Windows Security Flaw Is 'Severe'

Washington Post ^ | December 30, 2005 | By Brian Krebs

[zeugma]

I don't think we can post articles from this slimy source, but it's a severe enough alert to make it important to be widely known.

Select the source above for some details.

[zeugma]

The attack vector for this type of attack include the IE browser and Outlook email client. With outlook, you don't have to click on anything if you get a mail with the infected code if you have the preview pane turned on.

Within hours, computer virus and spyware authors were using the flaw to distribute malicious programs that could allow them to take over and remotely control afflicted computers.

Unlike with previously revealed vulnerabilities, computers can be infected simply by visiting one of the Web sites or viewing an infected image in an e-mail through the preview pane in older versions of Microsoft Outlook, even if users did not click on anything or open any files. Operating system versions ranging from the current Windows XP to Windows 98 are affected.

[Williams]

So is there a fix yet?

[HOTTIEBOY]

Bush's fault.

[zeugma]

I think this one needs some widespread attention.

[socal_parrot]

Plug for Mac or Linux? Which will come first?

[AppyPappy]

Create a rule to send all emails with an attachment to a folder with preview pane turned off.

[garyhope]

LOL, so true of the smug, condescending, self-righteous Mac crowd.

[oolatec]

Or just get a Mac mini. Then you don't have to worry about it at all... ;)

[devane617]

Google is taking care of MSFT. MSFT will be a faded memory in a few years...

[Bear_Slayer]

And I heard Haliburton was hired to fix it. :-)

[Fiddlstix]

BTTT

[TexasTransplant]

I don't open any attachments unless it was preceded with a phone call. (Mostly Blueprints and drawings or specs PDF etc)

I've lost too much time rebuilding to take any chances, even with daily backups, daily scans etc, attachments are risky. I'd loose at least a day if I were infected.

What troubled me was the part about simply visiting a site could infect your computer.

[socal_parrot]

All of those holding the "plug for Mac" tickets are the winners. Post #8.

[MeanWestTexan]

Don't use outlook.

[AppyPappy]

I can't use a Mac. I'm a heterosexual.

[b4its2late]

Microsoft Security Advisory (912840)

Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.

Published: December 28, 2005 | Updated: December 29, 2005

http://www.microsoft.com/technet/security/advisory/912840.mspx

Microsoft is investigating new public reports of a vulnerability in Windows. Microsoft is also aware of the public release of detailed exploit code that could be used to exploit this vulnerability. Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on the user's system by hosting a specially crafted Windows Metafile (WMF) image on a malicious Web site. Microsoft is aware that this vulnerability is being actively exploited.

Microsoft has determined that an attacker using this exploit would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site. In an e-mail based attack, customers would have to be persuaded to click on a link within a malicious e-mail or open an attachment that exploited the vulnerability. In both the web and email based attacks, the code would execute in the security context of the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Microsoft will continue to investigate these reports and provide additional guidance depending on customer needs.

Customers are encouraged to keep their anti-virus software up to date. The Microsoft Windows AntiSpyware (Beta) can also help protect your system from spyware and other potentially unwanted software. Customers can also visit Windows Live Safety Center and are encouraged to use the Complete Scan option to check for and remove malicious software that take advantage of this vulnerability. We will continue to investigate these public reports.

Upon completion of this investigation, Microsoft will take appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. If you are a Windows OneCare user and your current status is green, you are already protected from known malware that uses this vulnerability to attempt to attack systems.

Microsoft’s investigation into this malicious act is ongoing. We are working closely with our anti-virus partners and aiding law enforcement in its investigation.

Microsoft encourages users to exercise caution when they open e-mail and links in e-mail from untrusted sources. For more information about Safe Browsing, visit the Trustworthy Computing Web site.

We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, applying software updates and installing antivirus software. Customers can learn more about these steps at the Protect Your PC Web site.

Customers who believe they have been attacked should contact their local FBI office or post their complaint on the Internet Fraud Complaint Center Web site. Customers outside the U.S. should contact the national law enforcement agency in their country.

Customers who believe they may have been affected by this issue can also contact Product Support Services. You can contact Product Support Services in the United States and Canada at no charge using the PC Safety line (1 866-PCSAFETY). Customers outside of the United States and Canada can locate the number for no-charge virus support by visiting the Microsoft Help and Support Web site.

