Computer Emergency Response Team - Industrie Services et Tertiaire



			Public Advisories/Alerts

			Cert-IST publications

			Useful links

			News - Events







		Printable version

Accueil | Resources | Public Advisories/Alerts | Alerts

Reference:	CERT-IST/AL-2006.001
Version:	1.0
Version date:	02 January 2006

Vulnerability Classification

Risk:

high

Impact:

Get access

Confidence:

Vendor-acknowledged

Attack expertise:

Beginner

Attack requirements:

Remote (no account) over a standard service

System Information

Affected Platform(s):

Microsoft Windows systems

Affected Software(s):

"Windows Meta File" (WMF) handler

Impacted products

Description

Publication context:

This Cert-IST alert informs you about the "WMF" flaw exploitation and more specifically of the spreading of SPAM e-mails or Instant Messaging messages that exploit the "WMF" flaw (CVE-2005-4560).

Reminder : The vulnerability concerns the "Windows Meta File" (WMF) image handling. It may allow a remote attacker, via a crafted "WMF" message, to execute arbitrary code on a vulnerable system.

The information related to this vulnerability are available on the Cert-IST web site :

Cert-IST advisory : AV-2005.485
Potential Danger : DG-2005.010
Crisis response hub : "Windows "WMF"

Technical information:

Unwanted SPAM e-mails are currently spreading. These e-mails exploit the new "WMF" flaw. They entice the user to browse malicious web sites, or contain as an attachment malicious images.

Currently, there is for instance a "New Year" message spreading. It has the following characteristics :

If the user opens the attachment, the code runs and tries to download malicious code (Trojan horse for instance).

Other messages (through MSN Messenger for instance) exploiting this flaw are also spreading.

Solution

Recommendations :

Awaiting for an official Microsoft patch, the Cert-IST recommends to :

Update your anti-virus solutions (clients and servers).
Inform the users :
- not to open suspicious attachments (any image file and not only "WMF" extension),
- not to follow URL received by e-mails, or to browse suspicious web sites,
- to display e-mails in TXT format (brute text) in their mail client,
- not to use high privileges on their systems.
Filter on your mail gateways HTML messages.
Filter on your HTTP and mail gateways "image" files (extensions WMF, BMP, GIF, PNG, JPG, JPEG, JPE, JFIF, DIB, RLE, EMF, TIF, TIFF, ICO, etc...).
Apply the temporary patch given in the Microsoft advisory (unregister the "shimgvw.dll" library).
Implement a software restriction policy for blocking "shimgvw.dll" on Windows Server 2003 domain controllers.
Update your IDS database signatures.

Standard vulnerability IDs

CERT/CC: VU#181038

Additional Resources

"WMF" FAQ
- http://isc.sans.org/diary.php?storyid=994
Cert-IST Advisory
- https://wws.cert-ist.com/fast-cgi/AV/Avis.cgi?lang=eng&ref=CERT-IST/AV-2005.485
Cert-IST alert CERT-IST/AL-2006.001
- https://wws.cert-ist.com/fast-cgi/AL/Alerte.cgi?lang=eng&Alias=cert-ist_al-2006_001
Cert-IST Crisis Blog
- https://wws.cert-ist.com/fra/hub/windowswmf/
Cert-IST Potential Danger CERT-IST/DG-2005.010
- https://wws.cert-ist.com/fast-cgi/DG/Danger.cgi?lang=eng&Alias=cert-ist_dg-2005_010
Microsoft security bulletin MS06-001
- http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx
Vulnerability evolution
- http://www.f-secure.com/weblog/
- http://isc.sans.org/

History

Version

Comment

Date

1.0

Alert creation

02 January 2006



Copyright © 1999-2009 Cert-IST \| Legal Notice \| Sitemap