Windows Metafile Vulnerability Explained

 
The year 2006 has begun for Windows with a new, unpatched and unreported vulnerability surfacing in all releases starting from Windows 98 SE. It was on Tuesday, December 27, 2005 that Microsoft became aware of a previously unknown security vulnerability in the Windows Metafile (WMF) code area of the Windows platform. This vulnerability has also been reported in some releases of IrfanView, IBM Lotus Notes, Google Desktop, Mozilla and XnView. The gravity of the vulnerability has forced Microsoft to act out of turn [1].
 
Mode of Attack
The attacks are carried out through a vulnerability in the way Windows XP and Windows Server 2003 handle corrupted Windows Metafile (.WMF) graphic files. HappyNY.A uses an e-mail with the subject "Happy New Year" that carries a HappyNewYear.jpg file as an attachment. This attachment is actually a hostile file which, when clicked, leads the victim to a malicious web site and installs the Bifrose backdoor Trojan on the victim's system. An attacker could then remotely gain complete control over the compromised computer.
 
WMF exploitation has started to take off in the wild, and in the coming days and weeks dozens, if not hundreds, of WMF-exploiting sites are likely to be reported.
 

Not just WMF

Please note that Windows Metafile data may be saved with an extension other than WMF. A file with any extension that is associated with Windows Picture and Fax Viewer can be used to exploit this vulnerability. Moreover, a Windows Metafile can arrive with any of the following extensions over any protocol. In short, multiple entry points exist for this vulnerability. By default, Windows Picture and Fax Viewer is associated with the following file extensions:
  BMP, DIB, GIF, EMF, JFIF, JPE, JPEG, JPG, PNG, TIF, TIFF, WMF, ICO
 

Microsoft Patch Release

Microsoft [2] initially planned to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. However, taking customer exposure into account, it broke the monthly patch cycle and released the patch on Thursday, January 5, 2006. There have been no patch releases for Windows 98 and Windows ME, so users of these operating systems still have to rely on third-party security measures.
   

Cyberoam Protection

The Cyberoam Gateway Anti-virus module protects its users against the above vulnerability by blocking files which can use this exploit. These files are blocked based on exploit signatures, and the module works across file types, so the exploit is blocked even if it is carried in non-WMF files.
   
In addition, Cyberoam Gateway Anti-virus works over all mail protocols, i.e. SMTP, POP3 and IMAP, and over web protocols such as HTTP, thus monitoring and protecting all entry points. This means that users are protected whether the exploit tries to transmit itself over e-mail or over HTTP web sites.
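The "Not just WMF" extension list above and the "works across file types" protection described here make the same point: a metafile has to be recognised by its content, not by the name it arrives under. The following is an added example, not Cyberoam's code or anything from the original advisory. It is a Python content sniffer that identifies WMF and EMF data from their public header fields (the Aldus placeable key 0x9AC6CDD7, the META_HEADER type/size/version words, and the " EMF" signature at byte 40 of an EMF header) and decides to block on that basis. The sample files are constructed, header-only byte strings with zero-filled bodies; they contain no real image or exploit data, and the placeable-header checksum is neither computed nor verified.

```python
import struct

# --- Public WMF/EMF header constants (from the Windows Metafile format specifications) ---
PLACEABLE_WMF_KEY = 0x9AC6CDD7     # Aldus placeable header key; little-endian on disk: 9A C6 CD D7
PLACEABLE_HEADER_LEN = 22          # key(4) + handle(2) + bbox(8) + inch(2) + reserved(4) + checksum(2)
WMF_TYPES = {1, 2}                 # META_HEADER.Type: 1 = in memory, 2 = on disk
WMF_HEADER_SIZE = 9                # META_HEADER.HeaderSize is always 9 (16-bit words)
WMF_VERSIONS = {0x0100, 0x0300}    # META_HEADER.Version
EMR_HEADER_TYPE = 1                # first EMF record is EMR_HEADER
EMF_SIGNATURE_OFFSET = 40          # 0x464D4520 (" EMF") sits at byte 40 of the EMR_HEADER record
EMF_SIGNATURE = b" EMF"

# Other raster formats, so the sniffer can also say what a benign file really is.
OTHER_MAGICS = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"II*\x00": "tiff",
    b"MM\x00*": "tiff",
    b"BM": "bmp",
}
# Extensions from the viewer's default association list, normalised to the sniffer's names.
EXT_ALIASES = {"jpg": "jpeg", "jpe": "jpeg", "jfif": "jpeg", "tif": "tiff", "dib": "bmp"}
METAFILE_FORMATS = {"wmf", "emf"}


def _is_standard_wmf_header(data: bytes) -> bool:
    """True if `data` begins with a plausible META_HEADER."""
    if len(data) < 6:
        return False
    mtype, header_size, version = struct.unpack_from("<HHH", data, 0)
    return mtype in WMF_TYPES and header_size == WMF_HEADER_SIZE and version in WMF_VERSIONS


def sniff_image_type(data: bytes) -> str:
    """Identify the real format from header bytes alone; the filename plays no part."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_WMF_KEY:
        # Placeable WMF: the standard header follows the 22-byte placeable header.
        if _is_standard_wmf_header(data[PLACEABLE_HEADER_LEN:]):
            return "wmf"
    if _is_standard_wmf_header(data):
        return "wmf"
    if (len(data) >= EMF_SIGNATURE_OFFSET + 4
            and struct.unpack_from("<I", data, 0)[0] == EMR_HEADER_TYPE
            and data[EMF_SIGNATURE_OFFSET:EMF_SIGNATURE_OFFSET + 4] == EMF_SIGNATURE):
        return "emf"
    for magic, name in OTHER_MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"


def assess_file(filename: str, data: bytes) -> dict:
    """Gateway-style decision: block metafile content whatever the name claims it is."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_ALIASES.get(ext, ext)
    actual = sniff_image_type(data)
    return {
        "filename": filename,
        "claimed": claimed,
        "actual": actual,
        "mismatch": actual != "unknown" and claimed != actual,
        "block": actual in METAFILE_FORMATS,
    }


def triage(files: dict) -> list:
    """Assess every (filename -> bytes) pair; the same check serves mail attachments and HTTP bodies."""
    return [assess_file(name, data) for name, data in files.items()]


# --- Constructed samples: headers only, zero-filled bodies, no real image or exploit data ---
STANDARD_WMF_SAMPLE = struct.pack("<HHHHHHIH", 2, 9, 0x0300, 0, 0, 0, 0, 0) + b"\x00" * 16
PLACEABLE_WMF_SAMPLE = (struct.pack("<I", PLACEABLE_WMF_KEY) + b"\x00" * 18  # checksum left at 0 in the sample
                        + STANDARD_WMF_SAMPLE)
EMF_SAMPLE = struct.pack("<II", EMR_HEADER_TYPE, 108) + b"\x00" * 32 + EMF_SIGNATURE + b"\x00" * 64
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 16

SAMPLES = {
    "HappyNewYear.jpg": PLACEABLE_WMF_SAMPLE,  # metafile wearing a .jpg name, as in the advisory
    "diagram.emf": EMF_SAMPLE,
    "photo.jpeg": JPEG_SAMPLE,
    "logo.gif": STANDARD_WMF_SAMPLE,           # metafile wearing a .gif name
}

if __name__ == "__main__":
    for r in triage(SAMPLES):
        verdict = "BLOCK" if r["block"] else "allow"
        note = " (extension does not match content)" if r["mismatch"] else ""
        print(f"{r['filename']:18} claims {r['claimed']:5} is {r['actual']:7} -> {verdict}{note}")
```

Run against the constructed samples, the two renamed metafiles are blocked alongside the honestly named .emf, while the genuine JPEG passes. The same function can be applied to whatever object a gateway extracts, whether a MIME attachment from SMTP, POP3 or IMAP or an HTTP response body, which is why a content check covers the "multiple entry points" the advisory warns about, whereas a rule keyed on the .wmf extension alone cannot see a metafile that arrives as HappyNewYear.jpg.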
   

In case the Cyberoam Anti-virus module is not enabled, Cyberoam recommends blocking all WMF files over HTTP, using Cyberoam's WEBCAT module, until the Microsoft patch is installed.

Cyberoam advises administrators to caution users against visiting untrusted and unfamiliar sites. P2P file sharing sites and file transfer over IM must be blocked until the Microsoft-supplied patch is installed. Strict policies to enforce these measures must be set up irrespective of the usual hierarchy- and identity-based policies that Cyberoam enables.

   
References
1. http://news.com.com
2. http://www.microsoft.com
   
More information can be obtained from the links below:

http://www.securityfocus.com

http://www.cve.mitre.org

 
© Copyright 2008 Elitecore Technologies Limited. All Rights Reserved.