MS05-053 - WMF/EMF Rendering Vulnerability
Results 1 to 4 of 4

Thread: MS05-053 - WMF/EMF Rendering Vulnerability

  1. #1

    MS05-053 - WMF/EMF Rendering Vulnerability

    Just one thing in the Patch Tuesday Bulletin:

    Microsoft Security Bulletin MS05-053
    Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424)
    http://www.microsoft.com/technet/sec.../MS05-053.mspx

    My analysis:

    Essentially, a flaw in the rendering of WMF and EMF graphics files could lead to remote code execution. Typically, the files would have to be delivered through a web page, email message or be embedded in a document. If embedded in a document or web page it will require some user intervention to spread.

    However, it is possible to embed a WMF file directly into an email message and have it display automatically (possibly through an autopreview pane). A virus using this attack mechanism could spread very quickly because little user intervention is required. It would be possible to create an effective and very fast spreading mass mailing virus using this flaw.

    This is not an attack vector that could be exploited by a Sasser/Blaster/Zotob style worm. It is also extremely unlikely that you would view a WMF or EMF file on a server for any reason. Therefore, I do not feel that the majority servers are at risk from this flaw unless they display or process email in some way.

    The patch for this ONLY appears to be for the EMF and WMF rendering subsystem, so in my view the patch itself carries a very low risk.

    Summary: patch anything that access email or the the internet as soon as you can, but it's probably not necessary to schedule any server downtime for this patch as the vast majority of them would never carry out a task that would render this kind of graphics file.

  2. #2
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191
    Hmmmm,

    I can see your point, but wouldn't it depend on what the payload was, and how well protected your servers are from internal attack?

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  3. #3
    Well, of course the payload can be anything you like - you could use it as a dropper for a variety of other exploits. However, the attack vector would still be through the client PC, and the server itself wouldn't be vulnerable to the WMF/EMF exploit (unless you view an infected file or have a mail client running with Autopreview).

    Of course, if your servers aren't secured against things like the UPnP vulnerability then you're living on borrowed time. Any old virus can try to exploit those kind of holes.

    Really my POV is that I don't think I need to spend this weekend patching servers and can catch up with this one later. SUS will cover everthing else.

  4. #4
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191
    Hi dynamoo i am certainly inclined to agree.

    If you patch everything that might be vulnerable then it won't launch so your servers should be safe.

    All I would add is be sure to catch all your laptops................I have seen bad things brought in that way, and they are far more likely to be used for "personal activities"

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •