SUBJECT: Unpatched WMF Vulnerability in Microsoft Windows
OVERVIEW:
A new vulnerability in multiple versions of Windows has been discovered in the portion of Windows that processes a specific type of iimage file called Windows Meta File (WMF). This vulnerability is separate from the recent WMF vulnerability that was patched in Microsoft Security Bulletin MS06-001 on January 5, 2006. There is currently no patch for this vulnerability.
In order to be exploited, a user must visit a malicious web site, open an email message, or access a computer directory folder that contains a specially-crafted WMF file.
UPDATE 6/13/2006:
Microsoft has released a patch for this vulnerability for the Microsoft Windows 98 and Microsoft Windows Millennium Edition Operating Systems. Assuming that most organizations have already migrated from these older versions of Windows, we do not believe this update is urgent but are issuing it for completeness.
SYSTEMS AFFECTED:
Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Home SP2
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Enterprise Edition 64-bit SP1
Microsoft Windows Server 2003 Enterprise Edition 64-bit
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Datacenter Edition 64-bit SP1
Microsoft Windows Server 2003 Datacenter Edition 64-bit
Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows ME
Microsoft Windows 98SE
Microsoft Windows 98
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Avaya DefinityOne Media Servers
Avaya IP600 Media Servers
Avaya S3400 Message Application Server
Avaya S8100 Media Servers
RISK:
Government:
Large and medium government entities: Medium
Small government entities: High
Businesses:
Large and medium business entities: Medium
Small business entities: High
Home users: High
DESCRIPTION:
A new vulnerability in multiple versions of Windows has been discovered in the portion of Windows that processes a specific type of image file called Windows Meta File (WMF). This vulnerability is separate from the WMF vulnerability that was patched in Microsoft Security Bulletin MS06-001 on January 5, 2006. There is currently no patch for this vulnerability.
These vulnerabilities exist in the 'ExtCreateRegion' and 'ExtEscape' functions of the Microsoft Windows WMF graphics rendering engine. There are currently no public exploits for this WMF vulnerability. CSCIC is still researching whether publicly-available exploit code for the previous WMF vulnerability may provide a framework for a new exploit.
In order to be exploited, a user must visit a malicious web site, open an email message, or access a computer directory folder that contains a specially-crafted WMF file. Reports indicate that successful exploitation can lead to a Denial of Service, and CSCIC is still researching whether remote code execution may be possible.
UPDATE 6/13/2006: These vulnerabilities have been assigned CVE numbers CVE-2005-4560 and CVE-2006-2372.
RECOMMENDATIONS:
-
CSCIC recommends the following actions be taken:
Update your anti-virus software as soon as a signature for this specific vulnerability is released.
-
If possible, limit user access to trusted Web sites only.
-
Filter all incoming Windows format Meta File (WMF) content at email gateways and proxy servers if possible until patches have been released and applied to all vulnerable systems. Note that WMF images are not typically used on web sites or to send images via email therefore blocking them should have little business impact.
-
UPDATE 6/13/2006: Apply the appropriate patch to vulnerable systems as soon as possible after appropriate testing.
-
UPDATE 6/13/2006: If possible, upgrade from Windows 98 or Windows ME to a newer version of the Windows Operating System.
REFERENCES:
Microsoft:
UPDATE 6/13/2006:
http://www.microsoft.com/technet/security/bulletin/ms06-026.mspx
http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx
Security Focus:
http://www.securityfocus.com/bid/16167
SANS:
http://isc.sans.org/diary.php?storyid=1031
UPDATE 6/13/2006:
CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2372
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4560
NYS Cyber Security & Critical Infrastructure Coordination
30 South Pearl Street, Suite P2
Albany, NY 12207
(518) 474-0865
7x24 CSAC 1-866-787-4722
CSCIC PGP Public Keys are available at:
http://www.cscic.state.ny.us/security/incident_reporting/public_keys/index.htm
