Microsoft Windows Metafile Handling Buffer Overflow
Original release date: December 28, 2005
Last revised: December 31, 2005
Source: US-CERT
Systems Affected
- Systems running Microsoft Windows
Overview
Microsoft Windows is vulnerable to remote code execution via an
error in handling files using the Windows Metafile image
format. Exploit code has been publicly posted and used to successfully
attack fully-patched Windows XP SP2 systems. However, other versions
of the Windows operating system may be at risk as well.
I. Description
Microsoft Windows Metafiles are image files that can contain both vector and
bitmap-based picture information. Microsoft Windows contains routines
for displaying various Windows Metafile formats. However, a lack of
input validation in one of these routines may allow a buffer overflow
to occur, and in turn may allow remote arbitrary code execution.
This new vulnerability may be similar to one Microsoft released
patches for in Microsoft
Security Bulletin MS05-053. However, publicly available exploit
code is known to affect systems updated with the MS05-053 patches.
Not all anti-virus software products are currently able to detect all
known variants of exploits for this vulnerability. However, US-CERT
recommends updating anti-virus signatures as frequently as practical
to provide maximum protection as new variants appear.
US-CERT is tracking this issue as VU#181038. This reference
number corresponds to CVE
entry CVE-2005-4560.
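The following is an added example, not part of the US-CERT alert: one way a mail or web gateway could recognise Windows Metafile content by its header rather than by file name, so that metafiles can be held for review while anti-virus signatures catch up. The header constants come from the published WMF and EMF file formats, not from this alert; the function names and sample bytes are constructed for illustration.

```python
import struct
from typing import Iterable, List, Optional, Tuple

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the 22-byte placeable header
EMF_SIGNATURE = 0x464D4520   # " EMF", at offset 40 of the EMF header record

def _standard_header(buf: bytes) -> bool:
    # META_HEADER: Type (1 memory, 2 disk), HeaderSize = 9 words, Version
    if len(buf) < 18:
        return False
    mtype, hdr_words, version = struct.unpack_from("<HHH", buf, 0)
    return mtype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)

def classify_metafile(data: bytes) -> Optional[str]:
    """Return 'placeable-wmf', 'wmf', 'emf', or None, judged on content only."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return "placeable-wmf"
    if _standard_header(data):
        return "wmf"
    if len(data) >= 44:
        rec_type, = struct.unpack_from("<I", data, 0)
        signature, = struct.unpack_from("<I", data, 40)
        if rec_type == 1 and signature == EMF_SIGNATURE:
            return "emf"
    return None

def flag_attachments(items: Iterable[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """List (name, kind) for every item whose bytes are a metafile, whatever its name."""
    flagged = []
    for name, data in items:
        kind = classify_metafile(data)
        if kind:
            flagged.append((name, kind))
    return flagged

# Constructed sample inputs (headers only, no drawing records).
WMF_HDR = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9, 0, 0, 0)
PLACEABLE = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + WMF_HDR
EMF_HDR = struct.pack("<II", 1, 108) + bytes(32) + struct.pack("<I", EMF_SIGNATURE)
SAMPLES = [
    ("chart.wmf", PLACEABLE),
    ("holiday.jpg", WMF_HDR),            # metafile content under an image extension
    ("photo.jpg", b"\xff\xd8\xff\xe0" + bytes(60)),
    ("drawing.emf", EMF_HDR),
]

if __name__ == "__main__":
    for name, kind in flag_attachments(SAMPLES):
        print(f"{name}: {kind}")
```

The check identifies the file type only; it does not decide whether a given metafile is malicious.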
II. Impact
A remote, unauthenticated attacker may be able to execute arbitrary
code if the user is persuaded to view a specially crafted Windows
Metafile.
III. Solution
Since there is no known patch for this issue at this time, US-CERT
is recommending sites follow several potential workarounds.
Workarounds
Please refer to the Solution section of US-CERT Vulnerability Note VU#181038 for the latest workarounds we are aware of:
http://www.kb.cert.org/vuls/id/181038#solution
Microsoft has suggested a procedure for disabling SHIMGVW.DLL in the Suggested
Actions / Workarounds section of Microsoft Security Advisory
(912840):
http://www.microsoft.com/technet/security/advisory/912840.mspx
Feedback can be directed to US-CERT.
Produced 2005 by US-CERT, a government organization.
Revision History
December 28, 2005: Initial release
December 29, 2005: Modified workarounds and added link to Microsoft Security Advisory (912840)
December 31, 2005: Added direct link to Solution section of US-CERT Vulnerability Note VU#181038