Mitigating Factors:

•	In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.
•	In an E-mail based attack of the current exploit, customers would have to be persuaded to click on a link within a malicious e-mail or open an attachment that exploited the vulnerability.
•	An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
•	By default, Internet Explorer on Windows Server 2003, on Windows Server 2003 Service Pack 1, on Windows Server 2003 with Service Pack 1 for Itanium-based Systems, and on Windows Server 2003 x64 Edition runs in a restricted mode that is known as Enhanced Security Configuration This mode mitigates this vulnerability where the e-mail vector is concerned although clicking on a link would still put users at risk. In Windows Server 2003, Microsoft Outlook Express uses plain text for reading and sending messages by default. When replying to an e-mail message that is sent in another format, the response is formatted in plain text. See the FAQ section of this vulnerability for more information about Internet Explorer Enhanced Security Configuration.

General Information

Purpose of Advisory: To provide customers with initial notification of the publicly disclosed and exploited vulnerability. For more information see the “Suggested Actions” section of the security advisory.

Advisory Status: Under Investigation

Recommendation: Review the suggested actions and configure as appropriate.

References	Identification
CVE Reference	CVE-2005-4560
CERT Reference	VU#181038
Microsoft Knowledge Base Article	912840

This advisory discusses the following software.

Related Software

Microsoft Windows 2000 Service Pack 4

Microsoft Windows XP Service Pack 1

Microsoft Windows XP Service Pack 2

Microsoft Windows XP Professional x64 Edition

Microsoft Windows Server 2003

Microsoft Windows Server 2003 for Itanium-based Systems

Microsoft Windows Server 2003 Service Pack 1

Microsoft Windows Server 2003 with SP1 for Itanium-based Systems

Microsoft Windows Server 2003 x64 Edition

Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)

Note Microsoft Windows Server 2003 Service Pack 1 and Microsoft Windows Server 2003 x64 Edition also refer to Microsoft Windows Server 2003 R2.

Top of section

What is the scope of the advisory?
Microsoft is aware of a new vulnerability report affecting the Graphics Rendering Engine in Microsoft Windows. This vulnerability affects the software that is listed in the “Overview” section.

Is this a security vulnerability that requires Microsoft to issue a security update?
We are currently investigating the issue to determine the appropriate course of action for customers. We will include the fix for this issue in an upcoming security bulletin.

What causes the vulnerability?
A vulnerability exists in the way specially crafted Windows Metafile (WMF) images are handled that could allow arbitrary code to be executed.

What is the Windows Metafile (WMF) image format?
A Windows Metafile (WMF) image is a 16-bit metafile format that can contain both vector information and bitmap information. It is optimized for the Windows operating system.

For more information about image types and formats, see Microsoft Knowledge Base Article 320314. Additional information about these file formats is also available at the MSDN Library Web site.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system. In a Web-based attack scenario, an attacker would host a Web site that exploits this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.

How could an attacker exploit the vulnerability?
An attacker could host a malicious Web site that is designed to exploit this vulnerability through Internet Explorer and then persuade a user to view the Web site.

I am reading e-mail in plain text, does this help mitigate the vulnerability?
Yes. Reading e-mail in plain text does mitigate this vulnerability where the e-mail vector is concerned although clicking on a link would still put users at risk.

Note In Windows Server 2003, Microsoft Outlook Express uses plain text for reading and sending messages by default. When replying to an e-mail message that is sent in another format, the response is formatted in plain text.

I have software DEP enabled on my system, does this help mitigate the vulnerability?
Yes. Windows XP Service Pack 2 also includes software-enforced DEP that is designed to reduce exploits of exception handling mechanisms in Windows. By default software-enforced DEP applies to core operating system components and services. This vulnerability can be mitigated by enabling DEP for all programs on your computer.
For additional information about how to “Enable DEP for all programs on your computer”, see the product documentation.

Does this vulnerability affect image formats other than Windows Metafile (WMF)?
At this point, the only image format affected is the Windows Metafile (WMF) format. It is possible however than an attacker could rename the file extension of a WMF file to that of a different image format. In this situation, it is likely that the Graphic Rendering engine would detect and render the file as a WMF image which could allow exploitation.

Windows Metafile (WMF) images can be embedded in other files such as Word documents. Am I vulnerable to an attack from this vector?
No. While we are investigating the public postings which seek to utilize specially crafted WMF files through IE, we are looking thoroughly at all instances of WMF handling as part of our investigation. While we're not aware of any attempts to embed specially crafted WMF files in, for example Microsoft Word documents, our advice is to accept files only from trusted source would apply to any such attempts.

It has been reported that malicious files indexed by MSN Desktop Search could lead to exploitation of the vulnerability. Is this true?
We have received reports and are investigating them thoroughly as part of our ongoing investigation. We are not aware at this time of issues around the MSN Desktop Indexer, but we are continuing to investigate.

Is this issue related to Microsoft Security Bulletin MS05-053 - Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424) which was released in November?
No, these are different and separate issues.

