             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                     Microsoft IE5 WMF Security Advisory
                    [Microsoft Security Advisory 913333]

February 8, 2006 18:00 GMT                                        Number Q-115
______________________________________________________________________________
PROBLEM:       Microsoft released a security advisory related to newly
               discovered vulnerabilities in WMF files.

               Note: This is not the same issue as the one addressed by
               Microsoft Security Bulletin MS06-001 (912919).

PLATFORM:      Internet Explorer 5.01 Service Pack 4 on Microsoft Windows
               2000 Service Pack 4
               Internet Explorer 5.5 Service Pack 2 on Microsoft Windows ME

DAMAGE:        May allow an attacker to execute arbitrary code on a user's
               system in the security context of the logged-on user. The
               attacker could do this by one or more of the following
               actions:
               - By hosting a specially crafted Windows Metafile (WMF)
                 image on a malicious Web site;
               - By convincing a user to open a specially crafted e-mail
                 attachment;
               - By convincing a user to click on a link in an e-mail
                 message that takes the user to a malicious Web site; or
               - By sending a specially crafted e-mail message to Outlook
                 Express users, which they view in the preview pane.

SOLUTION:      Apply the available security updates.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. An attacker may execute arbitrary code in
ASSESSMENT:    the context of the logged-in user. Vulnerabilities associated
               with WMF files have been widely publicized.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/q-115.shtml
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/security/advisory/913333.mspx
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CVE-2006-0020
______________________________________________________________________________

[***** Start Microsoft Security Advisory 913333 *****]

Microsoft Security Advisory (913333)
Vulnerability in Internet Explorer Could Allow Remote Code Execution

Published: February 7, 2006

Microsoft is investigating new public reports of a vulnerability in older
versions of Microsoft Internet Explorer. Based on our investigation, this
vulnerability could allow an attacker to execute arbitrary code on the user's
system in the security context of the logged-on user. The attacker could do
this by one or more of the following actions:

• By hosting a specially crafted Windows Metafile (WMF) image on a malicious
  Web site;
• By convincing a user to open a specially crafted e-mail attachment;
• By convincing a user to click on a link in an e-mail message that takes the
  user to a malicious Web site; or
• By sending a specially crafted e-mail message to Outlook Express users,
  which they view in the preview pane.

Note: This is not the same issue as the one addressed by Microsoft Security
Bulletin MS06-001 (912919).

The vulnerability exists in:

• Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service
  Pack 4
• Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium.
The vulnerability does not exist in:

• Internet Explorer for Microsoft Windows XP Service Pack 1 and Windows XP
  Service Pack 2
• Internet Explorer for Microsoft Windows XP Professional x64 Edition
• Internet Explorer for Microsoft Windows Server 2003 and Windows Server 2003
  Service Pack 1
• Internet Explorer for Windows Server 2003 for Itanium-based Systems
• Internet Explorer for Windows Server 2003 with Service Pack 1 for
  Itanium-based Systems
• Internet Explorer for Windows Server 2003 x64 Edition
• Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
• Internet Explorer 6 Service Pack 1 on Microsoft Windows 98
• Internet Explorer 6 Service Pack 1 on Microsoft Windows 98 Second Edition
• Internet Explorer 6 Service Pack 1 on Windows Millennium Edition

Microsoft has determined that an attacker who exploits this vulnerability
would have no way to force users to visit a malicious Web site. Instead, an
attacker would have to persuade them to visit the Web site, typically by
getting them to click a link that takes them to the attacker's Web site. It
could also be possible to display specially crafted Web content by using
banner advertisements or by using other methods to deliver Web content to
affected systems.

In an e-mail based attack, customers would have to click a link to the
malicious Web site, preview a malicious e-mail message, or open an attachment
that exploited the vulnerability. In both Web-based and e-mail based attacks,
the code would execute in the security context of the logged-on user. Users
whose accounts are configured to have fewer user rights on the system could
be less impacted than users who operate with administrative user rights.

Microsoft will continue to investigate these reports and provide additional
guidance depending on customer needs. Upon completion of this investigation,
Microsoft will take appropriate action to help protect our customers.
This may include providing a security update through our monthly release
process or providing an out-of-cycle security update, depending on customer
needs.

Microsoft encourages users to exercise caution when they open e-mail and
links in e-mail from untrusted sources. For more information about Safe
Browsing, visit the Trustworthy Computing Web site.

We continue to encourage customers to follow our Protect Your PC guidance of
enabling a firewall, applying software updates and installing antivirus
software. Customers can learn more about these steps at the Protect Your PC
Web site.

Mitigating Factors:

• In a Web-based attack scenario, an attacker would have to host a Web site
  that contains a Web page that is used to exploit this vulnerability. An
  attacker would have no way to force users to visit a malicious Web site.
  Instead, an attacker would have to persuade them to visit the Web site,
  typically by getting them to click a link that takes them to the attacker's
  Web site.
• In an e-mail based attack of this exploit, customers would have to open a
  malicious e-mail message, preview a malicious e-mail message in the Outlook
  Express preview pane, click on a link that would take them to a malicious
  Web site, or open an attachment that could exploit the vulnerability. Users
  can disable the preview pane in Outlook Express and delete the suspicious
  e-mail message without opening the e-mail message.
• In an e-mail based attack of this exploit, customers would have to open a
  malicious e-mail message, preview a malicious e-mail message in the Outlook
  preview pane, click on a link that would take them to a malicious Web site,
  or open an attachment that could exploit the vulnerability. Users can
  disable the preview pane in Outlook and delete the suspicious e-mail
  message without opening the e-mail message.
  Customers who read e-mail in plain text in Outlook would have to click on a
  link that would take them to a malicious Web site, or open an attachment to
  be at risk from this vulnerability.
• An attacker who successfully exploited this vulnerability could gain the
  same user rights as the local user. Users whose accounts are configured to
  have fewer user rights on the system could be less impacted than users who
  operate with administrative user rights.
• Customers who have installed Internet Explorer 6 Service Pack 1 are not
  affected by this vulnerability.
• Internet Explorer 6 Service Pack 1 is the only supported version for
  Windows 98 and Windows 98 Second Edition.
• This issue does not affect Windows XP Service Pack 1, Windows XP Service
  Pack 2, Windows XP Professional x64 Edition, Windows Server 2003, Windows
  Server 2003 Service Pack 1, Windows Server 2003 for Itanium-based Systems,
  Windows Server 2003 with Service Pack 1 for Itanium-based Systems, or
  Windows Server 2003 x64 Edition.

General Information

Overview

Purpose of Advisory: To provide customers with initial notification of the
publicly disclosed and exploited vulnerability. For more information see the
“Suggested Actions” section of this security advisory.

Advisory Status: Under investigation, vulnerability confirmed

Recommendation: Review the suggested actions and configure as appropriate.
Download and install Internet Explorer 6 Service Pack 1 if you are using
Windows 2000 Service Pack 4 or Windows Millennium Edition.

References                            Identification
CVE Reference                         CVE-2006-0020
Microsoft Knowledge Base Article      913333
Service Packs                         Internet Explorer 6 Service Pack 1

This advisory discusses the following software:

Related Software
Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4
Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium Edition

Frequently Asked Questions

What is the scope of the advisory?
Microsoft is aware of a new vulnerability report that affects Internet
Explorer, which is a component of Microsoft Windows. The vulnerability affects
the software that is listed in the “Overview” section.

Is this a security vulnerability that requires Microsoft to issue a security
update?
We are currently investigating the issue to determine the appropriate course
of action for customers. Upon completion of this investigation, Microsoft
will take appropriate action to help protect our customers. This may include
providing a security update through our monthly release process or providing
an out-of-cycle security update, depending on customer needs.

What causes this threat?
When Internet Explorer displays a Web page that contains a specially crafted
WMF image, system memory may be corrupted in such a way that an attacker
could execute arbitrary code.

What is the Windows Metafile (WMF) image format?
A Windows Metafile (WMF) image is a 16-bit metafile format that can contain
both vector information and bitmap information. It is optimized for the
Windows operating system. For more information about image types and formats,
see Microsoft Knowledge Base Article 320314 or visit the MSDN Library Web
site.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete
control of the affected system.

How could an attacker exploit the vulnerability by posting a specially
crafted WMF image on a Web site?
An attacker could host a malicious Web site that is designed to exploit this
vulnerability through Internet Explorer and then persuade a user to view the
Web site. This can also include Web sites that accept user-provided content
or advertisements, Web sites that host user-provided content or
advertisements, and compromised Web sites. These Web sites could contain
malicious Windows Metafile (WMF) images that could exploit this
vulnerability.
In all cases, however, an attacker would have no way to force users to visit
these Web sites. Instead, an attacker would have to persuade users to visit
the Web site, typically by getting them to click a link in an e-mail message
or in an Instant Messenger request that takes users to the attacker's Web
site. It could also be possible to display specially crafted Web content by
using banner advertisements or by using other methods to deliver Web content
to affected systems.

Could this vulnerability be exploited through other vectors?
Yes. An attacker could, for example, embed a specially crafted WMF image in
an e-mail message. Also, any application that handles a WMF image by default,
such as an image viewer, could be vulnerable as well. On Windows 2000, WMF
files are not associated with a specific application, so users will be
prompted to select an application prior to opening.

Does this vulnerability affect image formats other than Windows Metafile
(WMF)?
The only image format affected is the Windows Metafile (WMF) format. It is
possible, however, that an attacker could rename the file name extension of a
WMF file to that of a different image format. In this situation, Internet
Explorer could detect and render the file as a WMF image by using its MIME
type detection functionality, which could allow exploitation. Users can block
file types by extension to provide additional defense in depth safeguards.
However, it is important for content filtering to be performed on file
headers that are associated with content downloaded from the Internet or that
are received in e-mail messages.

If I block .wmf images by extension, can this protect me against attempts to
exploit this vulnerability?
No. Internet Explorer does not determine file types by the file name
extensions that they use. Therefore, if an attacker alters the file name
extension of a WMF image, Internet Explorer could still render the file in a
way that could exploit the vulnerability.
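The two answers above make one practical point for a mail or web gateway:
a filter keyed on the ".wmf" extension is defeated by renaming, so the filter
has to read the file header instead. The script below is an added example
for this bulletin, not code from CIAC or Microsoft. It recognises a WMF by its
documented header layout (the placeable key 0x9AC6CDD7 and the 18-byte
META_HEADER) and flags a file whose header says WMF while its name says
something else. The sample files, their names and their contents are
constructed inside the script for the demonstration.

```python
"""Header-based detection of Windows Metafile (WMF) content.

Added example for CIAC bulletin Q-115; not CIAC or Microsoft code. It applies
the advisory's recommendation that content filtering look at file headers
rather than file name extensions. The sample inputs below are constructed.
"""
import struct
from functools import reduce
from operator import xor

# Placeable (Aldus) header: Key(4) HWmf(2) BoundingBox(8) Inch(2) Reserved(4)
# Checksum(2) = 22 bytes. The Key is 0x9AC6CDD7 stored little-endian.
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"
PLACEABLE_LEN = 22
# META_HEADER: Type(2) HeaderSize(2) Version(2) Size(4) NumberOfObjects(2)
# MaxRecord(4) NumberOfMembers(2) = 18 bytes = 9 words.
META_HEADER_LEN = 18


def has_meta_header(data: bytes) -> bool:
    """True if `data` starts with a structurally valid META_HEADER."""
    if len(data) < META_HEADER_LEN:
        return False
    mt_type, header_size, version = struct.unpack_from("<HHH", data, 0)
    # Type is 1 (memory) or 2 (disk); HeaderSize is always 9 words;
    # Version is 0x0100 or 0x0300. Anything else is not a metafile header.
    return mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def is_wmf(data: bytes) -> bool:
    """True if `data` is a placeable or a plain WMF, judged by its header only.

    The placeable checksum is deliberately not verified: a renderer may still
    accept a file whose checksum is wrong, so a filter that insisted on a
    correct checksum would let such a file through.
    """
    if data.startswith(PLACEABLE_KEY):
        return has_meta_header(data[PLACEABLE_LEN:])
    return has_meta_header(data)


def classify(filename: str, data: bytes) -> str:
    """Compare what the file name claims with what the header says."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if is_wmf(data):
        return "wmf" if ext == "wmf" else "wmf-disguised"
    return "other"


# --- constructed sample inputs (not files from the advisory) --------------

def make_plain_wmf() -> bytes:
    """Minimal disk metafile: header only, Size = 9 words, no records."""
    return struct.pack("<HHHIHIH", 2, 9, 0x0300, 9, 0, 0, 0)


def make_placeable_wmf() -> bytes:
    """Placeable header with a correct checksum, followed by the plain header."""
    body = PLACEABLE_KEY + struct.pack("<HhhhhHI", 0, 0, 0, 100, 100, 96, 0)
    checksum = reduce(xor, struct.unpack("<10H", body))  # XOR of the first ten words
    return body + struct.pack("<H", checksum) + make_plain_wmf()


SAMPLES = {
    "chart.wmf": make_plain_wmf(),
    "holiday.gif": make_placeable_wmf(),      # a WMF renamed to pass as a GIF
    "photo.gif": b"GIF89a" + bytes(12),       # a real GIF signature, not a WMF
    "empty.bin": b"",
}


def scan(samples=SAMPLES) -> dict:
    """Classify every sample; a gateway filter would run this per file."""
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name:12s} {verdict}")
```

The "wmf-disguised" verdict is the case the advisory describes: the header
is what Internet Explorer's MIME-type detection will act on, so it is the
header, not the extension, that the filter has to trust.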
What versions of Internet Explorer are associated with this advisory?
The vulnerability exists in Internet Explorer 5.01 Service Pack 4 on Windows
2000 and in Internet Explorer 5.5 Service Pack 2 on Windows Millennium.

Is this issue related to Microsoft Security Bulletin MS05-053 -
Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution
(896424), which was released in November 2005?
No, these are different and separate issues.

Is this issue related to Microsoft Security Bulletin MS06-001 -
Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution
(912919), which was released in January 2006?
No, these are different and separate issues.

Is this issue related to a public posting discussing specially crafted WMF
images that could potentially cause the application using the Windows
Graphics Rendering Engine to crash?
No, these are different and separate issues. That posting has been discussed
in the Microsoft Security Response Center Blog.

Suggested Actions

• Download and install Internet Explorer 6 Service Pack 1 if you are using
  Windows 2000 Service Pack 4 or Windows Millennium Edition.
• Users can disable the preview pane in Outlook Express and Outlook and
  delete any suspicious e-mail messages they receive before opening or
  viewing them.
• Microsoft encourages users to exercise caution when they open e-mail
  messages and links in e-mail messages that come from untrusted sources.
  For more information about Safe Browsing, visit the Trustworthy Computing
  Web site.
• Customers in the U.S. and Canada who believe they may have been affected
  by this vulnerability can receive technical support from Microsoft Product
  Support Services at 1-866-PCSAFETY. There is no charge for support that is
  associated with security update issues or viruses. International customers
  can receive support by using any of the methods that are listed at the
  Security Help and Support for Home Users Web site.
• All customers should apply the most recent security updates released by
  Microsoft to help ensure that their systems are protected from attempted
  exploitation. Customers who have enabled Automatic Updates will
  automatically receive all Windows updates. For more information about
  security updates, visit the Microsoft Security Web site.
• Customers are encouraged to keep their antivirus software up to date. The
  Microsoft Windows AntiSpyware (Beta) can also help protect your system
  from spyware and other potentially unwanted software. Customers can also
  visit Windows Live Safety Center and are encouraged to use the Complete
  Scan option to check for and remove malicious software that might take
  advantage of this vulnerability.
• Protect Your PC
  We continue to encourage customers to follow our Protect Your PC guidance
  of enabling a firewall, getting software updates and installing anti-virus
  software. Customers can learn more about these steps by visiting the
  Protect Your PC Web site.
• For more information about staying safe on the Internet, customers can
  visit the Microsoft Security Home Page.
• Keep Windows Updated
  All Windows users should apply the latest Microsoft security updates to
  help make sure that their computers are as protected as possible. If you
  are not sure whether your software is up to date, visit the Microsoft
  Update Web site, scan your computer for available updates, and install any
  high-priority updates that are offered to you. If you have Automatic
  Updates enabled, the updates are delivered to you when they are released,
  but you have to make sure you install them.

Resources:

• You can provide feedback by completing the form by visiting the following
  Web site.
• Customers in the U.S. and Canada can receive technical support from
  Microsoft Product Support Services. For more information about available
  support options, see the Microsoft Help and Support Web site.
• International customers can receive support from their local Microsoft
  subsidiaries. For more information about how to contact Microsoft for
  international support issues, visit the International Support Web site.
• The Microsoft TechNet Security Web site provides additional information
  about security in Microsoft products.

Disclaimer:

The information provided in this advisory is provided "as is" without
warranty of any kind. Microsoft disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Microsoft Corporation or its suppliers
be liable for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if Microsoft
Corporation or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.

Revisions:

• February 7, 2006: Advisory published

[***** End Microsoft Security Advisory 913333 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.
CIAC can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

Q-105: Apple QuickTime Vulnerabilities
Q-106: kdelibs Buffer Overflow
Q-107: sudo Vulnerabilities
Q-108: Wine
Q-109: Security Vulnerabilities in Sun StorEdge Enterprise Backup Software
       (EBS)
Q-110: ImageMagick
Q-111: HP Tru64 UNIX Running DNS BIND
Q-112: Mozilla Security Update
Q-113: Firefox Security Update
Q-114: Security Vulnerability in Sun Java System Access Manager