Windows File Format in "extremely critical flaw"

December 30, 2005: The popular Windows Metafile format (WMF) is being cast as the demon as the spread of a new viral trojan is tracked across the internet.

Operating systems affected by the trojan include:

•Microsoft Windows Server 2003 Datacenter Edition
•Microsoft Windows Server 2003 Enterprise Edition
•Microsoft Windows Server 2003 Standard Edition
•Microsoft Windows Server 2003 Web Edition
•Microsoft Windows XP Home Edition
•Microsoft Windows XP Professional

As we go to press, there is no current patch available.

Microsoft's official explanation for the flaw reads: "Microsoft is aware of the public release of detailed exploit code that could allow an attacker to execute arbitrary code in the security context of the logged-on user, when such user is visiting a Web site that contains a specially crafted Windows Metafile (WMF) image. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site."

Security expert Secunia is a little more detailed in its description: "The vulnerability is caused due to an error in the handling of Windows Metafile files (".wmf") containing specially crafted SETABORTPROC "Escape" records. Such records allow arbitrary user-defined function to be executed when the rendering of a WMF file fails. This can be exploited to execute arbitrary code by tricking a user into opening a malicious ".wmf" file in "Windows Picture and Fax Viewer" or previewing a malicious ".wmf" file in explorer (i.e. opening a folder containing a malicious image file).

The vulnerability can also be exploited automatically when a user visits a malicious web site using Microsoft Internet Explorer."

Websense Security Labs lays down the hard word: "There is currently no patch available. Visiting an infected webpage with Internet Explorer on a fully-patched XP Service Pack 2 computer causes immediate infection. Earlier Firefox users are vulnerable but they are first prompted to display the WMF image. If a filesystem indexing service (such as Google Desktop) is installed, users of Firefox and even text-based browsers can become infected."
