|
Brought to you by:
Suppliers of:
|
|
|
| |
| A remote code execution and denial of service vulnerabilities exists in the rendering of Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats that could allow remote code execution or on an affected system. Any program that renders WMF or EMF images on the affected systems could be vulnerable to this attack. An attacker who successfully exploited this vulnerability could take complete control of an affected system. |
| |
Credit:
The original article can be found at: http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx
|
| |
Affected Software:
* Microsoft Windows 2000 Service Pack 4 - Update
* Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 - Update
* Microsoft Windows XP Professional x64 Edition - Update
* Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 - Update
* Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems - Update
* Microsoft Windows Server 2003 x64 Edition - Update
Non-Affected Software:
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
Graphics Rendering Engine - CAN-2005-2123:
A remote code execution vulnerability exists in the rendering of Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats that could allow remote code execution on an affected system. Any program that renders WMF or EMF images on the affected systems could be vulnerable to this attack. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Mitigating Factors for Graphics Rendering Engine - CAN-2005-2123:
The vulnerability could be exploited by an attacker who persuaded a user to open a specially crafted file or to view a folder that contains the specially crafted image. There is no way for an attacker to force a user to open a malicious file, except potentially through previewing an email message.
In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.
Workarounds for Graphics Rendering Engine - CAN-2005-2123:
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
* Read e-mail messages in plain text format if you are using Outlook 2002 or a later version, to help protect yourself from the HTML e-mail attack vector.
Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or a later version and Microsoft Outlook Express 6 users who have applied Internet Explorer 6 Service Pack 1 or a later version can enable this setting and view e-mail messages that are not digitally signed or e-mail messages that are not encrypted in plain text only.
Digitally signed e-mail messages or encrypted e-mail messages are not affected by the setting and may be read in their original formats. For more information about how to enable this setting in Outlook 2002, see Microsoft Knowledge Base Article 307594.
Impact of Workaround:
E-mail messages that are viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content. Additionally:
* The changes are applied to the preview pane and to open messages.
* Pictures become attachments so that they are not lost.
* Because the message is still in Rich Text or HTML format in the store, the object model (custom code solutions) may behave unexpectedly.
FAQ for Graphics Rendering Engine - CAN-2005-2123:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. This vulnerability could also be used to attempt to perform a local elevation of privilege or a remote denial of service.
What causes the vulnerability?
An unchecked buffer in the rendering of Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats.
What are Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats?
A WMF image is a 16-bit metafile format that can contain both vector information and bitmap information. It is optimized for the Windows operating system.
An EMF image is a 32-bit format that can contain both vector information and bitmap information. This format is an improvement over the Windows Metafile Format and contains extended features.
For more information about image types and formats, see Microsoft Knowledge Base Article 320314. Additional information about these file formats is also available at the MSDN Library Web Site.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.
How could an attacker exploit this vulnerability?
Any program that renders the affected image types could be vulnerable to this attack. Here are some examples of how an attacker could attempt to exploit this vulnerability:
* An attacker could host a malicious Web site that is designed to exploit this vulnerability through Internet Explorer and then persuade a user to view the Web site.
* An attacker could create an HTML e-mail message that has a specially crafted image attached. The specially crafted image could be designed to exploit this vulnerability through Microsoft Outlook or through Outlook Express 6. An attacker could persuade the user to view the HTML e-mail message.
* An attacker could embed a specially crafted image in an Office document and then persuade the user to view the document.
* An attacker could add a specially crafted image to the local file system or onto a network share and then persuade the user to preview the folder.
* If an attacker is able to log on locally, they could then run a specially-designed program that could exploit the vulnerability, and thereby gain complete control over the affected system.
An attacker could also access the affected component through another vector. For example, an attacker could log on to the system interactively or by using another program that passes parameters to the vulnerable component (locally or remotely). To locally exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially-designed application that could exploit the vulnerability, and thereby gain complete control over the affected system.
What systems are primarily at risk from the vulnerability?
The vulnerability could be exploited on the affected systems by an attacker who persuaded a user to open a specially crafted file or to view a folder that contains the specially crafted image. There is no way for an attacker to force a user to open a specially crafted file, except potentially through previewing an email message. Workstations and terminal servers are primarily at risk. Servers could be at more risk if users who do not have sufficient administrative permissions are given the ability to log on to servers and run programs or browse the Internet. However, best practices strongly discourage allowing this.
Could the vulnerability be exploited over the Internet?
Yes. An attacker could try to exploit this vulnerability through malicious Web sites or through email over the Internet.
