
ITS Alert
Windows Image Rendering Exploit Affects All XP and 2003 Systems: Allows Remote Code Execution



ALARM Group ALERT (ALARM: The Computing Alert System)
Alert Number:  122905-01
Alert Date:  12/29/05
Alert Title:  Windows Image Rendering Exploit Affects All XP and 2003 Systems: Allows Remote Code Execution
OS/Platform/Application:  All Windows XP and 2003 Systems
Category:  ALERT
Severity:  HIGH
Attention:  System Administrators, Desktop Support Personnel

Summary:  A flaw in the way Windows renders images allows a maliciously crafted Windows Meta File (WMF) to compromise a system.  The file extension offers no protection: Windows identifies a WMF by its contents, so a malicious WMF renamed with another image extension (.jpg, .gif, .png and others) still triggers the flaw.

Exploitation is trivial. Merely previewing images via the thumbnail option will trigger the exploit. If you are running any kind of file indexing software such as Google Desktop, you are immediately vulnerable: as soon as the malicious file is written to your hard drive and is indexed by the software, the exploit triggers, with no user action required.

Microsoft has issued a workaround, described in Security Advisory 912840: unregister the Windows Picture and Fax Viewer library (shimgvw.dll) with regsvr32 until a patch is released, and re-register it once the patch has been applied. Note that this reduces the attack surface but does not remove the underlying flaw in the rendering engine.

Currently, ITS has put DNS blocks in place to prevent viewing of websites that are distributing maliciously crafted WMFs.
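The summary above (and the CSCIC recommendation further down to filter WMF content at e-mail gateways and proxies) rests on one technical point: the extension cannot be trusted, because Windows recognizes a WMF by its header and renders a renamed file as WMF anyway. The following Python is an added example written for this page, not code from ITS, CSCIC or Microsoft. It identifies WMF files by content rather than by name, walks the record stream, and flags a META_ESCAPE record requesting SETABORTPROC, the escape that the publicly analysed exploit relied on (that detail comes from the public analysis of the bug, not from this advisory). The sample files are constructed inline and are not captured from any real site; all function and constant names are the example's own.

```python
import struct

# WMF format constants (public WMF specification).
PLACEABLE_KEY = 0x9AC6CDD7     # little-endian key opening a "placeable" WMF
PLACEABLE_HEADER_LEN = 22
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009          # escape sub-function abused by the December 2005 exploit


def is_wmf(data: bytes) -> bool:
    """Decide from the bytes alone whether this is a WMF; the filename is ignored."""
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == PLACEABLE_KEY:
        return True
    if len(data) >= 18:
        file_type, header_words, version = struct.unpack("<HHH", data[:6])
        # Standard header: type 1 (memory) or 2 (disk), 9-word header, version 0x100/0x300.
        return file_type in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)
    return False


def wmf_records(data: bytes):
    """Yield (function, params) for each record; stop at EOF or on a malformed size."""
    off = PLACEABLE_HEADER_LEN if struct.unpack("<I", data[:4])[0] == PLACEABLE_KEY else 0
    header_words = struct.unpack("<H", data[off + 2:off + 4])[0]
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack("<IH", data[off:off + 6])
        if size_words < 3:            # size (2 words) + function (1 word) is the minimum
            break
        end = off + size_words * 2
        yield func, data[off + 6:end]
        if func == META_EOF:
            break
        off = end


def setabortproc_records(data: bytes) -> list:
    """Indexes of META_ESCAPE records whose escape function is SETABORTPROC."""
    hits = []
    for idx, (func, params) in enumerate(wmf_records(data)):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack("<H", params[:2])[0] == SETABORTPROC:
                hits.append(idx)
    return hits


def scan(filename: str, data: bytes) -> str:
    """Gateway-style verdict. The filename is accepted only to show it plays no part."""
    if not is_wmf(data):
        return "pass"
    if setabortproc_records(data):
        return "block-setabortproc"
    return "block-wmf"   # the advisory recommends filtering all WMF content until patched


# --- constructed sample files (hypothetical, built here for the example) ---
def _record(func: int, params: bytes = b"") -> bytes:
    if len(params) % 2:
        params += b"\x00"             # records are word-aligned
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(*records: bytes) -> bytes:
    body = b"".join(records)
    max_words = max(len(r) for r in records) // 2
    # Type, HeaderSize, Version, FileSize (words), NumberOfObjects, MaxRecord, Reserved
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


def _placeable(wmf: bytes) -> bytes:
    # Key, handle, bounding box (4 words), inch, reserved; checksum = XOR of the 10 words before it
    hdr = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for i in range(0, 20, 2):
        checksum ^= struct.unpack("<H", hdr[i:i + 2])[0]
    return hdr + struct.pack("<H", checksum) + wmf


BENIGN_WMF = _wmf(_record(META_SETMAPMODE, struct.pack("<H", 8)), _record(META_EOF))
HOSTILE_WMF = _wmf(
    _record(META_SETMAPMODE, struct.pack("<H", 8)),
    # escape function SETABORTPROC, byte count 4, then four filler bytes (no payload)
    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4),
    _record(META_EOF),
)
JPEG_STUB = b"\xff\xd8\xff\xe0" + b"\x00" * 20   # JPEG SOI marker; not a WMF

if __name__ == "__main__":
    for name, blob in (("clipart.wmf", BENIGN_WMF), ("photo.jpg", HOSTILE_WMF),
                       ("logo.gif", _placeable(HOSTILE_WMF)), ("photo.jpg", JPEG_STUB)):
        print(f"{name}: {scan(name, blob)}")
```

The verdict for the renamed file is the same as for the .wmf file because the decision never looks at the name; a gateway rule that matches only on extension would let both hostile samples through. Blocking every WMF, as the advisory suggests, is the conservative choice while no patch exists; the SETABORTPROC check is the narrower signature for the specific exploit in circulation.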


Please see the CSCIC Advisory below for more details.

NEW YORK STATE OFFICE OF CYBER SECURITY AND CRITICAL INFRASTRUCTURE COORDINATION CYBER ADVISORY

CSCIC ADVISORY NUMBER:
2005-022 UPDATED

DATE ISSUED:
12/28/2005

12/29/2005 UPDATED

SUBJECT:  Public Exploitation of Unpatched WMF Vulnerability in Microsoft Windows

OVERVIEW:  An exploit has been made public for a newly discovered vulnerability in Windows XP Service Pack 2 and Windows 2003 Web Server Edition Service Pack 1 that affects even fully patched systems. The vulnerability is in the portion of Windows that processes a specific type of image file called Windows Meta File (WMF). WMF images are commonly used for Microsoft Office clipart and other pictures. Once a system is infected, various malicious programs will be downloaded and installed onto it.  These malicious programs may include keystroke loggers and Trojans.

Currently, a user must visit a specific malicious web site to be exploited; however, the potential exists for other malicious web sites or malicious emails to take advantage of the vulnerability. Due to the concern that this vulnerability may be exploited via potential malicious sources such as emails, instant messaging file transfers, and other websites, this risk is rated medium to high.

DECEMBER 29 UPDATED INFORMATION:

F-Secure has enumerated a list of domains currently exploiting this vulnerability. In addition, the domain specified in the original advisory, unionseek.com, has been taken offline. Please note, this vulnerability can be triggered in Microsoft Internet Explorer by a malicious Windows Meta File that has been renamed with other file extensions, not just .wmf.  These extensions include, but are not limited to, .emf, .jpg, .jpeg, .gif, .tif, .tiff, .png, .bmp, and .rle.
Microsoft has issued a security advisory (912840) that provides additional details in regards to this vulnerability.

SYSTEMS AFFECTED:

Windows XP Service Pack 1 and 2
Windows 2003 Web Server Edition Service Pack 1

DECEMBER 29 UPDATED SYSTEMS AFFECTED:

Windows 2000 SP4
Windows XP Professional x64
Windows Server 2003
Windows Server 2003 SP1
Windows Server 2003 Itanium
Windows Server 2003 Itanium SP1
Windows Server 2003 x64
Windows 98, 98 Second Edition (SE), Millennium Edition (ME)

RISK:
Government: 
Large and medium government entities: Medium
Small government entities: High

Businesses:
Large and medium business entities: Medium
Small business entities: High
Home users: High

DESCRIPTION:  A publicly available web page at unionseek.com contains a malicious Windows Meta File (WMF) image within an iframe.  Upon navigating to this URL and opening this file, a vulnerable system will download and execute a Windows PE file.  This PE file will execute with SYSTEM-level privileges, then download and install various malicious programs onto the infected system.  These malicious programs may include keystroke loggers and IRC-based remote-administration tools.

The following information is provided from the Symantec DeepSight Threat Management System:

The existence of this vulnerability has not yet been corroborated by another party, or by the affected vendor (Microsoft). However, the DeepSight Threat Analyst Team has verified that this exploit functions as designed on a fully patched Windows XP Service Pack 2 machine, as well as a Windows 2003 Web Server Edition Service Pack 1 machine.

Although the only known exploit at this time requires the user to visit the malicious web site above, other malicious sites may start employing this exploit.  In addition, other potential attack vectors include sending a malicious WMF image in an email or embedding a WMF image in a Microsoft Office document.

DECEMBER 29 UPDATED DESCRIPTION:

Although the domain unionseek.com is currently offline, F-Secure has identified additional malicious sites exploiting this vulnerability. The potential exists for additional public web sites to exploit this vulnerability.  Microsoft has corroborated the existence of this vulnerability and has enumerated the affected systems in the Microsoft Security Advisory (912840).

RECOMMENDATIONS:

CSCIC recommends the following actions be taken:

Block access to the unionseek.com domain for the short term until this malicious site is removed.

Update your anti-virus software as soon as a signature for this specific exploit is released. Symantec, McAfee and F-Secure have all released new signatures within the last 12 hours to detect the Trojans installed by this exploit.

If possible, limit user access to trusted Web sites only.

Filter all incoming Windows Meta File (WMF) content at email gateways and proxy servers if possible until patches have been released and applied to all vulnerable systems. Note that WMF images are not typically used on web sites or to send images via email; therefore, blocking them should have little business impact.


DECEMBER 29 UPDATED RECOMMENDATIONS:
The domain unionseek.com is no longer available. F-Secure (http://www.f-secure.com/weblog/) has provided a list of malicious web sites that you may consider blocking for the short term. Please keep in mind that the potential exists for additional public domains to contain this exploit.

REFERENCES:
Security Focus:
http://www.securityfocus.com/bid/16074

SANS:
http://isc.sans.org/diary.php

Secunia:
http://secunia.com/advisories/18255/

FrSIRT:
http://www.frsirt.com/english/advisories/2005/3086

F-Secure:
http://www.f-secure.com/weblog/

McAfee:
http://vil.mcafeesecurity.com/vil/content/v_137760.htm

Symantec:
http://www.symantec.com/avcenter/venc/data/bloodhound.exploit.56.html

DECEMBER 29 UPDATED REFERENCES:

Microsoft:
http://www.microsoft.com/technet/security/advisory/912840.mspx

US-CERT:
http://www.us-cert.gov/current/current_activity.html#0dayWMF

WEBSENSE Security Labs:
http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=385

CIAC:
http://www.ciac.org/ciac/bulletins/q-085.shtml

NYS Cyber Security & Critical Infrastructure Coordination
30 South Pearl Street, Suite P2
Albany, NY 12207

(518) 474-0865

7x24 CSAC 1-866-787-4722

CSCIC PGP Public Keys are available at:
http://www.cscic.state.ny.us/security/incident_reporting/public_keys/index.htm


Information Technology Services
University at Albany, SUNY
1400 Washington Avenue
Albany, NY 12222
ITS Service Centers:  518-442-4000