Bugtraq mailing list archives
Re: MS released a patch today - MS06-001
From: "Anthony R. Nemmer" <intertwingled () qwest net>
Date: Thu, 05 Jan 2006 19:33:41 -0700
Unfortunately, they didn't release a patch for 98, SE, or ME. :-(

Tony

Duran, Jason IT0 wrote:
Microsoft released a patch for the WMF vulnerability this afternoon. KB912919

http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx
http://www.microsoft.com/technet/security/bulletin/ms06-jan.mspx

Has anyone looked into this, tried it, or know what it modifies?

In the workarounds FAQ for the vulnerability, it mentions: (Therefore, I think this is pre-patch release info.

===========================================================================================================================

Workarounds for Graphics Rendering Engine Vulnerability - CVE-2005-4560:

Microsoft has tested the following workaround. While this workaround will not correct the underlying vulnerability, it will help block known attack vectors.

* Unregister the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1

Microsoft has tested the following workaround. While this workaround will not correct the underlying vulnerability, it helps block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Note This workaround is intended to help protect against Web based exploit vectors and is not effective against exploits that have Windows Metafile images embedded in Word documents and other similar attack vectors.

Note The following steps require Administrative privileges. We recommend that you restart the computer after you apply this workaround. Alternatively, you can log out and log back in after you apply the workaround. However, we do recommend that you restart the computer.

To un-register Shimgvw.dll, follow these steps:

1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
2. When a dialog box appears that confirms that the process has been successful, click OK.
Impact of Workaround: The Windows Picture and Fax Viewer will no longer start when users click a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this workaround after the security update has been deployed, reregister Shimgvw.dll. To do this, use this same procedure, but replace the text in step 1 with "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks).

-----Original Message-----
From: Dave Korn [mailto:davek_throwaway () hotmail com]
Sent: Tuesday, January 03, 2006 1:10 PM
To: bugtraq () securityfocus com
Subject: Re: WMF browser-ish exploit vectors

Evans, Arian wrote in news:8654C851B1DAFA4FA18A9F150145F92502C16D7A () fnex01 fishnetsecurity com

Here, let's make the rendering issue simple:

Due to IE being so content help-happy there are a myriad of IE-friend file types (e.g.-.jpg) that one can simply rename a metafile to for purpose of web exploitation, and IE will pull out the wonderful hey;you're-not-a-jpeg-you're-a-something-else-that-I-can-automatically-handle trick err /feature/ for you.

Yeh, that's a real dumbass design feature that one.

http://sharepoint2003/bizdir/your_custom_folder_icon.jpg
http://yourcorp_web_based_DMS/surprise_not_a.doc
etc.

Have you tried giving it a mpg/avi/wma/wmv extension and getting it to open in a (perhaps embedded) mediaplayer? That's liable to work as well; mediaplayer is also vulnerable to the choose-an-app-based-on-extension/app-loads-a-viewer-based-on-actual-content desynchronisation attack...

cheers,
DaveK
-- SKYKING, SKYKING, DO NOT ANSWER
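
Added example (not part of any message in this thread): the extension/content desynchronisation discussed in the quoted exchange can be checked for on the defender's side by comparing what a file name claims with what the leading bytes say. The sketch below flags metafile content stored under another extension; the file names and sample buffers are constructed for illustration, and the extension table is an assumption to be extended locally.

```python
import os
import struct

PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"  # placeable-WMF key 0x9AC6CDD7, little-endian
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 container (.doc)
# What each extension claims; anything not listed is treated as "other".
EXPECTED = {".jpg": "jpeg", ".jpeg": "jpeg", ".doc": "ole", ".wmf": "wmf", ".emf": "emf"}


def sniff(data: bytes) -> str:
    """Classify a buffer by its leading bytes only, ignoring the file name."""
    if data[:4] == PLACEABLE_KEY:
        return "wmf"
    if len(data) >= 6:
        ftype, header_words, version = struct.unpack_from("<HHH", data)
        # Standard WMF header: type 1 or 2, 9-word header, version 0x0100 or 0x0300.
        if ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300):
            return "wmf"
    if len(data) >= 44 and data[:4] == b"\x01\x00\x00\x00" and data[40:44] == b" EMF":
        return "emf"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:8] == OLE_MAGIC:
        return "ole"
    return "unknown"


def mismatches(files):
    """Return (name, claimed, actual) for metafile content under another extension."""
    hits = []
    for name, data in files:
        claimed = EXPECTED.get(os.path.splitext(name.lower())[1], "other")
        actual = sniff(data)
        if actual in ("wmf", "emf") and claimed != actual:
            hits.append((name, claimed, actual))
    return hits


# Constructed sample buffers (headers only, no drawing records).
_STD_WMF = struct.pack("<HHH", 1, 9, 0x0300) + b"\x00" * 12
SAMPLES = [
    ("folder_icon.jpg", PLACEABLE_KEY + b"\x00" * 18 + _STD_WMF),
    ("clip.mpg", _STD_WMF),
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("drawing.wmf", _STD_WMF),
]

if __name__ == "__main__":
    for hit in mismatches(SAMPLES):
        print("extension/content mismatch:", hit)
```

Because only the leading bytes are inspected, metafiles embedded inside Word documents are not seen by this check, the same gap the quoted workaround text notes for itself.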