-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Microsoft Windows Metafile Handling Buffer Overflow

   Original release date: December 28, 2005
   Last revised: --
   Source: US-CERT

Systems Affected

     * Systems running Microsoft Windows

Overview

   Microsoft Windows is vulnerable to remote code execution via an error
   in handling files using the Windows Metafile image format. Exploit
   code has been publicly posted and used to successfully attack
   fully-patched Windows XP SP2 systems. However, other versions of the
   the Windows operating system may be at risk as well.

I. Description

   Microsoft Windows Metafiles are image files that can contain both
   vector and bitmap-based picture information. Microsoft Windows
   contains routines for displaying various Windows Metafile formats.
   However, a lack of input validation in one of these routines may allow
   a buffer overflow to occur, and in turn may allow remote arbitrary
   code execution.

   This new vulnerability may be similar to one Microsoft released
   patches for in Microsoft Security Bulletin MS05-053. However, publicly
   available exploit code is known to affect systems updated with the
   MS05-053 patches.

   Not all anti-virus software products are currently able to detect all
   known variants of exploits for this vulnerability. However, US-CERT
   recommends updating anti-virus signatures as frequently as practical
   to provide maximum protection as new variants appear.

   US-CERT is tracking this issue as VU#181038. This reference number
   corresponds to CVE entry CVE-2005-4560.

II. Impact

   A remote, unauthenticated attacker may be able to execute arbitrary
   code if the user is persuaded to view a specially crafted Windows
   Metafile.

III. Solution

   Since there is no known patch for this issue at this time, US-CERT is
   recommending sites follow several potential workarounds.

Workarounds

   Please be aware US-CERT has confirmed that filtering based just on the
   WMF file extension or MIME type "application/x-msmetafile" will not
   block all known attack vectors for this vulnerability. Filter
   mechanisms should be looking for any file that Microsoft Windows
   recognizes as a Windows Metafile by virtue of its file header.

Do not access Windows Metafiles from untrusted sources

   Exploitation occurs by accessing a specially crafted Windows Metafile.
   By only accessing Windows Metafiles from trusted or known sources, the
   chances of exploitation are reduced.

   Attackers may host malicious Windows Metafiles on a web site. In order
   to convince users to visit their sites, those attackers often use URL
   encoding, IP address variations, long URLs, intentional misspellings,
   and other techniques to create misleading links. Do not click on
   unsolicited links received in email, instant messages, web forums, or
   internet relay chat (IRC) channels. Type URLs directly into the
   browser to avoid these misleading links. While these are generally
   good security practices, following these behaviors will not prevent
   exploitation of this vulnerability in all cases, particularly if a
   trusted site has been compromised or allows cross-site scripting.

Block access to Windows Metafiles at network perimeters

   By blocking access to Windows Metafiles using HTTP proxies, mail
   gateways, and other network filter technologies, system administrators
   may also limit other potential attack vectors.

Reset the program association for Windows Metafiles

   Remapping handling of Windows Metafiles to open a program other than
   the default Windows Picture and Fax Viewer (SHIMGVW.DLL) may prevent
   exploitation via some current attack vectors. However, this may still
   allow the underlying vulnerability to be exploited via other known
   attack vectors.
   _________________________________________________________________


   This document is also available at

   <http://www.us-cert.gov/cas/techalerts/TA05-362A.html>

   Updates will be made at

   <http://www.kb.cert.org/vuls/id/181038>

   Feedback can be directed to

   <mailto:cert@cert.org?subject=TA05-362A%20Feedback%20VU%23181038>
   _________________________________________________________________

   Produced 2005 by US-CERT, a government organization.

   Terms of use

   <http://www.us-cert.gov/legal.html>

   Revision History

   December 28, 2005: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBQ7M8HX0pj593lg50AQJZLAf8DSIBug0PJwRekEIVO98pEJOQByA6oU63
orYhC7cPDlrFEmIXG5Nx+2sDedb83cUmuGbNTFYKd2FqEzdGty7EsMGIKW6NGyIJ
O0qrS+wOm3T6/9XZ0fwuI0cHJjrlDoF3LlTnfsL4SpEEQRFlDsS/Bd9lxuUHDoU6
0PKOiy2j+XjhpyKlNGA5d7a7Qo+HkKYkO4xMm5NPO5kKYKHW81REcs8mqnMbN0JC
JAoFLSWsCrSVqx8arE2ofwZCtOkCb5iQFlkKsc6EUFzUtYzBS8jaAncYEb1KJatl
w3ACj4+Rr/OsbY1Sqle+P6XKPfIVwjx7s/MgvQR20OVtCbIE92N9nw==
=hAPk
-----END PGP SIGNATURE-----