|
Microsoft Security Bulletin Advance Notification
Microsoft announced that it would release a security update to help protect customers from exploitations of a vulnerability in the Windows Meta File (WMF) area of code in the Windows operating system on Tuesday, January 2, 2006, in response to malicious and criminal attacks on computer users that were discovered last week.
Microsoft will release the update today on Thursday, January 5, 2006, earlier than planned.
Microsoft originally planned to release the update on Tuesday, January 10, 2006 as part of its regular monthly release of security bulletins, once testing for quality and application compatibility was complete. However, testing has been completed earlier than anticipated and the update is ready for release.
In addition, Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible.
Microsoft’s monitoring of attack data continues to indicate that the attacks are limited and are being mitigated both by Microsoft’s efforts to shut down malicious Web sites and with up-to-date signatures form anti-virus companies.
The security update will be available at 2:00 pm PT as MS06-001.
Enterprise customers who are using Windows Server Update Services will receive the update automatically. In additional the update is supported Microsoft Baseline Security Analyzer 2.0, Systems Management Server, and Software Update Services. Enterprise customers can also manually download the update from the Download Center.
Microsoft will hold a special Web cast on Friday, January 6, 2006, to provide technical details on the MS06-001 and to answer questions. Registration details will be available at http://www.microsoft.com/technet/security/default.mspx.
Microsoft will also be releasing additional security updates on Tuesday, January 10, 2006 as part of its regularly scheduled release of security updates.
What is this alert?
As part of the monthly security bulletin release cycle, Microsoft provides advance notification to our customers on the number of new security updates being released, the products affected, the aggregate maximum severity and information about detection tools relevant to the update. This is intended to help our customers plan for the deployment of these security updates more effectively.
In addition, to help customers prioritize monthly security updates with any non-security updates released on Microsoft Update, Windows Update, Windows Server Update Services and Software Update Services on the same day as the monthly security bulletins, we also provide:
• Information about the release of updated versions of the Microsoft Windows Malicious Software Removal Tool.
• Information about the release of NON-SECURITY, High Priority updates on Microsoft Update (MU), Windows Update (WU), Windows Server Update Services (WSUS) and Software Update Services (SUS). Note that this information will pertain ONLY to updates on Windows Update and only about High Priority, non-security updates being released on the same day as security updates. Information will NOT be provided about Non-security updates released on other days.
On 10 January 2006 Microsoft is planning to release:
Security Updates
• 1 Microsoft Security Bulletin affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates may require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer (MBSA).
• 1 Microsoft Security Bulletin affecting Microsoft Exchange and Microsoft Office. The highest Maximum Severity rating for these is Critical. These updates may require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer (MBSA).
Microsoft Windows Malicious Software Removal Tool
• Microsoft is planning to release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center.
Note that this tool will NOT be distributed using Software Update Services (SUS).
Non-security High Priority updates on MU, WU, WSUS and SUS
• Microsoft is planning to release 1 NON-SECURITY High-Priority Update on Windows Update (WU) and Software Update Services (SUS).
• Microsoft is planning release 3 NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).
Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released.
Microsoft will host a webcast next week to address customer questions on these bulletins. For more information on this webcast please see below:
• TechNet Webcast: Information About Microsoft January Security Bulletins (Level 200)
• Wednesday, January 11, 2006 11:00 AM (GMT-08:00) Pacific Time (US & Canada)
• http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032287360&EventCategory=4&culture=en-US&CountryCode=US
At this time no additional information on these bulletins such as details regarding severity or details regarding the vulnerability will be made available until 10 Janurary 2006.
Microsoft Windows Metafile Handling Buffer Overflow
Original release date: December 28, 2005
Last revised: --
Source: US-CERT
Systems Affected
* Systems running Microsoft Windows
Overview
Microsoft Windows is vulnerable to remote code execution via an error
in handling files using the Windows Met
afile image format. Exploit
code has been publicly posted and used to successfully attack
fully-patched Windows XP SP2 systems. However, other versions of the
the Windows operating system may be at risk as well.
I. Description
Microsoft Windows Metafiles are image files that can contain both
vector and bitmap-based picture information. Microsoft Windows
contains routines for displaying various Windows Metafile formats.
However, a lack of input validation in one of these routines may allow
a buffer overflow to occur, and in turn may allow remote arbitrary
code execution.
This new vulnerability may be similar to one Microsoft released
patches for in Microsoft Security Bulletin MS05-053. However, publicly
available exploit code is known to affect systems updated with the
MS05-053 patches.
Not all anti-virus software products are currently able to detect all
known variants of exploits for this vulnerability. However, US-CERT
recommends updating anti-virus signature
s as frequently as practical
to provide maximum protection as new variants appear.
