SecurityTracker.com
Category:   OS (Microsoft)  >   Windows Kernel
Vendors:   Microsoft
Microsoft Windows Unspecified WMF Rendering Bug Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1015416
SecurityTracker URL:  http://securitytracker.com/id/1015416
CVE Reference:   CVE-2005-4560
Updated:  Dec 31 2005
Original Entry Date:  Dec 28 2005
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): Windows 2000 SP4, 2003 SP1, and XP SP2; and prior service packs
Description:   A vulnerability was reported in Microsoft Windows in the graphics rendering engine. A remote user can execute arbitrary code on the target user's system.

A remote user can create a specially crafted Windows Metafile (WMF) image that, when loaded by the target user, will cause arbitrary code to be executed on the target user's system. The code will run with the privileges of the target user.

The image file does not need to have a '.wmf' file extension, as the graphics rendering engine can detect the specific type of image file even if the file extension has been changed.
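Because the file type is recognized from content rather than from the name, a filter that only blocks '.wmf' attachments or downloads misses renamed files. The following added example (not part of the SecurityTracker entry or the vendor advisory) identifies WMF data by its header, using the published WMF header layout, and flags files whose extension says otherwise; the function names, file names and sample bytes are constructed for illustration.

```python
import struct
from pathlib import PurePath

PLACEABLE_KEY = 0x9AC6CDD7                 # magic of the optional 22-byte placeable prefix
META_HEADER = struct.Struct("<HHHIHIH")    # type, header words, version, size, objects, max record, unused

def sniff_wmf(data):
    """Return parsed header fields if data begins like a WMF, else None."""
    offset, placeable = 0, False
    if len(data) >= 22 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        words = struct.unpack_from("<11H", data)
        checksum = 0
        for word in words[:10]:            # checksum = XOR of the first ten 16-bit words
            checksum ^= word
        if checksum != words[10]:
            return None
        offset, placeable = 22, True
    if len(data) < offset + META_HEADER.size:
        return None
    mtype, hdr_words, version, size_words, _, _, _ = META_HEADER.unpack_from(data, offset)
    if mtype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return None
    return {"placeable": placeable, "version": version, "declared_bytes": size_words * 2}

def is_disguised_wmf(filename, data):
    """True when the content is WMF but the name does not end in .wmf."""
    return sniff_wmf(data) is not None and PurePath(filename).suffix.lower() != ".wmf"

def _sample_wmf(placeable=False):
    """Constructed, harmless sample: header plus a single end-of-file record."""
    body = META_HEADER.pack(1, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)
    if not placeable:
        return body
    prefix = struct.pack("<IH4hHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 1440, 0)
    checksum = 0
    for word in struct.unpack("<10H", prefix):
        checksum ^= word
    return prefix + struct.pack("<H", checksum) + body

SAMPLES = {                                # constructed names and contents
    "holiday.jpg": _sample_wmf(),
    "banner.gif": _sample_wmf(placeable=True),
    "chart.wmf": _sample_wmf(),
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "disguised WMF" if is_disguised_wmf(name, blob) else "ok")
```

A gateway or mail filter would apply the same check to the first bytes of every image-typed object, not only to those named '.wmf'.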

This vulnerability can be exploited via an HTML page.

A demonstration exploit is circulating in the wild.

A demonstration exploit for the Metasploit Framework is available at:

http://metasploit.com/projects/Framework/exploits.html#ie_xp_pfv_metafile

http://metasploit.com/tools/framework-2.5-snapshot.tar.gz

Impact:   A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution:   No solution was available at the time of this entry.

The vendor has issued an advisory, available at:

http://www.microsoft.com/technet/security/advisory/912840.mspx

The vendor's advisory includes the following temporary workaround [quoted]:

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1

Note The following steps require Administrative privileges.

To un-register Shimgvw.dll, follow these steps:

1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.

2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with regsvr32 %windir%\system32\shimgvw.dll (without the quotation marks).

Vendor URL:  www.microsoft.com/technet/security/advisory/912840.mspx
Cause:   Not specified
Underlying OS:  

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jan 5 2006 (Vendor Issues Fix) Microsoft Windows WMF Rendering Bug Lets Remote Users Execute Arbitrary Code
The vendor has issued a fix.



 Source Message Contents

Date:  27 Dec 2005 20:20:14 -0000
Subject:  Is this a new exploit?

Warning: the following URL successfully exploited a fully patched Windows XP system with a freshly updated Norton AntiVirus.

unionseek.com/d/t1/wmf_exp.htm

The URL runs a .wmf and executes the virus; F-Secure will pick up the virus, Norton will not.

 
 



Copyright 2014, SecurityGlobal.net LLC