AusCERT - AL-2005.0043 -- [Win] -- Unpatched flaw in WMF image file handling exploited in wild

HOME
About AusCERT
Membership
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
AL-2005.0043 -- [Win] -- Unpatched flaw in WMF image file handling exploited in wild
Date: 29 December 2005
References: AU-2005.0023 AU-2006.0001

Click here for printable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                       AL-2005.0043 -- AUSCERT ALERT
                                   [Win]
        Unpatched flaw in WMF image file handling exploited in wild
                             30 December 2005

===========================================================================

        AusCERT Alert Summary
        ---------------------

Operating System:  Windows
Impact:            Execute Arbitrary Code/Commands
Access:            Remote/Unauthenticated

Revision History:  December 30 2005: Impact updated: confirmed it does 
                                     not provide SYSTEM compromise
                   December 29 2005: Initial Release

OVERVIEW:

	An unpatched vulnerability exists in Windows allowing a remote 
	attacker to execute arbitrary code if a user opens a specially crafted
	WMF image file or visits a web site containing such an image.

	Exploit code is publicly available for this vulnerability and it is 
	being actively exploited in the wild.

IMPACT:

	A user opening a WMF image file in an application such as Internet
	Explorer, Mozilla Firefox or another process that processes WMF files
	may cause execution of arbitrary code.

MITIGATION:

	A patch from Microsoft to correct this vulnerability is currently 
	unavailable.  This vulnerability reportedly exists on a fully patched
	Windows XP system with Service Pack 2 installed.

	Reported mitigations include:

	- not opening WMF files from untrusted sources.
	- not browsing to untrusted web sites.
	- disabling Windows Picture and Fax Viewer.  Please note that this will
	  only block some known attack vectors, and is reported to not correct
	  the underlying vulnerability [3].
	- blocking WMF files at the perimeter.  However, it has also been
	  reported [2] that Windows will recognise and process WMF files with 
	  non-standard file extensions, so this mitigation may not be entirely
	  effective.
	- blocking sites known to be exploiting this vulnerability at the
	  perimeter.  F-Secure [1] lists the following known sites:
:
	  - Crackz .ws
	  - unionseek .com
	  - tfcco .com
	  - iframeurl .biz
	  - beehappyy .biz

          It is highly likely that this list will expand to include other 
	  malicious sites, so should not be relied upon as a complete 
	  mitigation.

	Please note that AusCERT has not verifed if these mitigations are
	effective or have other adverse affects on systems.

	As more information about this activity and further mitigations 
	becomes available, AusCERT will release further updates.

REFERENCES:

	[1] http://www.f-secure.com/weblog/#00000752
	[2] http://isc.sans.org/diary.php?storyid=975
	[3] http://www.ciac.org/ciac/bulletins/q-085.shtml

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQ7TK3Sh9+71yA2DNAQKKiQP/b/4qVlkfDsGFTgAmiGrWw0vr6ppEKta4
Z+H4AKV0vvsg/jucU6d/bEdZp86BZz6pkZOLOGBUStptwQH25hsT9H219E8b9HTd
zftBsp0g5jcQa+16uAOAoz2ZxH9PJS9uDZaikMb0im+6S51uyv6JPh2pPe11gLsU
Rw1NajtYCpI=
=kIX2
-----END PGP SIGNATURE-----