Microsoft WMF Vulnerability: Security Bulletin

January 5, 2006 – Qualys^® Vulnerability R&D Lab has released a new vulnerability check in QualysGuard^® to protect organizations against the new vulnerability present in Microsoft Windows. The Vulnerability that was announced today in the Graphics Rendering Engine could allow remote code execution. Customers can immediately audit their networks for this critical vulnerability by accessing their QualysGuard subscription.

Due to the criticality of the vulnerability, Microsoft recently released a patch outside the monthly cycle. An unofficial patch was also provided by a third party. QualysGuard has new vulnerability checks to test for the vulnerability and the unofficial patch.

Microsoft has released an official security patch to fix the newly discovered flaw in Microsoft Windows. Please refer to the advisory MS06-001 for more details.

Qualys has released the following check for this vulnerability along with a check to detect the existence of the unofficial patch.

Microsoft Windows Graphics Rendering Engine WMF Format Code Execution (MS06-001)
SEVERITY: Urgent  5
QUALYS ID: 90289
VENDOR REFERENCE: MS06-001
CVE REFERENCE: CVE-2005-4560
CVSS SCORES: Base: 5.6 / Temporal: 5
THREAT: Microsoft Windows supports the Windows Metafile (WMF) image format. WMF is a 16-bit image format that contains vector and bitmap information. Microsoft Windows WMF graphics rendering engine is affected by a remote code execution vulnerability. The cause of this issue is currently unknown. The problem presents itself when a user views a malicious WMF formatted file, triggering the vulnerability when the engine attempts to parse the file. Any code execution that occurs will be with SYSTEM privileges due to the nature of the affected engine. It should be noted that viewing a malicious file in Windows Explorer may automatically trigger this issue. Microsoft Windows XP is considered to be vulnerable at the moment. It is likely that other Windows operating systems are affected as well. The graphic rendering engine in Microsoft Windows contains several issues described in advisory MS06-001 which could be exploited by an attacker to execute arbitrary code on a vulnerable system.
IMPACT: This issue could be exploited remotely through any means that would allow an attacker to transmit the malicious image to a user, including through a malicious Web site and HTML email or embedding it in an Office document. Attacks could also occur by enticing an unsuspecting user to visit a remote file share hosting the file. User interaction is required in remote attack scenarios. A local attacker could also exploit this issue to gain elevated privileges without any user interaction. It is noted that any application that is used to view the affected image type may present an attack vector. This client side vulnerability has the potential to cause a significant worm outbreak.
SOLUTION: Please refer the Microsoft Advisory MS06-001 for more details and instructions for installing the patch. Microsoft has categorized this update as Critical.

Patch to Microsoft Windows WMF Flaw (912840) Installed
SEVERITY: Medium  2
QUALYS ID: 90290
VENDOR REFERENCE: Microsoft Security Advisory (912840)
CVE REFERENCE: N/A
THREAT: Unofficial patch for the Microsoft Windows vulnerability in Graphics Rendering Engine (Advisory 912840) provided by Ilfak Guilfanov is installed on the target system.
IMPACT: N/A
SOLUTION: Remove the unofficial patch and install the official patch from Microsoft. Please refer Microsoft Security Bulletin MS06-001 for more information.

This new vulnerability check is included in Qualys vulnerability signatures v1.13.33-3. Each QualysGuard account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the QualysGuard HOME menu, select the Account Info tab.

SELECTIVE SCAN INSTRUCTIONS USING QUALYSGUARD:

To perform a selective vulnerability scan, configure a scan profile to use the following options:

1. Ensure access to TCP ports 135 and 139 are available.
2. Enable Windows Authentication (specify Authentication Records).
3. Enable the following Qualys IDs:
   • 90289
   • Or 90290 if scanning for the presence of the unofficial patch
4. If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
5. If you would like to be notified if QualysGuard is unable to logon to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Matrix Report, available from the QualysGuard HOME page.

Users are reminded that browsing a malicious website, or opening a malicious email or attachment may result in infection.

For more information, customers may contact Qualys Technical Support directly at support@qualys.com or by telephone toll free at:
US: 1 866.801.6161 | EMEA: 33 1 44.17.00.41 | UK: +44 1753 872102

QualysGuard is an on-demand security audit service delivered over the web that enables organizations to effectively manage their vulnerabilities and maintain control over their network security with centralized reports, verified remedies, and full remediation workflow capabilities with trouble tickets. QualysGuard provides comprehensive reports on vulnerabilities including severity levels, time to fix estimates and impact on business, plus trend analysis on security issues. By continuously and proactively monitoring all network access points, QualysGuard dramatically reduces security managers' time researching, scanning and fixing network exposures and enables companies to eliminate network vulnerabilities before they can be exploited.

Access for QualysGuard customers: https://qualysguard.qualys.com

Free trial of QualysGuard service: http://www.qualys.com/forms/trials/qualysguard_trial/