A Windows 98 & ME forum. Win98banter


WMF Exploit



 
 
#1 January 3rd 06, 09:40 PM, posted to microsoft.public.windowsme.general

Hi all just read on my Microsoft Security Blog they will be releasing a
patch for it on Update Tuesday 10th.
Below is what was posted.
Joan

Hi folks- Kevin Kean here again. We here in the MSRC have been hard at
work on this WMF vulnerability and so I wanted to provide you all with an
update on the situation.



When the MSRC learned of the attacks on December 27, 2005, we mobilized
under what we call the Software Security Incident Response Process (SSIRP)
to analyze the attack, assess its scope and determine the appropriate
guidance for customers, as well as to engage with anti-virus partners and
law enforcement.



Based on that process, we have finished development of a security update
to fix the vulnerability and are testing it to ensure quality and
application compatibility. Our goal is to release the update on Tuesday,
January 10, 2006, as part of the regular, monthly security update release
cycle, although quality is the gating factor. Customers will be able to
get the update through all the usual deployment tools: Microsoft Update,
Windows Update, Automatic Update, the Download Center and Windows Server
Update Services.



As we've noted in previous posts, we have been carefully monitoring the
attempted exploitation of this vulnerability through our own investigative
process as well as partnering with the industry and law enforcement. Although
the issue is serious and malicious attacks are being attempted, we have
found that the scope of the attacks is not widespread. AV companies have
also indicated that attacks are being effectively mitigated through
up-to-date signatures.



To help protect against any attempted exploitation while the security
update is being developed we really want to continue to urge customers not
to visit unfamiliar or untrusted Web sites that could potentially host the
malicious code. More guidance for consumer customers can be found here
http://www.microsoft.com/athome/secu...ng_safety.mspx. We
also encourage enterprise customers to continue to review the information
in the security advisory as well:
http://www.microsoft.com/technet/sec...ry/912840.mspx.



Best,

Kevin



*This posting is provided "AS IS" with no warranties, and confers no
rights.*



#2 January 3rd 06, 10:38 PM, posted to microsoft.public.windowsme.general

Perhaps of some relevance to those running Win Me and other Win9x systems
is:

...in a practical sense, only Windows XP and Windows Server 2003 (in all
their service pack levels) are vulnerable to the WMF flaw.

...all versions of Windows back to 3.0 have the vulnerability in GDI32.
Except for Windows XP and Windows Server 2003, no Windows versions, in
their default configuration, have a default association for WMF files,
and none of their Paint programs or any other standard programs
installed with them can read WMF files...

However

On other platforms, unless you have installed your own vulnerable default
handler for WMF files, the likelihood of compromise even when a system is
bombarded with malicious WMFs is low

Those running XnView or IrfanView need to be especially careful even on
Win Me.


For more info see:
http://blog.ziffdavis.com/seltzer/ar.../03/39684.aspx

Remember though that Microsoft are far from infallible and may well be
wrong and Win 9x systems may well also be vulnerable. Time will tell.
--
Mike Maltby





#3 January 4th 06, 04:06 AM, posted to microsoft.public.windowsme.general

Hi, Mike,

Mike M wrote:
> Perhaps of some relevance to those running Win Me and other Win9x
> systems is:
>
> ...in a practical sense, only Windows XP and Windows Server 2003 (in all
> their service pack levels) are vulnerable to the WMF flaw.
>
> ...all versions of Windows back to 3.0 have the vulnerability in GDI32.
> Except for Windows XP and Windows Server 2003, no Windows versions, in
> their default configuration, have a default association for WMF files,
> and none of their Paint programs or any other standard programs
> installed with them can read WMF files...

This seems to be the current thinking on this vulnerability.  I've read
similar comments in some other postings.

> However
>
> On other platforms, unless you have installed your own vulnerable
> default handler for WMF files, the likelihood of compromise even when a
> system is bombarded with malicious WMFs is low
>
> Those running XnView or IrfanView need to be especially careful even on
> Win Me.

I checked the association for WMF files on my Windows ME machine, and
surprisingly (at least to me), the file extension was associated with
Microsoft's Picture It Express.  This application came as an OEM
installed application when I first got the computer over five years ago.
I have a few photo editing applications installed and didn't expect to
see Picture It Express as the default handler.  There may be
associations with the WMF files that some users may not even be aware of.

> For more info see:
> http://blog.ziffdavis.com/seltzer/ar.../03/39684.aspx
>
> Remember though that Microsoft are far from infallible and may well be
> wrong and Win 9x systems may well also be vulnerable.  Time will tell.

I absolutely agree, but I think there is a lot of potential upside for
this vulnerability on Win 9x systems.  I'd still feel better about it if
MS issued a patch for these OS's as well.

Cheers,
Tom
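
Added example, not part of the original thread: the check described in the post above (which program is registered as the handler for .wmf) run over a REGEDIT4 text export of HKEY_CLASSES_ROOT. The sample export, the ProgID ExampleViewer.Image and the viewer path are constructed placeholders; only default string values and the "open" verb are read.

```python
import re

# Constructed sample of a REGEDIT4 export of HKEY_CLASSES_ROOT. The ProgIDs
# and the viewer path are placeholders, not values from any real machine.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\.wmf]
@="ExampleViewer.Image"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\ExampleViewer.Image\shell\open\command]
@="\"C:\\PROGRA~1\\EXVIEW\\EXVIEW.EXE\" \"%1\""
'''

ROOT = "hkey_classes_root\\"

def parse_reg_defaults(text):
    """Map each key path (lower-cased) to its default (@) string value."""
    defaults, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and line.startswith('@="') and line.endswith('"'):
            # .reg files escape backslashes and double quotes with a backslash
            defaults[key] = re.sub(r'\\(["\\])', r"\1", line[3:-1])
    return defaults

def handler_for(defaults, ext):
    """Return (ProgID, open command) for an extension; None where unset."""
    prog_id = defaults.get(ROOT + ext.lower())
    if not prog_id:
        return None, None          # no default association at all
    command = defaults.get(ROOT + prog_id.lower() + "\\shell\\open\\command")
    return prog_id, command        # command is None if no open verb is exported

def audit(text, extensions=(".wmf",)):
    """Report the registered handler for each extension of interest."""
    defaults = parse_reg_defaults(text)
    return {ext: handler_for(defaults, ext) for ext in extensions}

if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT, (".wmf", ".txt", ".xyz"))
    for ext, (prog_id, command) in report.items():
        print(ext, "->", prog_id or "no association", "|", command or "no open command")
```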

#4 January 4th 06, 02:49 PM, posted to microsoft.public.windowsme.general

Thanks for the follow up Mike, just thought I would post the info here as
I know that quite a few in here run XP as well <g>
I'll carry on with my Safe Sex (oops I mean Hex)
Joan

Mike M wrote:
> Perhaps of some relevance to those running Win Me and other Win9x
> systems is:
>
> ...in a practical sense, only Windows XP and Windows Server 2003 (in
> all their service pack levels) are vulnerable to the WMF flaw.

<snip>



 




All times are GMT +1.