US-CERT is tracking this issue as VU#181038. This reference number
corresponds to CVE entry CVE-2005-4560.
II. Impact
A remote, unauthenticated attacker may be able to execute arbitrary
code if the user is persuaded to view a specially crafted Windows
Metafile.
III. Solution
Since there is no known patch for this issue at this time, US-CERT is
recommending sites follow several potential workarounds.
Workarounds
Please be aware US-CERT has confirmed that filtering based just on the
WMF file extension or MIME type "application/x-msmetafile" will not
block all known attack vectors for this vulnerability. Filter
mechanisms should be looking for any file that Microsoft Windows
recognizes as a Windows Metafile by virtue of its file header.
Do not access Windows Metafiles from untrusted sources
Exploitation occurs by access
ing a specially crafted Windows Metafile.
By only accessing Windows Metafiles from trusted or known sources, the
chances of exploitation are reduced.
Attackers may host malicious Windows Metafiles on a web site. In order
to convince users to visit their sites, those attackers often use URL
encoding, IP address variations, long URLs, intentional misspellings,
and other techniques to create misleading links. Do not click on
unsolicited links received in email, instant messages, web forums, or
internet relay chat (IRC) channels. Type URLs directly into the
browser to avoid these misleading links. While these are generally
good security practices, following these behaviors will not prevent
exploitation of this vulnerability in all cas
es, particularly if a
trusted site has been compromised or allows cross-site scripting.
Block access to Windows Metafiles
at network perimeters
By blocking access to Windows Metafiles using HTTP proxies, mail
gateways, and other network filter technologies, system administrators
may also limit other potential attack vectors.
Reset the program association for Windows Metafiles
Remapping handling of Windows Metafiles to open a program other than
the default Windows Picture and Fax Viewer (SHIMGVW.DLL) may prevent
exploitation via some current attack vectors. However, this may still
allow the underlying vulnerability to be exploited via other known
attack vectors.
Microsoft Windows Image Processing Vulnerabilities
Original release date: November 08, 2005
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows 2000
* Microsoft Windows XP
* Microsoft Windows Server 2003
For more complete information, refer to Microsoft Security Bulletin
MS05-053.
Overview
Microsoft has released updates that address critical vulnerabilities
in Windows graphics rendering services. A remote, unauthenticated
attacker exploiting these vulnerabilities could execute arbitrary code
or cause a denial of service on an affecte
d system.
I. Description
The Microsoft Security Bulletin for November 2005 addresses multiple
buffer overflows in Windows image processing routines. Viewing a
specially crafted image from an application that uses a vulnerable
routine may trigger these vulnerabilities. If this application can
access images from remote sources, such as web sites or email, then
remote exploitation is possible.
Further information is available in the following US-CERT
Vulnerability Notes:
VU#300549 - Microsoft Windows Graphics Rendering Engine buffer
overflow vulnerability
Microsoft Windows Graphics Rendering Engine contains a buffer overflow
that may allow a remote attacker to execute arbitrary code on a
vulnerable system.
(CVE-2005-2123)
VU#433341 - Microsoft Windows vulnerable to buffer overflow via
specially crafted "WMF" file
Microsoft Windows may be vulnerable to remote code execution via a
buffer overflow in the Windows Metafile image format handling.
(CVE-2005-2124)
VU#134756 - Microsoft Windows buffer overflow in Enhanced Metafile
rendering API
Microsoft Windows Enhanced Metafile Format image rendering routines
contain a buffer overflow flaw that may allow an attacker to cause a
denial-of-service condition.
(CVE-2005-0803)
III. Solution
Apply Updates
Microsoft has provided the updates to correct these vulnerabilities in
Microsoft Security Bulletin MS05-053. These updates are also available
on the Microsoft Update site.
II. Impact
A remote, unauthenticated attacker exploiting these vulnerabilities
could execute arbitrary code with the privileges of the user. If the
user is logged on with administrative privileges, the attacker could
take control of an affected system. An attacker may also be able to
cause a denial of service.
Appendix A. References
* Microsoft Security Bulletin MS05-053 -
<http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx>
* Microsoft Security Bulletin Summary for November 2005 -
<http://www.microsoft.com/technet/security/bulletin/ms05-nov.mspx>
* US-CERT Vulnerability Note VU#300549 -
<http://www.kb.cert.org/vuls/id/300549>
* US-CERT Vulnerability Note VU#433341 -
<http://www.kb.cert.org/vuls/id/433341>
* US-CERT Vulnerability Note VU#134756 -
<http://www.kb.cert.org/vuls/id/134756>
* Microsoft Update - <https://update.microsoft.com/microsoftupdate>
|
