picture and Fax Viewer (Shimgvw.dll) would have been
opened. This workaround is intended to help protect against Web based
exploit vectors and is not effective against exploits that have Windows
Metafile images embedded in Word documents and other similar attack
vectors.

What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers could
be at more risk if users who do not have sufficient administrative
permissions are given the ability to log on to servers and to run
programs. However, best practices strongly discourage allowing this.

Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition
critically affected by this vulnerability?
No. Although Windows Millennium Edition does contain the affected
component, the vulnerability is not critical. For more information about
severity ratings, visit the following Web site.

What does the update do?
The update removes the vulnerability by modifying the way that Windows
Metafile (WMF) images are handled.

Specifically, the change introduced to address this vulnerability
removes the support for the SETABORTPROC record type from the
META_ESCAPE record in a WMF image. This update does not remove support
for ABORTPROC functions registered by application SetAbortProc() API
calls.

When this security bulletin was issued, had this vulnerability been
publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It has been
assigned Common Vulnerability and Exposure number CVE-2005-4560.

When this security bulletin was issued, had Microsoft received any
reports that this vulnerability was being exploited?
Yes. When the security bulletin was released, Microsoft had received
information that this vulnerability was being exploited.

Does applying this security update help protect customers from the code
that has been published publicly that attempts to exploit this
vulnerability?
Yes. This security update addresses the vulnerability that is currently
being exploited. The vulnerability that has been addressed has been
assigned the Common Vulnerability and Exposure number CVE-2005-4560.

What's Microsoft's response to the availability of third party patches
for the WMF vulnerability?
Microsoft recommends that customers download and deploy the security
update associated with this security bulletin.

As a general rule, it is a best practice to obtain security updates for
software vulnerabilities from the original vendor of the software. With
Microsoft software, Microsoft carefully reviews and tests security
updates to ensure that they are of high quality and have been evaluated
thoroughly for application compatibility. In addition, Microsoft's
security updates are offered in 23 languages for all affected versions
of the software simultaneously.

Microsoft cannot provide similar assurance for independent third party
security updates.

How does this vulnerability relate to the vulnerabilities that were
corrected by MS05-053?
Both vulnerabilities were in the Graphics Rendering Engine. However,
this update addresses a new vulnerability that was not addressed as part
of MS05-053. MS05-053 helps protect against the vulnerability that is
discussed in that bulletin, but does not address this new vulnerability.
This update does not replace MS05-053. You must install this update and
the update that is provided as part of the MS05-053 security bulletin to
help protect your system against both vulnerabilities.

<snip>
 
Reply With Quote
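Added example, not part of the original post or of the bulletin: a content-based check reflecting the FAQ's two points that the file name extension does not decide how the data is rendered and that the update drops SETABORTPROC from META_ESCAPE. It recognises WMF data by its header and reports META_ESCAPE records whose escape function is SETABORTPROC. The record layout and numeric constants are taken from the published WMF format rather than from this page, and the sample bytes are constructed.

```python
import struct

# Constants from the published WMF format (not stated on the page).
PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte "placeable" pre-header
META_ESCAPE = 0x0626          # record function: META_ESCAPE
META_SETMAPMODE = 0x0103      # benign record used in the sample
META_EOF = 0x0000             # terminating record
SETABORTPROC = 0x0009         # escape function named in the bulletin


def wmf_header_offset(data):
    """Offset of the 18-byte WMF header, or None if data is not WMF.

    Looks only at content, so a renamed extension makes no difference.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        return None
    ftype, header_words, version = struct.unpack_from("<HHH", data, off)
    if ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300):
        return off
    return None


def find_setabortproc(data):
    """Byte offsets of META_ESCAPE records whose escape function is
    SETABORTPROC; None if data is not WMF. Raises ValueError on a record
    whose declared size is impossible, so corrupt input is not passed."""
    off = wmf_header_offset(data)
    if off is None:
        return None
    pos, hits = off + 18, []
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        size = size_words * 2                 # record size is in 16-bit words
        if size_words < 3 or pos + size > len(data):
            raise ValueError("malformed WMF record at offset %d" % pos)
        if func == META_EOF:
            break
        if func == META_ESCAPE and size >= 8:
            if struct.unpack_from("<H", data, pos + 6)[0] == SETABORTPROC:
                hits.append(pos)
        pos += size
    return hits


def record(func, params=b""):
    """Serialize one WMF record: size in words, function, parameters."""
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_sample(with_setabortproc):
    """Constructed test input: header plus records, no escape data bytes."""
    recs = []
    if with_setabortproc:
        # EscapeFunction = SETABORTPROC, ByteCount = 0 (empty payload)
        recs.append(record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)))
    recs.append(record(META_SETMAPMODE, struct.pack("<H", 8)))
    recs.append(record(META_EOF))
    body = b"".join(recs)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2,
                         0, max(len(r) for r in recs) // 2, 0)
    return header + body


if __name__ == "__main__":
    for label, blob in [("clean.wmf", build_sample(False)),
                        ("renamed.jpg", build_sample(True)),
                        ("real.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 24)]:
        print(label, find_setabortproc(blob))
```

A mail or web gateway filter would call `find_setabortproc` on the bytes of every image-typed attachment or response, whatever its declared name or MIME type.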
 
 
 
 
Ralph Fox
Guest
Posts: n/a
 
      01-06-2006
On Sat, 7 Jan 2006 00:36:19 +1300, in message
*<(E-Mail Removed)> , Rob J wrote:

> Subject: Windows WMF Vulnerability Patch Released


But not for Win9x/Me users.



--
Cheers,
Ralph

"Curiosity skilled the cat."
 
 
E. Scrooge
Guest
Posts: n/a
 
      01-06-2006

"Ralph Fox" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Sat, 7 Jan 2006 00:36:19 +1300, in message
> <(E-Mail Removed)> , Rob J wrote:
>
>> Subject: Windows WMF Vulnerability Patch Released

>
> But not for Win9x/Me users.
>
>
>
> --
> Cheers,
> Ralph


Yes, to not support those users is pretty damn irresponsible, and there's no
excuses for it when it comes to security issues.
As far as any other improvements for the old software goes, no problems with
that support being ended like it has.
No reason why XP won't last on PCs of today from year 2000 for at least 10
years.

The day will come when Microsoft no longer cares about XP any more than it
does for those who still use W95 & W98 etc.

E. Scrooge


 
 
Dave Doe
Guest
Posts: n/a
 
      01-06-2006
In article <(E-Mail Removed)>, http://www.velocityreviews.com/forums/(E-Mail Removed)lid
says...
> On Sat, 7 Jan 2006 00:36:19 +1300, in message
> *<(E-Mail Removed)> , Rob J wrote:
>
> > Subject: Windows WMF Vulnerability Patch Released

>
> But not for Win9x/Me users.


Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition
critically affected by one or more of the vulnerabilities that are
addressed in this security bulletin?
No. Although Windows 98, Windows 98 Second Edition, and Windows
Millennium Edition do contain the affected component, the vulnerability
is not critical because an exploitable attack vector has not been
identified that would yield a Critical severity rating for these
versions. For more information about severity ratings, visit the
following Web site.


--
Duncan
 
 
Ralph Fox
Guest
Posts: n/a
 
      01-07-2006
On Sat, 7 Jan 2006 12:25:59 +1300, in message
*<(E-Mail Removed) >, Dave Doe wrote:

> Although Windows 98, Windows 98 Second Edition, and Windows
> Millennium Edition do contain the affected component, the vulnerability
> is not critical because an exploitable attack vector has not been
> identified that would yield a Critical severity rating for these
> versions.


Microsoft use a different definition of "critical" for Win9x/Me.



--
Cheers,
Ralph

"Curiosity skilled the cat."



 
 
Rob J
Guest
Posts: n/a
 
      01-07-2006
In article <(E-Mail Removed)>, (E-Mail Removed)lid
says...
> On Sat, 7 Jan 2006 00:36:19 +1300, in message
> *<(E-Mail Removed)> , Rob J wrote:
>
> > Subject: Windows WMF Vulnerability Patch Released

>
> But not for Win9x/Me users.


That's right. You're running ancient crap OSs, out of support.
 
 
Rob J
Guest
Posts: n/a
 
      01-07-2006
In article <(E-Mail Removed)>, (E-Mail Removed)lid
says...
> On Sat, 7 Jan 2006 12:25:59 +1300, in message
> *<(E-Mail Removed) >, Dave Doe wrote:
>
> > Although Windows 98, Windows 98 Second Edition, and Windows
> > Millennium Edition do contain the affected component, the vulnerability
> > is not critical because an exploitable attack vector has not been
> > identified that would yield a Critical severity rating for these
> > versions.

>
> Microsoft use a different definition of "critical" for Win9x/Me.


These ancient obsolete products are in extended support phase.
 