What does the update do?
The update removes the vulnerability by modifying the way that the Graphics Rendering Engine processes Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.
Windows Metafile Vulnerability - CAN-2005-2124:
A remote code execution vulnerability exists in the rendering of Windows Metafile (WMF) image format that could allow remote code execution on an affected system. Any program that renders WMF images on the affected systems could be vulnerable to this attack. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Mitigating Factors for Windows Metafile Vulnerability - CAN-2005-2124:
* The vulnerability could be exploited by an attacker who persuaded a user to open a specially crafted file or to view a folder that contains the specially crafted image. There is no way for an attacker to force a user to open a malicious file, except potentially through previewing an email message.
* In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.
Workarounds for Windows Metafile Vulnerability - CAN-2005-2124:
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
* Read e-mail messages in plain text format if you are using Outlook 2002 or a later version, to help protect yourself from the HTML e-mail attack vector.
Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or a later version and Microsoft Outlook Express 6 users who have applied Internet Explorer 6 Service Pack 1 or a later version can enable this setting and view e-mail messages that are not digitally signed or e-mail messages that are not encrypted in plain text only.
Digitally signed e-mail messages or encrypted e-mail messages are not affected by the setting and may be read in their original formats. For more information about how to enable this setting in Outlook 2002, see Microsoft Knowledge Base Article 307594.
Impact of Workaround:
E-mail messages that are viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content. Additionally:
* The changes are applied to the preview pane and to open messages.
* Pictures become attachments so that they are not lost.
* Because the message is still in Rich Text or HTML format in the store, the object model (custom code solutions) may behave unexpectedly.
FAQ for Windows Metafile Vulnerability - CAN-2005-2124:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. This vulnerability could also be used to attempt to perform a local elevation of privilege or a remote denial of service.
What causes the vulnerability?
An unchecked buffer in the rendering of Windows Metafile (WMF) image formats.
What are Windows Metafile (WMF) image formats?
A WMF image is a 16-bit metafile format that can contain both vector information and bitmap information. It is optimized for the Windows operating system.
For more information about image types and formats, see Microsoft Knowledge Base Article 320314. Additional information about these file formats is also available at the MSDN Library Web Site.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.
How could an attacker exploit this vulnerability?
Any program that renders the affected image types could be vulnerable to this attack. Here are some examples of how an attacker could attempt to exploit this vulnerability:
* An attacker could host a malicious Web site that is designed to exploit this vulnerability through Internet Explorer and then persuade a user to view the Web site.
* An attacker could create an HTML e-mail message that has a specially crafted image attached. The specially crafted image could be designed to exploit this vulnerability through Microsoft Outlook or through Outlook Express 6. An attacker could persuade the user to view the HTML e-mail message.
* An attacker could embed a specially crafted image in an Office document and then persuade the user to view the document.
* An attacker could add a specially crafted image to the local file system or onto a network share and then persuade the user to preview the folder.
* An attacker could locally log on to the system. An attacker could then run a specially-designed program that could exploit the vulnerability, and thereby gain complete control over the affected system.
* An attacker could also access the affected component through another vector. For example, an attacker could log on to the system interactively or by using another program that passes parameters to the vulnerable component (locally or remotely). To locally exploit this vulnerability, an attacker would first have to log on to the system.
* An attacker could then run a specially-designed application that could exploit the vulnerability, and thereby gain complete control over the affected system.
What systems are primarily at risk from the vulnerability?
The vulnerability could be exploited on the affected systems by an attacker who persuaded a user to open a specially crafted file or to view a folder that contains the specially crafted image. There is no way for an attacker to force a user to open a specially crafted file, except potentially through previewing an email message. Workstations and terminal servers are primarily at risk. Servers could be at more risk if users who do not have sufficient administrative permissions are given the ability to log on to servers and run programs or browse the Internet. However, best practices strongly discourage allowing this.
Could the vulnerability be exploited over the Internet?
Yes. An attacker could try to exploit this vulnerability through malicious Web sites or through email over the Internet.
What does the update do?
The update removes the vulnerability by modifying the way that the affected operating system versions validate the length of a message before it passes the message to the allocated buffer.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.
Enhanced Metafile Vulnerability - CAN-2005-0803:
A denial of service vulnerability exists in the rendering of Enhanced Metafile (EMF) image format that could allow any program that renders EMF images to be vulnerable to attack. An attacker who successfully exploited this vulnerability could cause the affected programs to stop responding.
