Zero-Day Tracker
Common Name:
WMF Metafile
Date Disclosed:
12/27/2005
Date Patched:
1/5/2006
Vendor:
Microsoft
Application:
Windows 2000
Windows XP
Windows 2003
Description:
A vulnerability exists within the Windows Graphical Device Interface library (GDI32.dll) which may be exploited by attackers to execute arbitrary code on a remote system by means of a specially crafted WMF file. The most common attack vector for this vulnerability would be a malicious WMF file residing on a website, which, when visited by a victim, would exploit the victim's host.
Severity:
High
Code Execution:
Yes
Impact:
Arbitrary code execution in the context of the logged-in user
This is a file-format vulnerability. WMF files are auto-displayed by Internet Explorer, which allows a remote attacker to have widespread effect by placing a malicious WMF file on a website and persuading a remote victim to view the site. Also, because exploit code was developed and published for this vulnerability very rapidly, the attack proliferated quickly across the Internet before any effective signature-based protection was able to guard against the flaw.
Mitigation:
Since this vulnerability is patched, the primary mitigation is to apply MS06-001. Microsoft also suggested an additional mitigation that thwarts the main attack vector: unregistering shimgvw.dll, the Windows Picture and Fax Viewer (necessary for web-based attacks), as outlined in the referenced MS06-001 bulletin. eEye has verified that this mitigation did stop the main attack vector, although it did not repair the underlying vulnerability in GDI32.dll.
Protection:
- eEye's Blink® Personal Edition protects against this vulnerability.
- eEye's Blink® Professional Edition protects against this vulnerability.
- eEye's Retina® Network Security Scanner scans devices to detect this vulnerability.
Patch:
Microsoft Patch - MS06-001
Links:
CVE-2005-4560
First Public PoC Code Disclosure (Metasploit Plugin)
Status:
1/5/2006: Patched - MS06-001
