Windows WMF Vulnerability Patch Released

Discussion in 'NZ Computing' started by Rob J, Jan 6, 2006.

  1. Rob J

    http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx

    Microsoft Security Bulletin MS06-001
    Vulnerability in Graphics Rendering Engine Could Allow Remote Code
    Execution (912919)
    Published: January 5, 2006

    Version: 1.0
    Summary

    Who should read this document: Customers who use Microsoft Windows

    Impact of Vulnerability: Remote Code Execution

    Maximum Severity Rating: Critical

    Recommendation: Customers should apply the update immediately.

    Security Update Replacement: None

    Tested Software and Security Update Download Locations:

    Affected Software:

    - Microsoft Windows 2000 Service Pack 4 - Download the update

    - Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service
      Pack 2 - Download the update

    - Microsoft Windows XP Professional x64 Edition - Download the update

    - Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service
      Pack 1 - Download the update

    - Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft
      Windows Server 2003 with SP1 for Itanium-based Systems - Download the
      update

    - Microsoft Windows Server 2003 x64 Edition - Download the update

    - Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
      Microsoft Windows Millennium Edition (ME) - Review the FAQ section of
      this bulletin for details about these operating systems.

    Note The security updates for Microsoft Windows Server 2003, Microsoft
    Windows Server 2003 Service Pack 1, and Microsoft Windows Server 2003
    x64 Edition also apply to Microsoft Windows Server 2003 R2.

    The software in this list has been tested to determine whether the
    versions are affected. Other versions either no longer include security
    update support or may not be affected. To determine the support life
    cycle for your product and version, visit the Microsoft Support
    Lifecycle Web site.
    General Information

    Executive Summary

    Executive Summary:

    This update resolves a newly-discovered, public vulnerability. The
    vulnerability is documented in the "Vulnerability Details" section of
    this bulletin.

    Note This vulnerability is currently being exploited and was previously
    discussed by Microsoft in Microsoft Security Advisory 912840.

    If a user is logged on with administrative user rights, an attacker who
    successfully exploited this vulnerability could take complete control of
    an affected system. An attacker could then install programs; view,
    change, or delete data; or create new accounts with full user rights.
    Users whose accounts are configured to have fewer user rights on the
    system could be less impacted than users who operate with administrative
    user rights.

    We recommend that customers apply the update immediately.

    Severity Ratings and Vulnerability Identifiers:

    Graphics Rendering Engine Vulnerability - CVE-2005-4560
    Impact of Vulnerability: Remote Code Execution
    Windows 98, Windows 98 SE, and Windows ME: Not Critical
    Windows 2000: Critical
    Windows XP Service Pack 1: Critical
    Windows XP Service Pack 2: Critical
    Windows Server 2003: Critical
    Windows Server 2003 Service Pack 1: Critical

    This assessment is based on the types of systems that are affected by
    the vulnerability, their typical deployment patterns, and the effect
    that exploiting the vulnerability would have on them.

    Note The severity ratings for non-x86 operating system versions map to
    the x86 operating systems versions as follows:

    - The Microsoft Windows XP Professional x64 Edition severity rating is the
      same as the Windows XP Service Pack 2 severity rating.

    - The Microsoft Windows Server 2003 for Itanium-based Systems severity
      rating is the same as the Windows Server 2003 severity rating.

    - The Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
      severity rating is the same as the Windows Server 2003 Service Pack 1
      severity rating.

    - The Microsoft Windows Server 2003 x64 Edition severity rating is the
      same as the Windows Server 2003 Service Pack 1 severity rating.

    Frequently asked questions (FAQ) related to this security update

    Does this update contain any security-related changes to functionality?
    Yes. The change introduced to address this vulnerability removes the
    support for the SETABORTPROC record type from the META_ESCAPE record in
    a WMF image. This update does not remove support for ABORTPROC functions
    registered by application SetAbortProc() API calls.

    How does the extended support for Windows 98, Windows 98 Second Edition,
    and Windows Millennium Edition affect the release of security updates
    for these operating systems?
    For these versions of Windows, Microsoft will only release security
    updates for critical security issues. Non-critical security issues are
    not offered during this support period. For more information about the
    Microsoft Support Lifecycle policies for these operating systems, visit
    the following Web site.

    For more information about severity ratings, visit the following Web
    site.

    Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition
    critically affected by one or more of the vulnerabilities that are
    addressed in this security bulletin?
    No. Although Windows 98, Windows 98 Second Edition, and Windows
    Millennium Edition do contain the affected component, the vulnerability
    is not critical because an exploitable attack vector has not been
    identified that would yield a Critical severity rating for these
    versions. For more information about severity ratings, visit the
    following Web site.

    Extended security update support for Microsoft Windows NT Workstation
    4.0 Service Pack 6a and Windows 2000 Service Pack 2 ended on June 30,
    2004. Extended security update support for Microsoft Windows NT Server
    4.0 Service Pack 6a ended on December 31, 2004. Extended security update
    support for Microsoft Windows 2000 Service Pack 3 ended on June 30,
    2005. I'm still using one of these operating systems, what should I do?
    Windows NT Workstation 4.0 Service Pack 6a, Windows NT Server 4.0
    Service Pack 6a, Windows 2000 Service Pack 2, and Windows 2000 Service
    Pack 3 have reached the end of their support life cycles. It should be a
    priority for customers who have these operating system versions to
    migrate to supported versions to prevent potential exposure to
    vulnerabilities. For more information about the Windows Product
    Lifecycle, visit the following Microsoft Support Lifecycle Web site. For
    more information about the extended security update support period for
    these operating system versions, visit the Microsoft Product Support
    Services Web site.

    Customers who require additional support for Windows NT 4.0 Service Pack
    6a and Windows 2000 Service Pack 3 must contact their Microsoft account
    team representative, their Technical Account Manager, or the appropriate
    Microsoft partner representative for custom support options. Customers
    without an Alliance, Premier, or Authorized Contract can contact their
    local Microsoft sales office. For contact information, visit the
    Microsoft Worldwide Information Web site, select the country, and then
    click Go to see a list of telephone numbers. When you call, ask to speak
    with the local Premier Support sales manager.

    For more information, see the Windows Operating System Product Support
    Lifecycle FAQ.

    Can I use the Microsoft Baseline Security Analyzer (MBSA) 1.2.1 to
    determine whether this update is required?
    Yes. MBSA 1.2.1 will determine whether this update is required. For more
    information about MBSA, visit the MBSA Web site.

    Can I use the Microsoft Baseline Security Analyzer (MBSA) 2.0 to
    determine whether this update is required?
    Yes. MBSA 2.0 will determine whether this update is required. MBSA 2.0
    can detect security updates for products that Microsoft Update supports.
    For more information about MBSA, visit the MBSA Web site.

    Can I use Systems Management Server (SMS) to determine whether this
    update is required?
    Yes. SMS can help detect and deploy this security update. For
    information about SMS, visit the SMS Web site.

    The Security Update Inventory Tool can be used by SMS for detecting
    security updates that are offered by Windows Update, that are supported
    by Software Update Services, and other security updates that are
    supported by MBSA 1.2.1. For more information about the Security Update
    Inventory Tool, see the following Microsoft Web site. For more
    information about the limitations of the Security Update Inventory Tool,
    see Microsoft Knowledge Base Article 306460.

    The SMS 2003 Inventory Tool for Microsoft Updates can be used by SMS for
    detecting security updates that are offered by Microsoft Update and that
    are supported by Windows Server Update Services. For more information
    about the SMS 2003 Inventory Tool for Microsoft Updates, see the
    following Microsoft Web site.

    For more information about SMS, visit the SMS Web site.

    Vulnerability Details

    Graphics Rendering Engine Vulnerability - CVE-2005-4560:

    A remote code execution vulnerability exists in the Graphics Rendering
    Engine because of the way that it handles Windows Metafile (WMF) images.
    An attacker could exploit the vulnerability by constructing a specially
    crafted WMF image that could potentially allow remote code execution if
    a user visited a malicious Web site or opened a specially crafted
    attachment in e-mail. An attacker who successfully exploited this
    vulnerability could take complete control of an affected system.

    Mitigating Factors for Graphics Rendering Engine Vulnerability - CVE-2005-4560:


    In a Web-based attack scenario, an attacker could host a Web site that
    contains a Web page that is used to exploit this vulnerability. Also,
    Web sites that accept or host user-provided content or advertisements,
    and compromised Web sites, may contain malicious content that could
    exploit this vulnerability. In all cases, however, an attacker would
    have no way to force users to visit these Web sites. Instead, an
    attacker would have to persuade users to visit the Web site, typically
    by getting them to click a link in an e-mail or Instant Messenger
    request that takes users to the attacker's Web site.

    An attacker who successfully exploited this vulnerability could gain the
    same user rights as the local user. Users whose accounts are configured
    to have fewer user rights on the system could be less impacted than
    users who operate with administrative user rights.

    Workarounds for Graphics Rendering Engine Vulnerability - CVE-2005-4560:

    Microsoft has tested the following workaround. While this workaround
    will not correct the underlying vulnerability, it will help block known
    attack vectors.

    Unregister the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows
    XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and
    Windows Server 2003 Service Pack 1

    Microsoft has tested the following workaround. While this workaround
    will not correct the underlying vulnerability, it helps block known
    attack vectors. When a workaround reduces functionality, it is
    identified in the following section.

    Note This workaround is intended to help protect against Web based
    exploit vectors and is not effective against exploits that have Windows
    Metafile images embedded in Word documents and other similar attack
    vectors.

    Note The following steps require Administrative privileges. We recommend
    that you restart the computer after you apply this workaround.
    Alternatively, you can log out and log back in after you apply the
    workaround. However, we do recommend that you restart the computer.

    To un-register Shimgvw.dll, follow these steps:

    1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll"
       (without the quotation marks), and then click OK.

    2. When a dialog box appears that confirms that the process has been
       successful, click OK.

    Impact of Workaround: The Windows Picture and Fax Viewer will no longer
    start when users click a link to an image type that is associated with
    the Windows Picture and Fax Viewer.

    To undo this workaround after the security update has been deployed,
    reregister Shimgvw.dll. To do this, use this same procedure, but replace
    the text in step 1 with "regsvr32 %windir%\system32\shimgvw.dll"
    (without the quotation marks).

    FAQ for Graphics Rendering Engine Vulnerability - CVE-2005-4560:

    What is the scope of the vulnerability?
    This is a remote code execution vulnerability. If a user is logged on
    with administrative user rights, an attacker who successfully exploited
    this vulnerability could take complete control of an affected system. An
    attacker could then install programs; view, change, or delete data; or
    create new accounts with full user rights. Users whose accounts are
    configured to have fewer user rights on the system could be less
    impacted than users who operate with administrative user rights.

    What causes the vulnerability?
    A vulnerability exists in the way that the Graphics Rendering Engine
    handles specially crafted WMF images that could allow arbitrary code to
    be executed.

    What is the Windows Metafile (WMF) image format?
    A Windows Metafile (WMF) image is a 16-bit metafile format that can
    contain both vector information and bitmap information. It is optimized
    for the Windows operating system.

    For more information about image types and formats, see Microsoft
    Knowledge Base Article 320314 or visit the MSDN Library Web site.

    What might an attacker use the vulnerability to do?
    An attacker who successfully exploited this vulnerability could take
    complete control of the affected system.

    How could an attacker exploit the vulnerability?
    An attacker could exploit this vulnerability by creating a malicious Web
    page or a specially crafted attachment in e-mail and then persuading the
    user to visit the page or open the attachment. If the user visited the
    page or opened the attachment, the attacker could cause malicious code
    to run in the security context of the locally logged on user. It could
    also be possible to display specially crafted Web content by using
    banner advertisements or by using other methods to deliver Web content
    to affected systems.

    An attacker could also attempt to exploit this vulnerability by
    embedding a specially crafted Windows Metafile (WMF) image within other
    files such as Word documents and convince a user to open this document.

    What systems are primarily at risk from the vulnerability?
    This vulnerability requires that a user is logged on and reading e-mail
    or visiting Web sites for any malicious action to occur. Therefore, any
    systems where e-mail is read or where Internet Explorer is used
    frequently, such as workstations or terminal servers, are at the most
    risk from this vulnerability. Systems that are not typically used to
    read e-mail or to visit Web sites, such as most server systems, are at a
    reduced risk.

    Does this vulnerability affect image formats other than Windows Metafile
    (WMF)?
    The only image format that is affected is the Windows Metafile (WMF)
    format. It is possible, however, that an attacker could rename the file
    name extension of a WMF file to that of a different image format. In
    this situation, it is likely that the Graphics Rendering Engine would
    detect and render the file as a WMF image, which could allow
    exploitation.

    If I block files that use the .wmf file name extension, can this protect
    me against attempts to exploit this vulnerability?
    No. The Graphics Rendering Engine does not determine file types by the
    file name extensions that they use. Therefore, if an attacker alters the
    file name extension of a WMF file, the Graphics Rendering Engine could
    still render the file in a way that could exploit the vulnerability.

    Does the workaround in this bulletin protect me from attempts to exploit
    this vulnerability through WMF images with changed extensions?
    Yes. The workaround in this bulletin helps protect against WMF images
    with changed extensions. This workaround is only effective in scenarios
    where the Windows Picture and Fax Viewer (Shimgvw.dll) would have been
    opened. This workaround is intended to help protect against Web based
    exploit vectors and is not effective against exploits that have Windows
    Metafile images embedded in Word documents and other similar attack
    vectors.

    What systems are primarily at risk from the vulnerability?
    Workstations and terminal servers are primarily at risk. Servers could
    be at more risk if users who do not have sufficient administrative
    permissions are given the ability to log on to servers and to run
    programs. However, best practices strongly discourage allowing this.

    Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition
    critically affected by this vulnerability?
    No. Although Windows Millennium Edition does contain the affected
    component, the vulnerability is not critical. For more information about
    severity ratings, visit the following Web site.

    What does the update do?
    The update removes the vulnerability by modifying the way that Windows
    Metafile (WMF) images are handled.

    Specifically, the change introduced to address this vulnerability
    removes the support for the SETABORTPROC record type from the
    META_ESCAPE record in a WMF image. This update does not remove support
    for ABORTPROC functions registered by application SetAbortProc() API
    calls.

    When this security bulletin was issued, had this vulnerability been
    publicly disclosed?
    Yes. This vulnerability has been publicly disclosed. It has been
    assigned Common Vulnerability and Exposure number CVE-2005-4560.

    When this security bulletin was issued, had Microsoft received any
    reports that this vulnerability was being exploited?
    Yes. When the security bulletin was released, Microsoft had received
    information that this vulnerability was being exploited.

    Does applying this security update help protect customers from the code
    that has been published publicly that attempts to exploit this
    vulnerability?
    Yes. This security update addresses the vulnerability that is currently
    being exploited. The vulnerability that has been addressed has been
    assigned the Common Vulnerability and Exposure number CVE-2005-4560.

    What's Microsoft's response to the availability of third party patches
    for the WMF vulnerability?
    Microsoft recommends that customers download and deploy the security
    update associated with this security bulletin.

    As a general rule, it is a best practice to obtain security updates for
    software vulnerabilities from the original vendor of the software. With
    Microsoft software, Microsoft carefully reviews and tests security
    updates to ensure that they are of high quality and have been evaluated
    thoroughly for application compatibility. In addition, Microsoft's
    security updates are offered in 23 languages for all affected versions
    of the software simultaneously.

    Microsoft cannot provide similar assurance for independent third party
    security updates.

    How does this vulnerability relate to the vulnerabilities that were
    corrected by MS05-053?
    Both vulnerabilities were in the Graphics Rendering Engine. However,
    this update addresses a new vulnerability that was not addressed as part
    of MS05-053. MS05-053 helps protect against the vulnerability that is
    discussed in that bulletin, but does not address this new vulnerability.
    This update does not replace MS05-053. You must install this update and
    the update that is provided as part of the MS05-053 security bulletin to
    help protect your system against both vulnerabilities.

    <snip>
     
    Rob J, Jan 6, 2006
    #1
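Two of the FAQ answers in the bulletin above are worth seeing in code: the update drops the SETABORTPROC escape from META_ESCAPE records, and the rendering engine recognises a WMF by its content rather than its extension (so blocking .wmf does nothing). The scanner below is an added example, not code from the bulletin, Microsoft or anyone in the thread; it walks the WMF record stream and reports META_ESCAPE/SETABORTPROC records, deciding from the bytes alone. The record and escape codes are the WMF format's; the two sample files are constructed inline.

```python
"""Content-based WMF scanner for the record type MS06-001 disables.

Added example (not from the bulletin or the thread). Record and escape
codes follow the WMF format; the sample files below are constructed here.
"""
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # key of the optional 22-byte placeable header
META_HEADER_SIZE = 18        # standard WMF header length in bytes
META_EOF = 0x0000
META_SETBKCOLOR = 0x0201     # an ordinary drawing record, used for the benign sample
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # escape function the update removes from META_ESCAPE


def looks_like_wmf(data: bytes) -> bool:
    """Sniff WMF by content (placeable key or a plausible standard header)."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return True
    if len(data) < META_HEADER_SIZE:
        return False
    mtype, header_words, version = struct.unpack_from("<HHH", data, 0)
    return mtype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def iter_records(data: bytes):
    """Yield (offset, function, params) per record; stop at EOF or damage."""
    pos = META_HEADER_SIZE
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        pos += 22  # skip the placeable header that precedes the standard one
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3:  # too small to hold its own size and function fields
            yield pos, None, b""
            return
        end = pos + size_words * 2
        yield pos, func, data[pos + 6:end]
        if func == META_EOF:
            return
        pos = end


def scan_wmf(data: bytes) -> list:
    """Return (offset, finding) pairs; an empty list means nothing to report."""
    findings = []
    if not looks_like_wmf(data):
        return findings
    for offset, func, params in iter_records(data):
        if func is None:
            findings.append((offset, "malformed record size"))
        elif func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                findings.append((offset, "META_ESCAPE/SETABORTPROC"))
    return findings


# --- constructed samples (not real files from the wild) -----------------
def make_record(func: int, params: bytes) -> bytes:
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records: list) -> bytes:
    """Wrap records in a minimal memory-metafile header and append META_EOF."""
    body = b"".join(records) + make_record(META_EOF, b"")
    max_words = max(len(r) for r in records + [make_record(META_EOF, b"")]) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300,
                         (META_HEADER_SIZE + len(body)) // 2, 0, max_words, 0)
    return header + body


BENIGN_WMF = build_wmf([make_record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF))])
# same benign content plus an escape record selecting SETABORTPROC with no data
SUSPECT_WMF = build_wmf([make_record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)),
                         make_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))])

if __name__ == "__main__":
    # the file name is irrelevant: the scanner only ever looks at the bytes
    for name, blob in (("photo.jpg", BENIGN_WMF), ("photo.jpg", SUSPECT_WMF)):
        print(name, scan_wmf(blob) or "clean")
```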

  2. Ralph Fox

    On Sat, 7 Jan 2006 00:36:19 +1300, in message
     <>, Rob J wrote:

    > Subject: Windows WMF Vulnerability Patch Released


    But not for Win9x/Me users.



    --
    Cheers,
    Ralph

    "Curiosity skilled the cat."
     
    Ralph Fox, Jan 6, 2006
    #2

  3. E. Scrooge

    "Ralph Fox" <> wrote in message
    news:...
    > On Sat, 7 Jan 2006 00:36:19 +1300, in message
    > <>, Rob J wrote:
    >
    >> Subject: Windows WMF Vulnerability Patch Released

    >
    > But not for Win9x/Me users.
    >
    >
    >
    > --
    > Cheers,
    > Ralph


    Yes, to not support those users is pretty damn irresponsible, and there's no
    excuses for it when it comes to security issues.
    As far as any other improvements for the old software goes, no problems with
    that support being ended like it has.
    No reason why XP won't last on PCs of today from year 2000 for at least 10
    years.

    The day will come when Microsoft no longer cares about XP any more than it
    does for those who still use W95 & W98 etc.

    E. Scrooge
     
    E. Scrooge, Jan 6, 2006
    #3
  4. Dave Doe

    In article <>, lid
    says...
    > On Sat, 7 Jan 2006 00:36:19 +1300, in message
    >  <>, Rob J wrote:
    >
    > > Subject: Windows WMF Vulnerability Patch Released

    >
    > But not for Win9x/Me users.


    Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition
    critically affected by one or more of the vulnerabilities that are
    addressed in this security bulletin?
    No. Although Windows 98, Windows 98 Second Edition, and Windows
    Millennium Edition do contain the affected component, the vulnerability
    is not critical because an exploitable attack vector has not been
    identified that would yield a Critical severity rating for these
    versions. For more information about severity ratings, visit the
    following Web site.


    --
    Duncan
     
    Dave Doe, Jan 6, 2006
    #4
  5. Ralph Fox

    On Sat, 7 Jan 2006 12:25:59 +1300, in message
     <>, Dave Doe wrote:

    > Although Windows 98, Windows 98 Second Edition, and Windows
    > Millennium Edition do contain the affected component, the vulnerability
    > is not critical because an exploitable attack vector has not been
    > identified that would yield a Critical severity rating for these
    > versions.


    Microsoft use a different definition of "critical" for Win9x/Me.



    --
    Cheers,
    Ralph

    "Curiosity skilled the cat."
     
    Ralph Fox, Jan 7, 2006
    #5
  6. Rob J

    In article <>, lid
    says...
    > On Sat, 7 Jan 2006 00:36:19 +1300, in message
    >  <>, Rob J wrote:
    >
    > > Subject: Windows WMF Vulnerability Patch Released

    >
    > But not for Win9x/Me users.


    That's right. You're running ancient crap OSs, out of support.
     
    Rob J, Jan 7, 2006
    #6
  7. Rob J

    In article <>, lid
    says...
    > On Sat, 7 Jan 2006 12:25:59 +1300, in message
    >  <>, Dave Doe wrote:
    >
    > > Although Windows 98, Windows 98 Second Edition, and Windows
    > > Millennium Edition do contain the affected component, the vulnerability
    > > is not critical because an exploitable attack vector has not been
    > > identified that would yield a Critical severity rating for these
    > > versions.

    >
    > Microsoft use a different definition of "critical" for Win9x/Me.


    These ancient obsolete products are in extended support phase.
     
    Rob J, Jan 7, 2006
    #7
