Date: 29 December 2005
References: AU-2005.0023 AU-2006.0001
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
A U S C E R T A L E R T
AL-2005.0043 -- AUSCERT ALERT
[Win]
Unpatched flaw in WMF image file handling exploited in wild
30 December 2005
===========================================================================
AusCERT Alert Summary
---------------------
Operating System: Windows
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated
Revision History: December 30 2005: Impact updated: confirmed it does
not provide SYSTEM compromise
December 29 2005: Initial Release
OVERVIEW:
An unpatched vulnerability exists in Windows allowing a remote
attacker to execute arbitrary code if a user opens a specially crafted
WMF image file or visits a web site containing such an image.
Exploit code is publicly available for this vulnerability and it is
being actively exploited in the wild.
IMPACT:
A user opening a WMF image file in an application such as Internet
Explorer, Mozilla Firefox or another process that processes WMF files
may cause execution of arbitrary code.
MITIGATION:
A patch from Microsoft to correct this vulnerability is currently
unavailable. This vulnerability reportedly exists on a fully patched
Windows XP system with Service Pack 2 installed.
Reported mitigations include:
- not opening WMF files from untrusted sources.
- not browsing to untrusted web sites.
- disabling Windows Picture and Fax Viewer. Please note that this will
only block some known attack vectors, and is reported to not correct
the underlying vulnerability [3].
- blocking WMF files at the perimeter. However, it has also been
reported [2] that Windows will recognise and process WMF files with
non-standard file extensions, so this mitigation may not be entirely
effective.
- blocking sites known to be exploiting this vulnerability at the
perimeter. F-Secure [1] lists the following known sites:
:
- Crackz .ws
- unionseek .com
- tfcco .com
- iframeurl .biz
- beehappyy .biz
It is highly likely that this list will expand to include other
malicious sites, so should not be relied upon as a complete
mitigation.
Please note that AusCERT has not verifed if these mitigations are
effective or have other adverse affects on systems.
As more information about this activity and further mitigations
becomes available, AusCERT will release further updates.
REFERENCES:
[1] http://www.f-secure.com/weblog/#00000752
[2] http://isc.sans.org/diary.php?storyid=975
[3] http://www.ciac.org/ciac/bulletins/q-085.shtml
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBQ7TK3Sh9+71yA2DNAQKKiQP/b/4qVlkfDsGFTgAmiGrWw0vr6ppEKta4
Z+H4AKV0vvsg/jucU6d/bEdZp86BZz6pkZOLOGBUStptwQH25hsT9H219E8b9HTd
zftBsp0g5jcQa+16uAOAoz2ZxH9PJS9uDZaikMb0im+6S51uyv6JPh2pPe11gLsU
Rw1NajtYCpI=
=kIX2
-----END PGP SIGNATURE-----
|