<Microsoft Windows Metafile Handling Buffer Overflow.aspx>

OIT HOME

DAS

STATE CHIEF INFORMATION OFFICER

INVESTMENT & GOVERNANCE DIVISION

INFRASTRUCTURE SERVICES DIVISION

DIGITAL GOVERNMENT

FAQ'S

LIVE HELP

CONTACT OIT

Microsoft Windows Metafile Handling Buffer Overflow

Original release date: December 28, 2005

Last revised: --

Source: US-CERT

Systems Affected

Systems running Microsoft Windows

Overview

Microsoft Windows is vulnerable to remote code execution via an error in handling files using the Windows Metafile image format. Exploit code has been publicly posted and used to successfully attack fully-patched Windows XP SP2 systems. However, other versions of the Windows operating system may be at risk as well.

I. Description

Microsoft Windows Metafiles are image files that can contain both vector and bitmap-based picture information. Microsoft Windows contains routines for displaying various Windows Metafile formats. However, a lack of input validation in one of these routines may allow a buffer overflow to occur, and in turn may allow remote arbitrary code execution.

This new vulnerability may be similar to one Microsoft released patches for in Microsoft Security Bulletin MS05-053. However, publicly available exploit code is known to affect systems updated with the MS05-053 patches.

Not all anti-virus software products are currently able to detect all known variants of exploits for this vulnerability. However, US-CERT recommends updating anti-virus signatures as frequently as practical to provide maximum protection as new variants appear.

US-CERT is tracking this issue as VU#181038. This reference number corresponds to CVE entry CVE-2005-4560.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code if the user is persuaded to view a specially crafted Windows Metafile.

III. Solution

Since there is no known patch for this issue at this time, US-CERT is recommending sites follow several potential workarounds.

Workarounds

Please be aware US-CERT has confirmed that filtering based just on the WMF file extension or MIME type "application/x-msmetafile" will not block all known attack vectors for this vulnerability. Filter mechanisms should be looking for any file that Microsoft Windows recognizes as a Windows Metafile by virtue of its file header.

Do not access Windows Metafiles from untrusted sources

Exploitation occurs by accessing a specially crafted Windows Metafile. By only accessing Windows Metafiles from trusted or known sources, the chances of exploitation are reduced.

Attackers may host malicious Windows Metafiles on a web site. In order to convince users to visit their sites, those attackers often use URL encoding, IP address variations, long URLs, intentional misspellings, and other techniques to create misleading links. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.

Block access to Windows Metafiles at network perimeters

By blocking access to Windows Metafiles using HTTP proxies, mail gateways, and other network filter technologies, system administrators may also limit other potential attack vectors.

Reset the program association for Windows Metafiles

Remapping handling of Windows Metafiles to open a program other than the default Windows Picture and Fax Viewer (SHIMGVW.DLL) may prevent exploitation via some current attack vectors. However, this may still allow the underlying vulnerability to be exploited via other known attack vectors.