Microsoft Picture and Fax Viewer, SHIMGVW.DLL, contains a
security vulnerability in its handling of WMF files. When a
user browses a malformed WMF file with IE, SHIMGVW.DLL is
called automatically to parse the malicious WMF file, and due
to the unspecified code execution vulnerability within
SHIMGVW.DLL, a buffer overflow occurs, allowing an
attacker to gain the same privileges as the user.

Please be advised that this vulnerability was not known
until the first WMF 0-day exploit was publicly noted on
December 28, 2005, and that this issue is totally DIFFERENT from
that of MS05-053 (Vulnerabilities in Graphics Rendering Could
Allow Code Execution, 896424). Microsoft has been
investigating this vulnerability. As of December 30,
2005, countermeasure patches from Microsoft are still not
available.
When a user browses a malicious web site containing
malformed WMF files, the WMF file executes a Trojan
dropper on a fully patched Windows XP SP2 machine. The dropper
then installs a phony anti-virus program that starts to
scan for the Trojan on behalf of the user and tries to dupe them into buying
the full version of the anti-virus program in order to remove the
malicious program.
BSST (Broadweb Security Service Team) has released the
countermeasure signatures in signature pattern 3.31, which
includes:
# 1052254_WindowsXP malformed .wmf files-1
# 1052255_WindowsXP malformed .wmf files-2

Since patches from Microsoft are still not available,
Broadweb BSST strongly suggests that NetKeeper users upgrade
their signature patterns to version 3.31 or later immediately
in order to thwart the WMF 0-day exploit.
Broadweb Security Service Team (BSST) - Empower Your
Network Security

Broadweb NetKeeper Intruder Prevention System delivers
protection against intrusion, worms, DDoS, instant
messaging, P2P, Web-Mail, and Web Post.
Reference:
Microsoft Security Advisory (912840):
Vulnerability in Graphics Rendering Engine Could Allow
Remote Code Execution.