Mitigating Factors for Enhanced Metafile Vulnerability - CAN-2005-0803:
* The vulnerability could be exploited by an attacker who persuaded a user to open a specially crafted file or to view a folder that contains the specially crafted image. There is no way for an attacker to force a user to open a malicious file, except potentially through previewing an email message.
* In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.
Workarounds for Enhanced Metafile Vulnerability - CAN-2005-0803:
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
* Read e-mail messages in plain text format if you are using Outlook 2002 or a later version, to help protect yourself from the HTML e-mail attack vector.
Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or a later version and Microsoft Outlook Express 6 users who have applied Internet Explorer 6 Service Pack 1 or a later version can enable this setting and view e-mail messages that are not digitally signed or e-mail messages that are not encrypted in plain text only.
Digitally signed e-mail messages or encrypted e-mail messages are not affected by the setting and may be read in their original formats. For more information about how to enable this setting in Outlook 2002, see Microsoft Knowledge Base Article 307594.
Impact of Workaround:
E-mail messages that are viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content. Additionally:
* The changes are applied to the preview pane and to open messages.
* Pictures become attachments so that they are not lost.
* Because the message is still in Rich Text or HTML format in the store, the object model (custom code solutions) may behave unexpectedly.
FAQ for Enhanced Metafile Vulnerability - CAN-2005-0803:
What is the scope of the vulnerability?
This is a denial of service vulnerability. An attacker who exploited this vulnerability could cause the affected program to stop responding. The program could be restarted in order to return to normal operation. Note that the denial of service vulnerability would not allow attackers to execute code or elevate their privileges, but it could cause the affected program to stop responding.
What causes the vulnerability?
An unchecked buffer in the rendering of Enhanced Metafile (EMF) image formats.
What are Enhanced Metafile (EMF) image formats?
An EMF image is a 32-bit format that can contain both vector information and bitmap information. This format is an improvement over the Windows Metafile Format and contains extended features.
For more information about image types and formats, see Microsoft Knowledge Base Article 320314. Additional information about these file formats is also available at the MSDN Library Web Site.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could cause a program to stop responding.
How could an attacker exploit this vulnerability?
Any program that renders the affected image types could be vulnerable to this attack. Here are some examples of how an attacker could attempt to exploit this vulnerability:
* An attacker could host a malicious Web site that is designed to exploit this vulnerability through Internet Explorer and then persuade a user to view the Web site.
* An attacker could create an HTML e-mail message that has a specially crafted image attached. The specially crafted image could be designed to exploit this vulnerability through Microsoft Outlook or through Outlook Express 6. An attacker could persuade the user to view the HTML e-mail message.
* An attacker could embed a specially crafted image in an Office document and then persuade the user to view the document.
* An attacker could add a specially crafted image to the local file system or onto a network share and then persuade the user to preview the folder.
* An attacker could locally log on to the system. An attacker could then run a specially-designed program that could exploit the vulnerability.
* An attacker could also access the affected component through another vector. For example, an attacker could log on to the system interactively or by using another program that passes parameters to the vulnerable component (locally or remotely). To locally exploit this vulnerability, an attacker would first have to log on to the system.
What systems are primarily at risk from the vulnerability?
The vulnerability could be exploited on the affected systems by an attacker who persuaded a user to open a specially crafted file or to view a folder that contains the specially crafted image. There is no way for an attacker to force a user to open a specially crafted file, except potentially through previewing an email message. Workstations and terminal servers are primarily at risk. Servers could be at more risk if users who do not have sufficient administrative permissions are given the ability to log on to servers and run programs or browse the Internet. However, best practices strongly discourage allowing this.
Could the vulnerability be exploited over the Internet?
Yes. An attacker could try to exploit this vulnerability through malicious Web sites or through email over the Internet.
What does the update do?
The update removes the vulnerability by modifying the way that the affected operating system versions validate the length of a message before it passes the message to the allocated buffer.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CAN-2005-0803.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had seen examples of proof of concept code published publicly but had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.
Does applying this security update help protect customers from the code that has been published publicly that attempts to exploit this vulnerability?
Yes. This security update addresses the vulnerability that is currently being exploited. The vulnerability that has been addressed has been assigned the Common Vulnerability and Exposure number CAN-2005-0803.
Vulnerabilities reported by:
* eEye Digital Security reported the Metafile Vulnerability (CAN-2005-2123).
* Venustech AdDLab, eEye Digital Security and Peter Ferrie of Symantec Security Response reported the Windows Metafile Vulnerability (CAN-2005-2124).
|
|
|
|
|
