
Technical Cyber Security Alert 2005-362A

Posted Dec 31, 2005
Authored by US-CERT | Site us-cert.gov

Technical Cyber Security Alert TA05-362A - Microsoft Windows is vulnerable to remote code execution via an error in handling files using the Windows Metafile image format. Exploit code has been publicly posted and used to successfully attack fully-patched Windows XP SP2 systems. However, other versions of the Windows operating system may be at risk as well.

tags | advisory, remote, code execution
systems | windows
advisories | CVE-2005-4560
SHA-256 | f6f83f4c62f88b1b8f28ccf5bd55c11ca01db6be417a1c42f07ba65cd3f93cf3


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Microsoft Windows Metafile Handling Buffer Overflow

Original release date: December 28, 2005
Last revised: --
Source: US-CERT

Systems Affected

* Systems running Microsoft Windows

Overview

Microsoft Windows is vulnerable to remote code execution via an error
in handling files using the Windows Metafile image format. Exploit
code has been publicly posted and used to successfully attack
fully-patched Windows XP SP2 systems. However, other versions of the
Windows operating system may be at risk as well.

I. Description

Microsoft Windows Metafiles are image files that can contain both
vector and bitmap-based picture information. Microsoft Windows
contains routines for displaying various Windows Metafile formats.
However, a lack of input validation in one of these routines may allow
a buffer overflow to occur, and in turn may allow remote arbitrary
code execution.

This new vulnerability may be similar to one Microsoft released
patches for in Microsoft Security Bulletin MS05-053. However, publicly
available exploit code is known to affect systems updated with the
MS05-053 patches.

Not all anti-virus software products are currently able to detect all
known variants of exploits for this vulnerability. However, US-CERT
recommends updating anti-virus signatures as frequently as practical
to provide maximum protection as new variants appear.

US-CERT is tracking this issue as VU#181038. This reference number
corresponds to CVE entry CVE-2005-4560.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary
code if the user is persuaded to view a specially crafted Windows
Metafile.

III. Solution

Since there is no known patch for this issue at this time, US-CERT is
recommending sites follow several potential workarounds.

Workarounds

Please be aware US-CERT has confirmed that filtering based just on the
WMF file extension or MIME type "application/x-msmetafile" will not
block all known attack vectors for this vulnerability. Filter
mechanisms should be looking for any file that Microsoft Windows
recognizes as a Windows Metafile by virtue of its file header.

Do not access Windows Metafiles from untrusted sources

Exploitation occurs by accessing a specially crafted Windows Metafile.
By only accessing Windows Metafiles from trusted or known sources, the
chances of exploitation are reduced.

Attackers may host malicious Windows Metafiles on a web site. In order
to convince users to visit their sites, those attackers often use URL
encoding, IP address variations, long URLs, intentional misspellings,
and other techniques to create misleading links. Do not click on
unsolicited links received in email, instant messages, web forums, or
internet relay chat (IRC) channels. Type URLs directly into the
browser to avoid these misleading links. While these are generally
good security practices, following these behaviors will not prevent
exploitation of this vulnerability in all cases, particularly if a
trusted site has been compromised or allows cross-site scripting.

Block access to Windows Metafiles at network perimeters

By blocking access to Windows Metafiles using HTTP proxies, mail
gateways, and other network filter technologies, system administrators
may also limit other potential attack vectors.
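
The header-based filtering recommended under "Workarounds" and the perimeter
blocking described above can be combined in one gateway check. The following
Python is an added example, not part of the US-CERT alert: the function and
sample names are hypothetical, and the header values (placeable key
0x9AC6CDD7; standard header type 1 or 2, header size 9 words, version 0x0100
or 0x0300) are taken from the published WMF file format, not from this page.

```python
import struct
from typing import Optional

PLACEABLE_KEY = 0x9AC6CDD7  # first DWORD of a "placeable" WMF


def classify_metafile(data: bytes) -> Optional[str]:
    """Return the WMF flavour indicated by the file header, or None."""
    # Placeable WMF: 22-byte prefix that starts with a fixed key.
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        return "wmf-placeable"
    # Standard WMF: 18-byte header; check its first three WORD fields.
    if len(data) >= 18:
        mtype, header_words, version = struct.unpack_from("<HHH", data)
        if mtype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300):
            return "wmf-standard"
    return None


def should_block(filename: str, mime: str, data: bytes) -> bool:
    """Block on the claimed type OR on what the header says the file is."""
    claimed = (filename.lower().endswith(".wmf")
               or mime.lower() == "application/x-msmetafile")
    return claimed or classify_metafile(data) is not None


# Constructed sample inputs (benign, minimal headers only).
# Standard header (type, header words, version, size, objects, max record,
# members) followed by a 3-word end-of-file record.
SAMPLE_STANDARD = (struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0)
                   + struct.pack("<IH", 3, 0))
# Placeable prefix (checksum field left at 0) in front of the same body.
SAMPLE_PLACEABLE = (struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0,
                                100, 100, 1440, 0, 0) + SAMPLE_STANDARD)
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 53

if __name__ == "__main__":
    uploads = [
        ("holiday.jpg", "image/jpeg", SAMPLE_STANDARD),  # WMF renamed to .jpg
        ("card.gif", "image/gif", SAMPLE_PLACEABLE),     # WMF renamed to .gif
        ("photo.jpg", "image/jpeg", SAMPLE_JPEG),        # genuine JPEG start
    ]
    for name, mime, body in uploads:
        verdict = "BLOCK" if should_block(name, mime, body) else "allow"
        print(f"{name:12} {mime:11} header={classify_metafile(body)} -> {verdict}")
```

The standard-header test inspects only six bytes, so a gateway using it should
expect occasional false positives on unrelated binary data.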

Reset the program association for Windows Metafiles

Remapping handling of Windows Metafiles to open a program other than
the default Windows Picture and Fax Viewer (SHIMGVW.DLL) may prevent
exploitation via some current attack vectors. However, this may still
allow the underlying vulnerability to be exploited via other known
attack vectors.
_________________________________________________________________


This document is also available at

<http://www.us-cert.gov/cas/techalerts/TA05-362A.html>

Updates will be made at

<http://www.kb.cert.org/vuls/id/181038>

Feedback can be directed to

<mailto:cert@cert.org?subject=TA05-362A%20Feedback%20VU%23181038>
_________________________________________________________________

Produced 2005 by US-CERT, a government organization.

Terms of use

<http://www.us-cert.gov/legal.html>

Revision History

December 28, 2005: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

-----END PGP SIGNATURE-----