TITLE:
Microsoft Windows WMF/EMF File Rendering Arbitrary Code Execution

SECUNIA ADVISORY ID:
SA17498

VERIFY ADVISORY:
http://secunia.com/advisories/17498/

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
>From remote

OPERATING SYSTEM:
Microsoft Windows 2000 Advanced Server
http://secunia.com/product/21/
Microsoft Windows 2000 Datacenter Server
http://secunia.com/product/1177/
Microsoft Windows 2000 Professional
http://secunia.com/product/1/
Microsoft Windows 2000 Server
http://secunia.com/product/20/
Microsoft Windows Server 2003 Datacenter Edition
http://secunia.com/product/1175/
Microsoft Windows Server 2003 Enterprise Edition
http://secunia.com/product/1174/
Microsoft Windows Server 2003 Standard Edition
http://secunia.com/product/1173/
Microsoft Windows Server 2003 Web Edition
http://secunia.com/product/1176/
Microsoft Windows XP Home Edition
http://secunia.com/product/16/
Microsoft Windows XP Professional
http://secunia.com/product/22/

DESCRIPTION:
Two vulnerabilities have been reported in Microsoft Windows, which
can be exploited by malicious people to compromise a vulnerable
system.

1) A boundary error exists in the Graphics Rendering Engine when
rendering certain malformed Windows Metafile (WMF) and Enhanced
Metafile (EMF) image files. This can be exploited to execute
arbitrary code on a user's system via a specially crafted WMF/EMF
file.

2) A boundary error exists in the rendering of certain malformed
Windows Metafile (WMF) image files. This can be exploited to execute
arbitrary code on a user's system via a specially crafted WMF file.

Vulnerability #1 and #2 reportedly affects any program that renders
the affected image types and can be exploited by e.g. tricking the
user to open a malicious WMF/EMF file, or to view a folder that
contains the image. The vulnerabilities are also reportedly
exploitable by embedding the image in an Office document, or by
convincing the user to view an HTML email in Outlook containing an
image attachment, or via a malicious web site.

SOLUTION:
Apply patches.

Microsoft Windows 2000 (requires SP 4):
http://www.microsoft.com/downloads/details.aspx?FamilyId=F361FCCB-B273-47E7-BB15-BC9C27073446

Microsoft Windows XP (requires SP 1 or SP 2):
http://www.microsoft.com/downloads/details.aspx?FamilyId=E38372B2-3BF6-4393-B9A4-F34248C8073E

Microsoft Windows XP Professional x64 Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=086C6878-916C-4A4F-8CA8-A4C0E304FDA4

Microsoft Windows Server 2003 (with or without SP 1):
http://www.microsoft.com/downloads/details.aspx?FamilyId=CEE3DD3B-3C20-47A9-8BBD-1EA2FBB4AF96

Microsoft Windows Server 2003 (Itanium) (with or without SP 1):
http://www.microsoft.com/downloads/details.aspx?FamilyId=CCFF22BB-ADC4-4974-813C-7721BDB842C0

Microsoft Windows Server 2003 x64 Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=F1ADB6E4-0A08-496C-B94C-A1B37178914A

PROVIDED AND/OR DISCOVERED BY:
1) eEye Digital Security.
2) Venustech AdDLab, eEye Digital Security, and Peter Ferrie of
Symantec Security Response.

ORIGINAL ADVISORY:
MS05-053 (KB896424):
http://www.microsoft.com/technet/security/Bulletin/MS05-053.mspx

OTHER REFERENCES:
SA14631:
http://secunia.com/advisories/14631/

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------