[funsec] RE: WMF round-up, updates and de-mystification

Krpata, Tyler tkrpata at bjs.com
Tue Jan 3 16:36:17 CST 2006


It looks like MS has backed off on "viewing mail" as a possible attack
vector. As of today, the advisory
(http://www.microsoft.com/technet/security/advisory/912840.mspx) reads:

"In an E-mail based attack involving the current exploit, customers
would have to be persuaded to click on a link within a malicious e-mail
or open an attachment that exploited the vulnerability. At this point,
no attachment has been identified in which a user can be attacked simply
by reading mail."

However, the advisory now includes this (incorrect) piece of
information:

"Windows Metafile (WMF) images can be embedded in other files such as
Word documents. Am I vulnerable to an attack from this vector?"
"No. While we are investigating the public postings which seek to
utilize specially crafted WMF files through IE, we are looking
thoroughly at all instances of WMF handling as part of our
investigation. While we're not aware of any attempts to embed specially
crafted WMF files in, for example Microsoft Word documents, our advice
is to accept files only from trusted source would apply to any such
attempts."


-----Original Message-----
From: Gadi Evron [mailto:ge at linuxbox.org] 
Sent: Tuesday, January 03, 2006 3:29 AM
To: bugtraq at securityfocus.com
Cc: full-disclosure at lists.grok.org.uk; FunSec [List]
Subject: WMF round-up, updates and de-mystification

Quite a bit of confusing and a vast amount of information coming from 
all directions about the WMF 0day. Here are some URL's and generic facts

to set us straight.

The "patch" by Ilfak Guilfanov works, but by disabling a DLL in Windows.

So far no problems have been observed by anyone using this patch. You 
should naturally check it out for yourselves but I and many others 
recommend it until Microsoft bothers to show up with their own patch.

Ilfak is trusted and is in no way a Bad Guy.

You can find more information about it at his blog:
http://www.hexblog.com/2005/12/wmf_vuln.html

If you are still not sure about the patch by Ilfak, check out the 
discussion of it going on in the funsec list about the patch, with Ilfak

participating:
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Occasional information of new WMF problems keep coming in over there.

In this URL you can find the best summary I have seen of the WMF issue:
http://isc.sans.org/diary.php?storyid=994
by the "SANS ISC diary" team.

In this URL you can find the best write-up I have seen on the WMF issue:
http://blogs.securiteam.com/index.php/archives/167
By Matthew Murphy at the "Securiteam Blogs".

Also, it should be noted at this time that since the first public 
discovery of this "problem", a new one has been coming in - every day. 
All the ones seen so far are variants of the original and in all ways 
the SAME problem. So, it would be best to acknowledge them as the 
same... or we will keep having a NEW 0day which really isn't for about 2

months when all these few dozen variations are exhausted.

A small BUT IMPORTANT correction for future generations:
The 0day was originally found and reported by Hubbard Dan from Websense 
on a closed vetted security mailing list, and later on at the Websense 
public page. All those who took credit for it took it wrongly.

Thanks, and a better new year to us all,

	Gadi.




More information about the funsec mailing list