|The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.|
Windows: code execution with a WMF file
Synthesis of the vulnerability
Displaying a malicious WMF file leads to code execution.
Impacted systems: Windows 2000, Windows 2003, Windows 95, Windows 98, Windows ME, Windows NT, Windows XP.
Severity of this alert: 3/4.
Consequences of an intrusion: user access/rights.
Pirate's origin: internet client.
Creation date: 28/12/2005.
Revisions dates: 29/12/2005, 02/01/2006, 04/01/2006, 06/01/2006.
Références of this alert: 912840, BID-16074, CERTA-2006-AVI-011, CVE-2005-4560, MS06-001, VIGILANCE-VUL-5459, VU#181038.
Description of the vulnerability
Images in WMF (Windows Metafile) format are supported by the Graphics Rendering Engine. It is used in the Windows Picture and Fax Viewer (shimgvw.dll), which is used to pre-visualize images in explorer (Windows XP and 2003)
A WMF image can contain a META_ESCAPE record of SETABORTPROC type indicating code to run when an error occurs. Thus, when an invalid WMF image containing this function type is displayed, code is run.
An attacker can therefore send a malicious image to user, or invite him to surf on a web site, in order to run code on his computer.
Full Vigil@nce bulletin... (Free trial)
Computer vulnerabilities tracking service
Vigil@nce provides a computer vulnerability watch. Each administrator can customize the list of products for which he wants to receive vulnerability alerts. The technology watch team tracks security threats targeting the computer system. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system.