Are there any third party Intrusion Detection Systems (IDS) that would help protect against attempts to exploit this vulnerability?
While we don't know of specific products or services that currently scan or detect for attempts to render specially crafted WMF files, we are working with our partners through industry programs like VIA to provide information as we have it. . Customers should contact their IDS provider to determine if it offers protection from this vulnerability.

When this security advisory was issued, had Microsoft received any reports that this vulnerability was being exploited?
Yes. When the security advisory was released, Microsoft had received information that this vulnerability was being actively exploited.

Top of section

Microsoft has tested the following workaround. While this workaround will not correct the underlying vulnerability, it will help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Note The following steps require Administrative privileges.

To un-register Shimgvw.dll, follow these steps:

1.	Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
2.	A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).

Top of section

Top of section

•	Microsoft encourages users to exercise caution when they open e-mail and links in e-mail from untrusted sources. For more information about Safe Browsing, visit the Trustworthy Computing Web site.
•	Customers in the U.S. and Canada who believe they may have been affected by this possible vulnerability can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support that is associated with security update issues or viruses." International customers can receive support by using any of the methods that are listed at Security Help and Support for Home Users Web site.
•	All customers should apply the most recent security updates released by Microsoft to help ensure that their systems are protected from attempted exploitation. Customers who have enabled Automatic Updates will automatically receive all Windows updates. For more information about security updates, visit the Microsoft Security Web site.
•	Protect Your PC We continue to encourage customers follow our Protect Your PC guidance of enabling a firewall, getting software updates and installing ant-virus software. Customers can learn more about these steps by visiting Protect Your PC Web site.
•	For more information about staying safe on the Internet, customers can visit the Microsoft Security Home Page.
•	Keep Windows Updated All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit the Microsoft Update Web site, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.

Top of section

Resources:

•	You can provide feedback by completing the form by visiting the following Web site.
•	Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services. For more information about available support options, see the Microsoft Help and Support Web site.
•	International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit the International Support Web site.
•	The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

•	December 28, 2005: Advisory published
•	December 29, 2005: Advisory updated. FAQ section updated.

[zeugma]

So is there a fix yet?

I don't think so. Best fix at the moment is Firefox and Thunderbird.

[zeugma]

Plug for Mac or Linux? Which will come first?

Linux. MACs are for queer cowboys. (Just kidding folks!)

[zeugma]

Microsoft Security Advisory (912840)

Excellent addition to the thread. Thanks!

[socal_parrot]

THEY'RE SHEEPHERDERS!!!!

I'm getting tired of the whole "they're not cowboys, they're sheepherders" crowd too.

I'm a bit grumpy today.

[Boundless]

> Best fix at the moment is Firefox and Thunderbird.

Agreed, and largely because Tbird has images disabled by
default in the preview pane, unlike Outlook, which by
default exposes you to the full power of the dark side.

Given that this was a WaPo article, I'm astonished that
it didn't have their trademarked tag line:
"... women and children hardest hit."

[ShadowAce]

[Doohickey]

Outlook 2003 does not display images in the preview pane unless the recipient requests they be downloaded.

[Doohickey]

Outlook 2003 has the same functionality.

[The_Reader_David]

And what exactly is that supposed to mean? Are you impuning El Rushbo's sexual orientation?

[The_Reader_David]

Mac or Linux is fine by me: the FreeBDS kernel (underlies OS X) and Minux (a crippled version of Unix for Intel chips created as a basis for student exercises, and fleshed out by Linus Torvalds to create Linux) were both produced by category theorists, so I've got a guild-loyalty to both.

[theFIRMbss]

>Bush's fault

It is hard to say
who gets blamed for more bad things,
George Bush or Bill Gates.

If we add WalMart,
we'd have the three-sectioned root
of all the world's BAD . . .

[zeugma]

Just about any unix works for me, as it suits the way I work better than anything else I've found. I just wish we could do better than X though.

[antiRepublicrat]

Minux (a crippled version of Unix for Intel chips created as a basis for student exercises, and fleshed out by Linus Torvalds to create Linux)

1. Minux is pretty good now, highly robust with a small footprint. 2. Linus didn't flesh it out to make Linux. Minux was his platform used to create Linux, and Linux used some ideas from Minix.

[TechJunkYard]

This advisory discusses the following software.
Related Software
...
Microsoft Windows Server 2003
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition

People actually use Windows Server 2003 as a desktop O/S? (I would think that's not very cost-effective.)

Windows admins surf the web and do e-mail on a server box? (All of my servers stay in runlevel 3 precisely to prevent that.)

Hmmmm.

