MS-ISAC ADVISORY NUMBER:
2005-022

DATE(S) ISSUED:
12/28/2005

SUBJECT:
Public Exploit for Newly Discovered WMF Vulnerability in Microsoft Windows

An exploit has been made public for a newly discovered vulnerability in Windows XP Service Pack 2 and Windows 2003 Web Server Edition Service Pack 1 that affects even fully patched systems. The vulnerability is in the portion of Windows that processes a specific type of image file called Windows Meta File (WMF). WMF images are commonly used for Microsoft Office clipart and other pictures. Once a system has been exploited, various malicious programs are downloaded and installed onto it. These malicious programs may include keystroke loggers and Trojans.

Currently a user must visit a specific malicious web site to be exploited; however, the potential exists for other malicious web sites or malicious emails to take advantage of the vulnerability. Because this vulnerability may be exploited via other sources such as emails, instant messaging file transfers, and other web sites, this risk is rated medium to high.

SYSTEMS AFFECTED:

  • Windows XP Service Pack 1 and 2
  • Windows 2003 Web Server Edition Service Pack 1

RISK:
Government:

  • Large and medium government entities: Medium
  • Small government entities: High

Businesses:

  • Large and medium business entities: Medium
  • Small business entities: High

Home users: High

DESCRIPTION:
A publicly available web page at unionseek.com contains a malicious Windows Meta File (WMF) image within an iframe. Upon navigating to this URL and opening this file, a vulnerable system will download and execute a Windows PE file. This PE file will execute with SYSTEM-level privileges, then download and install various malicious programs onto the infected system. These malicious programs may include keystroke loggers and IRC-based remote-administration tools.

The following information is provided by the Symantec DeepSight Threat Management System:

The existence of this vulnerability has not yet been corroborated by another party, or the affected vendor (Microsoft). However, the DeepSight Threat Analyst Team has verified that this exploit functions as designed on a fully patched Windows XP Service Pack 2 machine, as well as a Windows 2003 Web Server Edition Service Pack 1 machine.

Although the only known exploit at this time requires the user to visit the malicious web site above, other malicious sites may start employing this exploit. In addition, other potential attack vectors include sending a malicious WMF image in an email or embedding a WMF image in a Microsoft Office document.

RECOMMENDATIONS:
CSCIC recommends the following actions be taken:

  • Block access to the unionseek.com domain for the short term until this malicious site is removed.
  • Update your anti-virus software as soon as a signature for this specific exploit is released. Symantec, McAfee and F-Secure have all released new signatures within the last 12 hours to detect the Trojans installed by this exploit.
  • If possible, limit user access to trusted Web sites only.
  • Filter all incoming Windows Meta File (WMF) content at email gateways and proxy servers if possible until patches have been released and applied to all vulnerable systems. Note that WMF images are not typically used on web sites or to send images via email; therefore, blocking them should have little business impact.
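The gateway filtering recommended above is only effective if it keys on the file's content rather than its name or declared type. The following is an added example, not part of the MS-ISAC advisory, that identifies WMF data by its headers: the optional Aldus placeable header (key 0x9AC6CDD7 with its XOR checksum) followed by the standard META_HEADER. The sample files it scans are constructed inline and carry no records beyond an end-of-file marker.

```python
import struct

# Aldus placeable metafile key; stored little-endian, so it appears on disk as D7 CD C6 9A.
PLACEABLE_KEY = 0x9AC6CDD7


def is_wmf(data: bytes) -> bool:
    """Identify a WMF image by its headers rather than by file name or MIME type."""
    offset = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        # Placeable header: the trailing checksum is the XOR of the ten WORDs before it.
        checksum = 0
        for word in struct.unpack_from("<10H", data, 0):
            checksum ^= word
        if checksum != struct.unpack_from("<H", data, 20)[0]:
            return False
        offset = 22
    if len(data) < offset + 18:
        return False
    # Standard META_HEADER: Type (1 = memory, 2 = disk), HeaderSize (always 9 WORDs), Version.
    file_type, header_size, version = struct.unpack_from("<HHH", data, offset)
    return file_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def wmf_verdict(data: bytes) -> str:
    """Policy from the advisory: drop WMF content regardless of what the file is called."""
    return "block" if is_wmf(data) else "allow"


# Constructed sample files (not real exploit data): a bare WMF and a placeable WMF,
# each consisting of a header followed by a single META_EOF record.
_META_HEADER = struct.pack("<HHHHHHIH", 2, 9, 0x0300, 0, 0, 0, 3, 0)
_META_EOF = struct.pack("<IH", 3, 0)
SAMPLE_WMF = _META_HEADER + _META_EOF


def _placeable_header() -> bytes:
    head = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for word in struct.unpack("<10H", head):
        checksum ^= word
    return head + struct.pack("<H", checksum)


SAMPLE_PLACEABLE_WMF = _placeable_header() + SAMPLE_WMF
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32

if __name__ == "__main__":
    # A WMF renamed to .jpg is still blocked; a genuine PNG passes.
    for name, blob in [("clipart.wmf", SAMPLE_WMF), ("photo.jpg", SAMPLE_PLACEABLE_WMF), ("logo.png", SAMPLE_PNG)]:
        print(name, wmf_verdict(blob))
```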

REFERENCES:

SecurityFocus:
http://www.securityfocus.com/bid/16074

SANS:
http://isc.sans.org/diary.php?storyid=972

Secunia:
http://secunia.com/advisories/18255/

FrSIRT:
http://www.frsirt.com/english/advisories/2005/3086

F-Secure:
http://www.f-secure.com/weblog/

McAfee:
http://vil.mcafeesecurity.com/vil/content/v_137760.htm

Symantec:
http://www.symantec.com/avcenter/venc/data/bloodhound.exploit.56.html

This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.

January 6, 2006