Public Safety and Emergency Preparedness Canada - Sécurité publique et Protection civile Canada

Microsoft Windows WMF Handling (0-day) Vulnerability

Update to Advisory AV05-038
Date: 06 January 2006

Microsoft releases MS06-001 to address WMF related vulnerability

Microsoft originally planned to release the update on Tuesday, January 10, 2006 as part of its regular monthly release of security bulletins, once testing for quality and application compatibility was complete. However, testing has been completed earlier than anticipated and the update is ready for release.

Microsoft customers who are using Windows Server Update Services will receive the update automatically. In addition, the update is supported by Microsoft Baseline Security Analyzer 2.0, Systems Management Server, and Software Update Services. Enterprise customers can also manually download the update from the Download Center.

Microsoft Security Bulletin MS06-001: http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx


Update to Advisory AV05-038
Date: 29 December 2005

Microsoft has released a Security Advisory addressing the WMF vulnerability; it can be found at: http://www.microsoft.com/technet/security/advisory/912840.mspx

Workaround:

The vulnerability seems to be within SHIMGVW.DLL. Unregistering this DLL (type REGSVR32 /U SHIMGVW.DLL at the command prompt or in the "Start->Run" window, then reboot) will resolve most of the vulnerability, but will also break the Windows "Picture and Fax Viewer", as well as the ability of programs such as "Paint" and "Explorer" to display thumbnails of any picture and to display real (benign) WMF files. Please note that this only blocks some known attack vectors and is reported not to correct the underlying vulnerability.

The vulnerability can also be triggered from Explorer if the malicious file has been saved to a folder and renamed to another image file extension such as BMP, GIF, PNG, JPG, JPEG, JPE, JFIF, DIB, RLE, EMF, TIF, TIFF or ICO. System administrators are advised not to rely solely on perimeter filters that block files with the WMF extension from reaching the browser, as this may not be sufficient protection: Windows XP detects and processes a WMF file based on its content ("magic bytes") rather than its extension alone, so a renamed WMF file might get past perimeter defences. Additional sites that should be blocked:

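As an added example (not part of the PSEPC advisory or of any Microsoft tool), the following content check identifies WMF and EMF data by its leading bytes regardless of the file extension, which is what the HTTP and SMTP content checkers recommended below must do if renamed WMF files are not to slip past them. The sample headers are constructed for illustration and the function names are this example's own; the header layouts follow the documented WMF and EMF file formats.

```python
import struct
from typing import Optional, Tuple

# Aldus placeable metafile key (0x9AC6CDD7 little-endian) and the " EMF" signature
# that sits at offset 40 of an EMF file's EMR_HEADER record.
PLACEABLE_WMF_KEY = 0x9AC6CDD7
EMF_SIGNATURE = b" EMF"


def sniff_metafile(data: bytes) -> Optional[str]:
    """Classify data as 'wmf-placeable', 'wmf' or 'emf' from its leading bytes only."""
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == PLACEABLE_WMF_KEY:
        return "wmf-placeable"
    if len(data) >= 6:
        mt_type, header_size, version = struct.unpack("<HHH", data[:6])
        # Standard METAHEADER: Type 1 (memory) or 2 (disk), HeaderSize always 9 words,
        # Version 0x0100 or 0x0300.
        if mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300):
            return "wmf"
    if len(data) >= 44 and data[:4] == b"\x01\x00\x00\x00" and data[40:44] == EMF_SIGNATURE:
        return "emf"
    return None


def should_block(filename: str, data: bytes) -> Tuple[bool, str]:
    """Extension check first, then content check, so a renamed .wmf is still caught."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in ("wmf", "emf"):
        return True, "blocked by extension ." + ext
    kind = sniff_metafile(data)
    if kind is not None:
        return True, "blocked by content: %s data inside %r" % (kind, filename)
    return False, "allowed"


# Constructed sample headers (benign, no drawing records): a placeable WMF,
# a standard disk WMF renamed to .jpg, an EMF renamed to .gif, and a real PNG.
SAMPLES = {
    "scan.wmf": struct.pack("<IHhhhhHIH", PLACEABLE_WMF_KEY, 0, 0, 0, 100, 100, 96, 0, 0),
    "holiday.jpg": struct.pack("<HHHIHIH", 2, 9, 0x0300, 0, 0, 0, 0),
    "chart.gif": b"\x01\x00\x00\x00" + b"\x00" * 36 + EMF_SIGNATURE,
    "photo.png": b"\x89PNG\r\n\x1a\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, should_block(name, blob))
```

Only the first 44 bytes of each object are inspected, so the check is cheap enough to run inline on a mail gateway or proxy.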

Additional information:

http://www.microsoft.com/technet/security/advisory/912840.mspx
http://www.f-secure.com/weblog/#00000752
http://isc.sans.org/diary.php?storyid=975
http://www.ciac.org/ciac/bulletins/q-085.shtml

Number: AV05-038
Date: 28 December 2005

Microsoft Windows WMF Handling (0-day) Vulnerability

Purpose

The purpose of this advisory is to draw your attention to reports of a vulnerability in Microsoft Windows, which can be exploited to compromise a vulnerable system. Exploit code is publicly available. This is being exploited in the wild.

Assessment

This vulnerability is triggered by an error in the handling of corrupted Windows Metafile files (".wmf"). The default viewer for ".wmf" files in Windows XP is the Windows Picture and Fax Viewer, and the flaw can be exploited by a user opening a malicious ".wmf" file or by visiting a malicious web site using Microsoft Internet Explorer. Firefox users can get infected if they decide to run or download the image file.

Versions affected:
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 (Itanium)
Microsoft Windows Server 2003 SP1 (Itanium)
Microsoft Windows Server 2003 x64 Edition

Suggested action

At this time, PSEPC is unaware of the availability of a vendor patch which repairs this vulnerability.

PSEPC recommends the following:

  • block access to the unionseek[DOT]com domain
  • block WMF files in your HTTP and SMTP content checkers
  • ensure anti-virus software is fully updated

For additional information, please refer to the following web sites:

http://secunia.com/advisories/18255/
http://isc.sans.org/
http://www.securityfocus.com/bid/16074/info
http://vil.mcafeesecurity.com/vil/content/v_137760.htm

Note to Readers

Public Safety and Emergency Preparedness Canada (PSEPC) collects information related to cyber and physical threats to, and incidents involving, Canadian critical infrastructure. This allows us to monitor and analyze threats and to issue alerts, advisories and other information products. To report threats or incidents, please contact the Government Operations Centre (GOC) at (613) 991-7000 or goc-cog@psepc-sppcc.gc.ca by e-mail.

Unauthorized use of computer systems and mischief in relation to data are serious Criminal Code offences in Canada. Any suspected criminal activity should be reported to local law enforcement organizations. The Royal Canadian Mounted Police (RCMP) National Operations Centre (N.O.C.) provides a 24/7 service to receive such reports or to redirect callers to local law enforcement organizations. The N.O.C. can be reached at (613) 993-4460. National security concerns should be reported to the Canadian Security Intelligence Service (CSIS) at (613) 993-9620.

For urgent matters or to report any incidents, please contact the Government Operations Centre at:

Phone: (613) 991-7000
Fax: (613) 996-0995
Secure Fax: (613) 991-7094
Email: goc-cog@psepc-sppcc.gc.ca

For general information on critical infrastructure protection and emergency preparedness, please contact PSEPC's Public Affairs division at:

Telephone: (613) 944-4875 or 1-800-830-3118
Fax: (613) 998-9589
E-mail: communications@psepc-sppcc.gc.ca
Web: www.psepc.gc.ca

Last updated: 2006-01-16