Security update for WMF vulnerability

Status
Not open for further replies.
Microsoft has yielded to pressure and released a patch for the latest Windows security vulnerability, breaking its regular once-a-month update schedule.

The software giant has issued a software patch for the Windows Meta File (WMF) vulnerability, uncovered on Dec. 27 and confirmed on Dec. 28, that Microsoft had initially planned to release with other software updates and fixes on January 10. The patch, MS06-001, is available here.

Microsoft's decision followed mounting criticism that it was leaving millions of users vulnerable to a growing number of WMF attacks, while experts had advised users to take the unprecedented step of downloading non-Microsoft fixes.

In a statement, Microsoft said it was acting following "strong customer sentiment that the release should be made available as soon as possible."

The u-turn comes after Microsoft earlier this week attempted to soothe concerns and silence critics saying, although the WMF vulnerability was serious and malicious attacks were being attempted by hackers, "Microsoft's intelligence sources indicated that the scope of the attacks are not widespread."

According to Microsoft, the WMF vulnerability only affects machines running Windows 2000 Service Pack 4, XP SP 1 and SP 2, XP Professional x64 Edition, Windows Server 2003 and Server 2003 SP 1 and Windows Server 2003 x64 Edition.

Older versions of Windows - Windows 98, 98 Second Edition and Millennium Edition - are going unpatched. While these versions of Windows do contain the affected component, Microsoft said the vulnerability is not critical because an "exploitable attack vector" has not been identified that would justify a critical severity rating. Microsoft will only release updates for "critical" security issues on these dating operating systems.

Users still running on Windows NT and pre SP 4 versions of Windows 2000 also get nothing because these have reached the end of Microsoft's mandated support lifecycles. Instead, Microsoft has advised users to upgrade to later editions of Windows.
 
TheMajor said:
Yes, just tried to install it, but can't. Don't have SP1a nor SP2. But I have the older patch installed.

This doesn't even affect you anyways....

XP SP 1 and SP 2 <--it's only for SP1 and higher
 
Maybe Microsoft just published this patch to get people to install SP2 as it sends a monthly copy of your registry to Bill's servers ;)
 
One week after issuing an emergency patch for a vulnerability in Windows Meta File image processing that opened the door for arbitrary code execution, a new problem has been discovered in the format. But Microsoft has downplayed the concerns, saying the bug only causes "performance issues."

According to a posting to the Bugtraq mailing list, "Windows WMF graphics rendering engine is affected by multiple memory corruption vulnerabilities." The problems involve the ExtCreateRegion and ExtEscape functions.

"Reports indicate that these issues lead to a denial of service condition, however, it is conjectured that arbitrary code execution is possible as well. Any code execution that occurs will be with the privileges of the user viewing a malicious image," says Security Focus.
 
Contrary to a recent rumor circulating on the internet, Microsoft did not intentionally back-door the majority of Windows systems by means of the WMF vulnerability. Although it is a serious issue that should be patched straight away, the idea that it's a secret back door is quite preposterous.

The rumor began when popinjay expert Steve Gibson examined an unofficial patch issued by Ilfak Guilfanov, and, due to his lack of security experience, observed behavior that he could not explain by means other than a Microsoft conspiracy. He then went on to speculate publicly about this via a "This Week in Tech" podcast, and on his own web site. Slashdot grabbed the story, and the result is a fair number of Netizens who now mistakenly believe that the WMF flaw was created with malicious intent.

What it is
We think it's time that this irrational fear is put to rest. First, let's look at how the flaw works: A WMF (Windows Metafile) image can trigger the execution of arbitrary code because the rendering engine, shimgvw.dll, supports the SetAbortProc API, which was originally intended as a means to cancel a print task, say when the printer is busy with a very large job, or the queue is very long, or there is a mechanical problem, and so on. Unfortunately, due to a bit of careless coding, it is possible to cause shimgvw.dll (i.e., the Windows Picture and Fax Viewer) to execute code when SetAbortProc is invoked.

a script to play back graphical device interface (GDI) calls when a rendering task is initiated. Unfortunately, and due entirely to Microsoft's carelessness whenever security competes with functionality, it is possible to point the abort procedure to arbitrary code embedded in a metafile.

Gibson could not imagine why WMF rendering should need the SetAbortProc API, since, as he mistakenly believed, WMF outputs to a screen, not a printer. In fact, it can output to a printer as well. But following Gibson's erroneous assumption, the question arose: what would be the point of polling the process and allowing the user, or application, to cancel it?

Having exhausted his imagination on that score, he concluded that there's no good reason for SetAbortProc to be involved in handling metafiles. The more logical explanation, Gibson reckoned, was that someone at Microsoft had deliberately back-doored Windows with this peculiar little stuff-up. And besides, the idea of compromising a computer with an image file seemed quite cloak-and-dagger, adding to the supposed "mystery."
 
Microsoft disclosed another Windows Metafile (WMF) vulnerability Tuesday, saying an attacker could execute code as the logged-in user.

The company discovered four ways that the flaw could be exploited; however, it stressed the latest flaw is very limited in scope.

Only users of Internet Explorer 5.01 Service Pack 4 on Windows 2000 Service Pack 4 and Internet Explorer 5.5 Service Pack 2 on Windows Millennium are affected by the problem, Microsoft said.

An attacker would be able to exploit the flaw by hosting a specially crafted WMF file on a Web site, convincing a user to open a specially crafted e-mail attachment, convincing a user to click on a link in an e-mail, or by the user viewing specially crafted e-mail in the preview pane of Outlook Express.
 