January 2nd, 2006 - Adventures in Engineering — LiveJournal
The wanderings of a modern ronin.

Ben Cantrick
  Date: 2006-01-02 07:52
  Subject:   [MeFi] Windoze WMF vulnerability patch.
Public
Microsoft Windows Metafile (WMF) format images are graphical files that can contain both vector and bitmap-based picture information. WMF files contain a sequence of GDI function calls. The image is created by executing the GDI functions. Certain GDI functions can have unexpected security implications. The GDI Escape function allows an application to access capabilities of a device that are not directly available through GDI. For example, a print job can be cancelled via a GDI Escape call.

A remote, unauthenticated attacker may be able to execute arbitrary code if the user is persuaded to view a specially crafted Windows Metafile.


http://www.kb.cert.org/vuls/id/181038

http://www.f-secure.com/weblog/archives/archive-122005.html#00000757

http://isc.sans.org/diary.php?storyid=999


Yup, you read that right: VIEW AN IMAGE, GET P0WNED! Thanks a lot for designing the GDI so that images can execute code, MS. Great idea there. Almost as good as letting an email execute arbitrary javascript when I click on it.

Patch this now. There is already one verified worm in the wild that takes advantage of this, and more are undoubtedly on the way. This is literally a "view a web page with a bad image on it, and your computer is owned" exploit, so your firewall and such do not protect you one whit. Do not wait; patch it. Until MS bestirs itself to fix the problem, use Ilfak Guilfanov's patch. (Note: Bastard spammers are now apparently churning out many fake "patches" for this problem that do not fix it, but instead just install spyware and popup loaders on your system. So either install Guilfanov's patch, or do not install any patch at all.)

Edit: A tool to check whether your system is vulnerable is available here. Thanks to cassandrapoe.

Edit 2: Also check out spiderfarmer's post on the subject, which includes a link to an excellent Wikipedia page on the vulnerability.
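An added example, not from this post or from any of the linked advisories: a small Python scanner that walks a WMF file's record stream and flags any GDI Escape record, since the Escape path is what the CERT text above identifies as the risk. It assumes the standard WMF record layout (4-byte size in 16-bit words, 2-byte function code, then parameters) and treats the SETABORTPROC escape (code 9, the subfunction VU#181038 covers, a detail not stated on this page) as the case to alert on; the input is a constructed fixture the block builds itself, not a real file.

```python
import struct

META_ESCAPE = 0x0626        # WMF record type carrying a GDI Escape call
META_EOF = 0x0000           # last record in every WMF
META_SETWINDOWORG = 0x020B  # an ordinary, harmless record used in the fixture
SETABORTPROC = 0x0009       # Escape subfunction covered by VU#181038 (not on the page)
PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte Aldus "placeable" header


def wmf_records(data: bytes):
    """Yield (function, params) for each record in a WMF byte string."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                       # skip the placeable header
    header_words = struct.unpack_from("<H", data, off + 2)[0]  # HeaderSize, in words
    off += header_words * 2            # normally 9 words = 18 bytes
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:             # size covers the 6-byte record prefix itself
            raise ValueError("malformed record size at offset %d" % off)
        end = off + size_words * 2
        yield func, data[off + 6:end]
        if func == META_EOF:
            break
        off = end


def find_escapes(data: bytes):
    """Return (escape_function, byte_count) for every META_ESCAPE record."""
    hits = []
    for func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            hits.append(struct.unpack_from("<HH", params, 0))
    return hits


def is_suspicious(data: bytes) -> bool:
    """True if the metafile carries a SETABORTPROC escape, the record at issue."""
    return any(esc == SETABORTPROC for esc, _ in find_escapes(data))


def record(func: int, params: bytes) -> bytes:
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_sample(escape_code: int) -> bytes:
    """Constructed fixture: header, one SETWINDOWORG, one Escape with 2 dummy bytes, EOF."""
    body = record(META_SETWINDOWORG, struct.pack("<hh", 0, 0))
    body += record(META_ESCAPE, struct.pack("<HH", escape_code, 2) + b"\x00\x00")
    body += record(META_EOF, b"")
    words = (18 + len(body)) // 2
    header = struct.pack("<HHHHHHIH", 1, 9, 0x0300, words & 0xFFFF, words >> 16, 0, 6, 0)
    return header + body
```

Run `find_escapes` over a real file read in binary mode; a metafile in a web page or e-mail attachment that contains any Escape record deserves a closer look even if the subfunction is not SETABORTPROC.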