Windows UNPATCHED vulnerability on the run

Read full at this link. http://www.microsoft.com/technet/security/advisory/912840.mspx
Microsoft Security Advisory (912840)

Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.

Published: December 28, 2005 | Updated: December 30, 2005

Microsoft is investigating new public reports of a vulnerability in Windows. Microsoft is also aware of the public release of detailed exploit code that could be used to exploit this vulnerability. Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on the user’s system by hosting a specially crafted Windows Metafile (WMF) image on a malicious Web site. Microsoft is aware that this vulnerability is being actively exploited.
Microsoft has determined that an attacker using this exploit would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker’s Web site. In an e-mail based attack, customers would have to be persuaded to click on a link within a malicious e-mail or open an attachment that exploited the vulnerability. In both the web and email based attacks, the code would execute in the security context of the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Microsoft will continue to investigate these reports and provide additional guidance depending on customer needs.

Just to be safe, DO NOT open any picture from any source :).

Other concerned links
http://www.kb.cert.org/vuls/id/181038
http://forum.shavlik.com/viewtopic.php?t=2731 << Workaround posted.

Re: Windows UNPATCHED vulnerability on the run

Don't use the piece of ****e known as Internet Explorer, and every web developer who thinks people only use IE so it works on everything needs shooting.

Re: Windows UNPATCHED vulnerability on the run

^^ This is a Windows vulnerability... Even Firefox is vulnerable to it.

Re: Windows UNPATCHED vulnerability on the run

It is, but Firefox doesn't run WMF files. So you have to download the file to your hard disk, then view it with the Windows viewer.

Re: Windows UNPATCHED vulnerability on the run

Thanks … MS advisory has the same fix but it disables the Windows Image viewer… guess it will do for now. I will add the batch file contents to logon script.

There are 73 known variants of that worm … Symantec detects all so far…
source: http://www.pcmag.com/article2/0,1895,1907518,00.asp

But I am afraid there are unknown variants flowing around that could hit us in no time… Microsoft's official patch is scheduled for the 10th of Jan…

Re: Windows UNPATCHED vulnerability on the run

Folks, you do know that none of these workarounds are actually a fix. There is a patch which can be downloaded from here . Please follow the instructions carefully, **however, be warned that if you install this patch MS will not support your windows/IE.**

Re: Windows UNPATCHED vulnerability on the run

I didn't post a link to that patch as it's not MS code but 3rd party. For those of you who don't know, Ilfak Guilfanov is the developer of IDA Pro, the best disassembler I have ever seen. Well respected in the reverse engineering community. Up to you whether you want to install unofficial patches.

Re: Windows UNPATCHED vulnerability on the run

risc, I agree with you, that guy is awesome. Folks, don't mind me slightly derailing this thread... but I have found another fellow geek who loves this stuff... risc, have you checked out metaexploit.com and their framework... It's awesome, I have recently started playing with it.... man, it opens your eyes regarding what kind of bad stuff can be running amuck on the Internet.

Re: Windows UNPATCHED vulnerability on the run

http://isc.sans.org/diary.php?compare=1&storyid=1010

Alrighty, I'm counting on the above .msi for deployment…

Kaleem bhai, you are right… that Shavlik fix doesn't cut it… The real culprit is GDI32.DLL and you can't unregister it if you want your system to run normally.

Please keep posting updates on variants, fixes, etc.
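
A defender-side triage check for the point made above, that the flaw sits in GDI32.DLL's WMF handling, so what matters is whether a file's content is WMF, not which viewer or extension is involved. This is an added example, not part of any post or vendor tool; it assumes the public MS-WMF record layout and flags META_ESCAPE records selecting SETABORTPROC, the record type MS06-001 addresses. The sample bytes are constructed and carry no payload.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header
META_ESCAPE = 0x0626         # record function META_ESCAPE
META_EOF = 0x0000            # record function META_EOF
SETABORTPROC = 0x0009        # escape function SETABORTPROC


def inspect_wmf(data: bytes) -> dict:
    """Classify bytes by content and list offsets of SETABORTPROC escape records."""
    result = {"is_wmf": False, "records": 0, "setabortproc": [], "truncated": False}
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                   # skip the placeable header
    if len(data) < off + 18:
        return result
    ftype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    if ftype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return result                              # not a META_HEADER
    result["is_wmf"] = True
    pos, saw_eof = off + 18, False
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3:                         # smaller than its own header
            break
        if func == META_ESCAPE and pos + 8 <= len(data):
            if struct.unpack_from("<H", data, pos + 6)[0] == SETABORTPROC:
                result["setabortproc"].append(pos)
        result["records"] += 1
        if func == META_EOF:
            saw_eof = True
            break
        pos += size_words * 2                      # record size is counted in 16-bit words
    result["truncated"] = not saw_eof              # no clean META_EOF reached
    return result


# Constructed samples (inert): header, optional escape record with empty data, EOF.
_HEADER = struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 5, 0)
_EOF = struct.pack("<IH", 3, META_EOF)
_ESCAPE = struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0)
CLEAN = _HEADER + _EOF
FLAGGED = _HEADER + _ESCAPE + _EOF
PLACEABLE_FLAGGED = struct.pack("<I", PLACEABLE_KEY) + bytes(18) + FLAGGED
NOT_WMF = b"\xff\xd8\xff\xe0" + bytes(32)          # JPEG-style leading bytes

if __name__ == "__main__":
    for name in ("CLEAN", "FLAGGED", "PLACEABLE_FLAGGED", "NOT_WMF"):
        print(name, inspect_wmf(globals()[name]))
```

Run it over file contents rather than file names, for example on mail attachments or download directories, and treat both a non-empty `setabortproc` list and `truncated` WMF files as worth a closer look.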

Re: Windows UNPATCHED vulnerability on the run

Thanks to everyone for sharing information.

Re: Windows UNPATCHED vulnerability on the run

Yup, metasploit is a very cool piece of software. Not installed framework 3, used it through Auditor. Only problem with it is at the moment new exploits are still written mainly in C or Perl. Someone has to rewrite them to work with metasploit. However, seen some exploits on packetstorm for metasploit as well.

Re: Windows UNPATCHED vulnerability on the run

MS is up with a patch finally. :)

http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx

Re: Windows UNPATCHED vulnerability on the run

Check the WMF exploit in action
http://www.milw0rm.com/video/watch.php?id=5

Re: Windows UNPATCHED vulnerability on the run

Worst bit of this exploit is every Windows machine since 3.1 was vulnerable. That's over 10 years if not 15 years or so that this could have been exploited. It was only found by accident, a black hat could have been using this for ages. The only drawback is you need a bit of social engineering to get the WMF picture onto the local machine like a trojan, but that's not too difficult, as shown.