TITLE:
Microsoft Windows WMF/EMF File Rendering Arbitrary Code Execution

SECUNIA ADVISORY ID:
SA17498

VERIFY ADVISORY:
http://secunia.com/advisories/17498/

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
From remote

OPERATING SYSTEM:
Microsoft Windows 2000 Advanced Server
http://secunia.com/product/21/
Microsoft Windows 2000 Datacenter Server
http://secunia.com/product/1177/
Microsoft Windows 2000 Professional
http://secunia.com/product/1/
Microsoft Windows 2000 Server
http://secunia.com/product/20/
Microsoft Windows Server 2003 Datacenter Edition
http://secunia.com/product/1175/
Microsoft Windows Server 2003 Enterprise Edition
http://secunia.com/product/1174/
Microsoft Windows Server 2003 Standard Edition
http://secunia.com/product/1173/
Microsoft Windows Server 2003 Web Edition
http://secunia.com/product/1176/
Microsoft Windows XP Home Edition
http://secunia.com/product/16/
Microsoft Windows XP Professional
http://secunia.com/product/22/

DESCRIPTION:
Two vulnerabilities have been reported in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

1) A boundary error exists in the Graphics Rendering Engine when rendering certain malformed Windows Metafile (WMF) and Enhanced Metafile (EMF) image files. This can be exploited to execute arbitrary code on a user's system via a specially crafted WMF/EMF file.

2) A boundary error exists in the rendering of certain malformed Windows Metafile (WMF) image files. This can be exploited to execute arbitrary code on a user's system via a specially crafted WMF file.

Vulnerabilities #1 and #2 reportedly affect any program that renders the affected image types and can be exploited by, e.g., tricking the user into opening a malicious WMF/EMF file or viewing a folder that contains the image.
The vulnerabilities are also reportedly exploitable by embedding the image in an Office document, or by convincing the user to view an HTML email in Outlook containing an image attachment, or via a malicious web site.

SOLUTION:
Apply patches.

Microsoft Windows 2000 (requires SP 4):
http://www.microsoft.com/downloads/details.aspx?FamilyId=F361FCCB-B273-47E7-BB15-BC9C27073446

Microsoft Windows XP (requires SP 1 or SP 2):
http://www.microsoft.com/downloads/details.aspx?FamilyId=E38372B2-3BF6-4393-B9A4-F34248C8073E

Microsoft Windows XP Professional x64 Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=086C6878-916C-4A4F-8CA8-A4C0E304FDA4

Microsoft Windows Server 2003 (with or without SP 1):
http://www.microsoft.com/downloads/details.aspx?FamilyId=CEE3DD3B-3C20-47A9-8BBD-1EA2FBB4AF96

Microsoft Windows Server 2003 (Itanium) (with or without SP 1):
http://www.microsoft.com/downloads/details.aspx?FamilyId=CCFF22BB-ADC4-4974-813C-7721BDB842C0

Microsoft Windows Server 2003 x64 Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=F1ADB6E4-0A08-496C-B94C-A1B37178914A

PROVIDED AND/OR DISCOVERED BY:
1) eEye Digital Security.
2) Venustech AdDLab, eEye Digital Security, and Peter Ferrie of Symantec Security Response.

ORIGINAL ADVISORY:
MS05-053 (KB896424):
http://www.microsoft.com/technet/security/Bulletin/MS05-053.mspx

OTHER REFERENCES:
SA14631:
http://secunia.com/advisories/14631/
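
ADDED EXAMPLE (not part of the Secunia advisory):
Because the advisory lists delivery through Office documents, HTML email attachments and web sites, a mail or web gateway cannot rely on the .wmf/.emf extension to find these files. The sketch below identifies WMF and EMF content from the leading header bytes instead. The function names, file names and sample buffers are constructed for illustration, and the header layout used is that of the published WMF/EMF formats (placeable key, 9-word header, " EMF" signature at offset 40).

```python
import struct
from typing import Optional

PLACEABLE_KEY = 0x9AC6CDD7  # magic of the 22-byte "placeable" WMF pre-header
EMF_SIGNATURE = b" EMF"     # signature field at offset 40 of the EMF header record


def classify_metafile(buf: bytes) -> Optional[str]:
    """Identify a metafile from its leading bytes, ignoring the file name."""
    # EMF: first record has type 1 and carries the signature at offset 40.
    if (len(buf) >= 44 and struct.unpack_from("<I", buf)[0] == 1
            and buf[40:44] == EMF_SIGNATURE):
        return "emf"
    if len(buf) >= 22 and struct.unpack_from("<I", buf)[0] == PLACEABLE_KEY:
        return "wmf-placeable"
    if len(buf) >= 18:
        # Standard header: type (1 memory, 2 disk), header size in 16-bit
        # words (always 9), version (0x0100 or 0x0300).
        mtype, hdr_words, version = struct.unpack_from("<HHH", buf)
        if mtype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return None


def triage(name: str, buf: bytes) -> dict:
    """Report metafile content and whether the extension hides it."""
    kind = classify_metafile(buf)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return {"name": name, "kind": kind,
            "disguised": kind is not None and ext not in ("wmf", "emf")}


# Constructed sample inputs: headers only, no drawing records.
_WMF_HDR = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9, 0, 0, 0)
SAMPLES = {
    "chart.wmf": _WMF_HDR,
    "logo.gif": struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100,
                            1440, 0, 0) + _WMF_HDR,
    "photo.jpg": struct.pack("<II", 1, 88) + bytes(32) + EMF_SIGNATURE + bytes(44),
    "notes.txt": b"plain text attachment, not an image\n",
}

if __name__ == "__main__":
    for sample_name, data in SAMPLES.items():
        print(triage(sample_name, data))
```

A "disguised" result marks metafile content under another extension, which is worth quarantining on hosts where the MS05-053 patches are not yet applied.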