[Calvinist_Dark_Lord]

It is hard to say who gets blamed for more bad things, George Bush or Bill Gates.

If we add WalMart, we'd have the three-sectioned root of all the world's BAD . . .

The Liberal's version of the "Axis of Evil"? i think you may be on to something there.

[Casloy]

Three letters MAC.

[Clara Lou]

Question: Is this the same WMF vulnerability that was called a trojan on a thread yesterday, or is this something in addition? Symantec dealt with the trojan on the 28th. Will that take care of this?

[zeugma]

Trouble is, 'tis not only liberals who dislike mr. gates.

[taxed2death]

hahahah...that's the joke around our office here where we do a lot of solid modeling....We use PC's running linux and BRLcad.

[zeugma]

I don't know. There is a bulletin from MS farther up the page. (Post 16) That might help.

[garyhope]

"What troubled me was the part about simply visiting a site could infect your computer."

Happened to me once visiting of all things, a site about Japanese kitchen knives! Luckily my McAfee caught it and I cleansed it.

[joonbug]

This is news?

Once you go Mac, you never go back...

[zeugma]

I was perusing the /. post on this and ran across this...

I agree with all of that. Hell, I still tend to think of it as gdi.exe, which is about the last time I cared what Windows internals really looked like. But this "bug" is even better than that - it's not in the image format parser, it's in the freakin' WMF API!!! Believe it or not, WMF files are allowed to have callback functions (user or kernel mode unknown by me) in them - in other words a (picture) data file can contain executable code to "help" Windows display it!! It gets better: change the file extension to "jgp" or "gif" or another image type, hell, probably any file type that has a custom icon/is previewable, and Windows will look at the file and go "oh - that's really a WMF file - I know what to do..." (I'm dyin' here). Even Windows Explorer (with thumbnails enabled) will execute the code if you look at a directory that contains one of these files.

If there ever was a smoking-gun lead-pipe indictment of Microsoft's sloppy love of whizzo features, security, stability, maintainability, administerability be damned; this has GOT to be it. If the filetype API is that flawed, we need to just get rid of .WMF files, period.

Yeah, I know take /. posts with a grain of salt, but, if true, it will be interesting to see what will be done about it. --

[Hank Rearden]

Some people use IE and Outlook?

Ick.

[zeugma]

Some people use IE and Outlook?

Yeah. Some people don't know better. While at relatives the other week, I ended up installing Firefox and Thunderbird for them, and deleting every single outlook and IE icon I could find.

[LexBaird]

And what exactly is that supposed to mean? Are you impuning El Rushbo's sexual orientation?

It means he prefers to remain a masochistic MicroSerf, afraid to look at any attachment not verified by the Pope, and afraid to visit half the Web for fear that he'll have to spend the next week cleaning the crap off his zombie PC .... for the 937th time this year. All because he mistakes a tool for a lifestyle.

I'm on a Mac, and have been for over ten years. Anti-virus? None. Trojans? None. Viruses? Worms? None and none. Downtime from malware? None. Time dealing with security updates in the last year? Maybe 10 minutes, total.

I also maintain a design dept. LAN, with 5 Macs and one MS print server. In over eight years, there has never been a minute lost to downtime on any Mac due to malware. The MS server, OTOH, was used one afternoon by a "visitor" to browse the Net. In spite of a hardware router firewall and virus protection, in one day that box got 187 pieces of crap infecting it, that took at least 5 reboots before we got them removed. I wish I could just take Exploder off of the file server completely, but I don't have the time to figure out how without removing vital OS parts.

[The_Reader_David]

Ah, but the liberals hate him because he's rich. Those of on the right stand with Linus Torvalds in this regard: "I don't mind Bill Gates being rich. I mind Bill Gates having a lousy operating system."

[Havoc]

ROFL. This is great. Seems the only way anything coming from MS works as designed is if they stole it from someone else. Xerox and IBM should have awards for being the best at making MS crap work.

[octobersky]

But if you must turn off the preview pane.

[RunningWolf]

I don't use Outlook, but I went ahead and disabled Outlook as much as I could by deleting all the *.dll files.

If I completely remove Outlook, XP puts it back in

[derllak]

Go to command prompt and type
regsvr32 -u %windir%\system32\shimgvw.dll

This disables the offending dll. Then rename it so some other program doesn't reactivate it.
ren %windir%\system32\shimgvw.dll %windir%\system32\shimgvw.dll_bad

[Williams]

Sorry to have to ask this, but how exactly do I go to command prompt?

[XeniaSt]

So is there a fix yet?

./

Get Root !

[derllak]

It's getting worse... New IM Worm Exploiting WMF Vulnerability