0-Day Windows Exploit in the Wild!

[Foxbat]

I just got off of the Internet Storm Center pages about the Windows MetaFile zero-day exploit and wanted to warn people. The F-Secure blog has this entry about a new SPAM that is making the rounds that contains an infected image.

According to the experts, this WMF vulnerability is present in Windows 9x/ME/2K/XP/2K3 (no mention of NT) and Microsoft is not expected to have a fix for several days. This is considered to be the "fish or cut bait" time for those people still running 9x and ME as Microsoft will not release a fix for these versions. People are strongly urged to upgrade to XP. Macs and Linux don't have this vulnerability.

Also, it's reported that running Google Desktop can activate the exploit just by scanning the infected file(s).

 

[SatelliteGAL]

Is this the one they are worried about hitting on Jan 5th?

 

[Foxbat]

No, this is a totally new exploit that was first detected when PCs started to get infected. The bad guys found a long-buried "feature" in the Windows MetaFile file that allows the author to specify an Exit Handler in the case of a fatal error interpretting the WMF file. The only problem is this "exit handler" runs code that can exploit buffer overflows which causes code to be executed at Kernel privelege. The code executed could install a Trojan backdoor or turn off Windows firewall and Antivirus protection, leaving your PC wide open to other attacks.

 

[SatinKzo]

Good thing I don't trust MS for my Firewall and antivirus protection.

 

[Purogamer]

I read this story on yahoo since no one else was carrying it (hint), it's basically the newest reminder not to open attachment story...If you open an attached WMF file (wmf?) you're gonna be in trouble. It's as close to a non-story as they can come up with if you ask me...

 

[SatinKzo]

I never read the story itself. It's just good practice to never open emails or attachments from unknown/untrusted senders like purogramer said.

 

[SimpleSimon]

Good thing I don't trust MS for my Firewall and antivirus protection.

Shame you don't understand how those two things hook into the system.

Provider is not relevant when the hook is disabled.

 

[charper1]

Microsoft Windows Graphics Rendering Engine WMF SetAbortProc Code Execution Vulnerability

Risk
High

Date Discovered
12-28-2005

Description
Microsoft Windows WMF graphics rendering engine is affected by a remote code execution vulnerability. This issue affects the 'SetAbortProc' function.

The problem presents itself when a user views a malicious WMF formatted file, triggering the vulnerability when the engine attempts to parse the file.

The issue may be exploited remotely or by a local attacker. Any remote code execution that occurs will be with the privileges of the user viewing a malicious image. An attacker may gain SYSTEM privileges if an administrator views the malicious file.

Local code execution may facilitate a complete compromise.

Symantec Enterprise Security Manager
Symantec Enterprise Security Manager posted an update to the OS Patch Policy that detects and reports systems that are not patched against this vulnerability. Click here for the advisory released January 5, 2006.

Symantec Vulnerability Assessment
Symantec Vulnerability Assessment detects and reports this vulnerability. Click here for the advisory released January 6, 2006.

AntiVirus Products
A heuristic detection has been released to detect possible exploits of this vulnerability. Symantec Antivirus products will detect files which contain code to exploit this vulnerability as Bloodhound.Exploit.56.

Platforms Affected
Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Home SP2
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Enterprise Edition 64-bit SP1
Microsoft Windows Server 2003 Enterprise Edition 64-bit
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Datacenter Edition 64-bit SP1
Microsoft Windows Server 2003 Datacenter Edition 64-bit
Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows ME
Microsoft Windows 98SE
Microsoft Windows 98
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server

Components Affected
XnView XnView Standard 1.80.3
XnView XnView Minimal 1.80.3
XnView XnView Complete 1.80.3
Wine Windows API Emulator 0.9.4
Wine Windows API Emulator 0.9.3
Wine Windows API Emulator 0.9.2
Wine Windows API Emulator 0.9.1
Wine Windows API Emulator 0.9
Avaya DefinityOne Media Servers
Avaya IP600 Media Servers
Avaya S3400 Message Application Server
Avaya S8100 Media Servers
IrfanView IrfanView 3.98
IrfanView IrfanView 3.97
IrfanView IrfanView 3.95
IBM Lotus Notes 6.5.4
IBM Lotus Notes 6.5.3
IBM Lotus Notes 6.5.2
IBM Lotus Notes 6.5.1
IBM Lotus Notes 6.5

Recommendations
Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.
Do not allow untrusted individuals to have local access to computers. This may limit exposure to local attack vectors.

Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Deploy network intrusion detection systems to monitor all network traffic for signs of suspicious or anomalous activity. This may aid in detecting attempts to exploit latent vulnerabilities or in detecting malicious activity that occurs as a result of successful exploitation.

Do not accept or execute files from untrusted or unknown sources.
Users should not accept files from untrusted or unknown sources as they may be malicious in nature.

Do not follow links provided by unknown or untrusted sources.
Users should avoid Web sites of questionable integrity and not follow links supplied by unknown or untrusted sources.

Do not accept communications that originate from unknown or untrusted sources.
Disabling client support for HTML email may limit exposure to this attack vector.

Implement multiple redundant layers of security.
As it may be possible that this issue will be leveraged to execute code, memory protection schemes are recommended. Memory protection schemes such as non-executable stack/heap configurations and randomly mapped memory segments may complicate exploitation of memory corruption vulnerabilities.

Microsoft has released a security advisory (Microsoft Security Advisory (912840)) confirming this issue. The referenced advisory contains information about workarounds and the vendor plans to release updates in the near future. Please see the advisory for more information.

Microsoft plans to release updates to address this issue on Tuesday, January 10, 2006.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .
IBM Lotus Notes 6.5:
IBM Lotus Notes 6.5.1:
IBM Lotus Notes 6.5.2:

References
Source: Lotus Notes vulnerable to MS Windows graphics rendering engine bug
URL: http://www.nist.org/nist_plugins/content/content.php?content.25

Source: Microsoft Security Advisory (912840)
URL: http://www.microsoft.com/technet/security/advisory/912840.mspx

Source: Technet Security
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/default.asp

Source: Vulnerabilities in Graphics Rendering Engine May Still Exist Even After Applying
URL: http://redxii.blogspot.com/2005/12/vulnerabilities-in-graphics-rendering.html

Source: Vulnerability Note VU#181038 - Microsoft Windows Metafile handler buffer overflo
URL: http://www.kb.cert.org/vuls/id/181038