Vulnerabilities in Graphics Rendering Engine May Still Exist Even After Applying the MS05-053 (KB896424) Security Update
As you have probably read in this blog, I go out into the dark side of the World Wide Web looking for exploits in the wild, and demonstrating how least privilege can save you.
While surfing around in Windows XP SP2 that is fully patched through 12/13/2005, I was almost sure that I was safe even in an administrator account. Turns out, I was wrong. Next thing I know, files are launching and the faux spyware message shows up in the tray, my background is changed, and Task Manager is disabled.
When I traced the files executing the code, it had come to mind that files with those particular extensions were supposed to have been harmless. They were Windows Metafiles going by the name xpl.wmf and xpladv470.wmf. Something was amiss; I knew I had installed KB896424 [microsoft.com] to prevent Windows Metafiles from executing code. According to Microsoft: "A remote code execution vulnerability exists in the rendering of Windows Metafile (WMF) image format that could allow remote code execution on an affected system. Any program that renders WMF images on the affected systems could be vulnerable to this attack. An attacker who successfully exploited this vulnerability could take complete control of an affected system."
Apparently, code is still allowed to execute whether 1) I visit a web page containing the exploit, 2) the file is previewed in Explorer, or 3) I simply execute it in Windows.
I have confirmed that the following remain vulnerable:
* Windows XP SP2 with all updates through 12/13/2005 including KB896424
* Windows XP SP2 with KB896424
* Windows Server 2003 SP1 with all updates through 12/13/2005 including KB896424
Windows XP SP2 Fully Updated:
Windows Server 2003 SP1 Fully Updated:
It appears to only run with the same privileges as the user. So if you are a restricted user, you don't have anything to worry about if this gets executed. It will simply die from lack of privileges.
12/28/2005 Update: Temporary Workaround and More Information
According to Security Focus: "Any code execution that occurs will be with SYSTEM privileges due to the nature of the affected engine."
However, according to the many different samples and websites I have tried, the code does not execute as SYSTEM even as a limited user. Who is right? I don't know, but for now I say I am. During any code execution of the metafiles, shimgvw.dll, the Windows Picture and Fax Viewer, is only loaded in explorer.exe. Explorer.exe has the same privileges as the user. It is unable to do any damage when executed in the limited user account.
You can stop code from being executed by disabling the Windows Picture and Fax Viewer:
1) Go to Start, and Run
2) Type the following command, pressing enter afterwards: regsvr32 shimgvw.dll /u
You must be admin.
3) Restarting is not required. The files are rendered harmless right away. However, if you want to be thorough, you can.
The only trade-off is that you will not be able to preview thumbnails in Explorer.
Another Update: Microsoft Releases Security Advisory
Microsoft has released a Security Advisory. It confirms what I knew all along: "An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

28 Comments:
There are a lot of applications that still use the "MS meta file library" included in GDI32 :<
This is a little odd, but thanks to your instructions on how to stop the thumbnail service, I have now managed to fix my thumbnail service after a year of it failing.
I'll just have to avoid dodgy websites so I don't get a virus!
Thanks
Hi,
Thanks for the info on the exploit! My question is, once a user disables the fax viewer, and a patch (that works) is released, what is the command to re-register the fax viewer?
Thanks!
Here is a hint for those who can't think for themselves: regsvr32 /?
When this happened to me it ended up in the following folder: \Temporary Internet Files\Content.IE5\GPY4LAN\xpl[1].wmf. Initially Symantec could not delete or repair the file due to "access privileges". I erased all of my temporary internet files and the file was then no longer present when I ran the scan on my computer.
I have software DEP enabled on my system, does this help mitigate the vulnerability?
Yes. Windows XP Service Pack 2 also includes software-enforced DEP that is designed to reduce exploits of exception handling mechanisms in Windows. By default software-enforced DEP applies to core operating system components and services. This vulnerability can be mitigated by enabling DEP for all programs on your computer.
For additional information about how to “Enable DEP for all programs on your computer”, see the product documentation.
Does this vulnerability affect image formats other than Windows Metafile (WMF)?
At this point, the only image format affected is the Windows Metafile (WMF) format. It is possible, however, that an attacker could rename the file extension of a WMF file to that of a different image format. In this situation, it is likely that the Graphic Rendering engine would detect and render the file as a WMF image, which could allow exploitation.
Is this issue related to Microsoft Security Bulletin MS05-053 - Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424) which was released in November?
No, these are different and separate issues.
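The extension-renaming point in the reply above is a content-sniffing problem: the renderer trusts the file header, not the file name. The following Python check, added here and not part of the original post or of Microsoft's guidance, applies the same idea defensively by identifying WMF content from its header regardless of extension; the sample bytes are constructed, and the function names are my own.

```python
import struct

# Aldus placeable metafile key; on disk it is the little-endian bytes D7 CD C6 9A.
PLACEABLE_KEY = 0x9AC6CDD7
PLACEABLE_HEADER_LEN = 22
META_HEADER_LEN = 18

def is_wmf(data: bytes) -> bool:
    """True if the bytes carry a WMF header, whatever the file is called.

    Handles both layouts: a 22-byte Aldus placeable header followed by the
    standard META_HEADER, or the standard META_HEADER alone, whose first three
    WORDs are mtType (1 = memory, 2 = disk), mtHeaderSize (always 9 words)
    and mtVersion (0x0100 or 0x0300).
    """
    offset = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        offset = PLACEABLE_HEADER_LEN
    if len(data) < offset + META_HEADER_LEN:
        return False
    mt_type, header_size, version = struct.unpack_from("<HHH", data, offset)
    return mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)

def classify(name: str, data: bytes) -> str:
    """Compare content against extension: 'wmf', 'wmf-disguised' or 'other'."""
    if not is_wmf(data):
        return "other"
    return "wmf" if name.lower().endswith(".wmf") else "wmf-disguised"

# Constructed sample inputs (harmless headers, not real exploit files).
# Minimal standard metafile: META_HEADER (file is 12 words long) + META_EOF record.
MINIMAL_WMF = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)

def placeable(body: bytes) -> bytes:
    """Wrap a standard metafile in an Aldus placeable header with a valid XOR checksum."""
    fields = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for (word,) in struct.iter_unpack("<H", fields):
        checksum ^= word
    return fields + struct.pack("<H", checksum) + body

JPEG_STUB = b"\xff\xd8\xff\xe0" + b"\x00" * 20  # genuine JPEG magic, constructed

SAMPLES = {
    "xpl.wmf": MINIMAL_WMF,
    "holiday.jpg": placeable(MINIMAL_WMF),  # WMF content behind a .jpg name
    "photo.jpg": JPEG_STUB,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12} {classify(name, data)}")
```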
In regards to the question posted on 12/30/2005 at 12:41 PM that "I have software DEP enabled on my system, does this help mitigate the vulnerability?",
there was a reply posted indicating software DEP would help mitigate this problem. However, in "Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution" Microsoft indicates that software DEP won't help. Microsoft states "Software based DEP does not mitigate the vulnerability. However, Hardware based DEP may work when enabled: please consult with your hardware manufacturer for more information on how to enable this and whether it can provide mitigation."
Someone help quick! I have Windows XP Professional SP1 installed at the minute, but it's just installing SP2, and you said SP2 can get infected. Please respond ASAP. Thanks. P.S. Hurry!!
What about this vulnerability, MS05-046? My system picked this up and I was wondering if it affected the same files and how I can find and delete these files.
Hi,
I have an older corporate version of win xp, pre-SP1. Am I vulnerable? Thanks.
You are all vulnerable if you are on a Microsoft operating system. The WMF Exploit has not been patched. No way to stop it except for going to only trusted sites. Also make sure all your current applications require authorization before opening.
I was attacked by HTTP MS Windows WMF code exec. Should I type in the command Start, Run, then regsvr32 shimgvw.dll /u?