Exploit for Vulnerability in Microsoft Windows Metafile Handling
January 2, 2006
US-CERT is aware of active exploitation of a vulnerability in how Microsoft Windows handles Windows Metafiles (".wmf"). Several variations of the WMF exploit file have been released that attempt to avoid detection by anti-virus software and intrusion detection and intrusion prevention systems.
A Windows system may be compromised through several methods including:
* Opening a specially crafted WMF file. Note that a malicious WMF file may masquerade as a JPEG or other type of image file.
* Visiting a specially crafted web site.
* Placing a malicious WMF file in a location that is indexed by Google Desktop Search or other content indexing software.
* Viewing a folder that contains a malicious WMF file with Windows Explorer.
Once the vulnerability is exploited, a remote attacker may be able to perform any of the following malicious activities:
* Execute arbitrary code
* Cause a denial-of-service condition
* Take complete control of a vulnerable system
More information about this vulnerability can be found in the following:
* US-CERT Vulnerability Note: VU#181038 - Microsoft Windows Metafile handler SETABORTPROC GDI Escape vulnerability
* Technical Cyber Security Alert: TA05-362A - Microsoft Windows Metafile Handling Buffer Overflow
* Microsoft Security Advisory: 912840 - Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution
Although there is limited information on how to fully defend against this exploit, US-CERT recommends the following mitigation:
* Unregister SHIMGVW.DLL
Please see VU#181038 for details and additional workarounds at: http://www.kb.cert.org/vuls/id/181038
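Because a malicious WMF may carry a .jpg or other image extension, file triage has to look at content rather than the name. The following Python sketch is an added example, not part of the US-CERT advisory: it recognizes a WMF by its header and walks the record list for an Escape record requesting SETABORTPROC, the GDI escape named in VU#181038. The function names, finding labels and sample byte strings are constructed for illustration, and a structural check like this is a triage aid, not complete detection.

```python
import struct

PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"  # optional 22-byte placeable header
META_ESCAPE = 0x0626                   # WMF record function: Escape
SETABORTPROC = 0x0009                  # escape code named in VU#181038

def wmf_header_offset(data):
    """Offset of the 18-byte standard WMF header, or None if not a WMF."""
    off = 22 if data[:4] == PLACEABLE_MAGIC else 0
    if len(data) < off + 18:
        return None
    ftype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    ok = ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)
    return off if ok else None

def has_setabortproc(data):
    """Walk the record list; True if an Escape record asks for SETABORTPROC."""
    off = wmf_header_offset(data)
    pos = None if off is None else off + 18
    while pos is not None and pos + 8 <= len(data):
        size_words, func, arg = struct.unpack_from("<IHH", data, pos)
        if func == META_ESCAPE and arg == SETABORTPROC:
            return True
        if size_words < 3 or func == 0:   # malformed size or META_EOF
            break
        pos += size_words * 2             # record size is counted in 16-bit words
    return False

def triage(filename, data):
    """Findings for one file, judged by content instead of extension."""
    findings = []
    if wmf_header_offset(data) is None:
        return findings
    if not filename.lower().endswith(".wmf"):
        findings.append("wmf-content-with-other-extension")
    if has_setabortproc(data):
        findings.append("escape-setabortproc")
    return findings

def build_sample(escape_code):
    """Constructed test input: header, one empty Escape record, META_EOF."""
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 17, 0, 5, 0)
    escape = struct.pack("<IHHH", 5, META_ESCAPE, escape_code, 0)
    return header + escape + struct.pack("<IH", 3, 0)

SAMPLE_FLAGGED = build_sample(SETABORTPROC)  # constructed, carries no payload
SAMPLE_COMMENT = build_sample(0x000F)        # constructed, MFCOMMENT escape
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + bytes(32)  # constructed JPEG-like header
```

For example, `triage("holiday.jpg", SAMPLE_FLAGGED)` reports both the mismatched extension and the SETABORTPROC record, while the comment-only metafile and the JPEG-like sample produce no findings.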
source: www.us-cert.gov