MS05-053 - WMF/EMF Rendering Vulnerability

[dynamoo]

Just one thing in the Patch Tuesday Bulletin:

Microsoft Security Bulletin MS05-053
Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424)
http://www.microsoft.com/technet/sec.../MS05-053.mspx

My analysis:

Essentially, a flaw in the rendering of WMF and EMF graphics files could lead to remote code execution. Typically, the files would have to be delivered through a web page, email message or be embedded in a document. If embedded in a document or web page it will require some user intervention to spread.

However, it is possible to embed a WMF file directly into an email message and have it display automatically (possibly through an autopreview pane). A virus using this attack mechanism could spread very quickly because little user intervention is required. It would be possible to create an effective and very fast spreading mass mailing virus using this flaw.

This is not an attack vector that could be exploited by a Sasser/Blaster/Zotob style worm. It is also extremely unlikely that you would view a WMF or EMF file on a server for any reason. Therefore, I do not feel that the majority servers are at risk from this flaw unless they display or process email in some way.

The patch for this ONLY appears to be for the EMF and WMF rendering subsystem, so in my view the patch itself carries a very low risk.

Summary: patch anything that access email or the the internet as soon as you can, but it's probably not necessary to schedule any server downtime for this patch as the vast majority of them would never carry out a task that would render this kind of graphics file.

[nihil]

Hmmmm,

I can see your point, but wouldn't it depend on what the payload was, and how well protected your servers are from internal attack?

[dynamoo]

Well, of course the payload can be anything you like - you could use it as a dropper for a variety of other exploits. However, the attack vector would still be through the client PC, and the server itself wouldn't be vulnerable to the WMF/EMF exploit (unless you view an infected file or have a mail client running with Autopreview).

Of course, if your servers aren't secured against things like the UPnP vulnerability then you're living on borrowed time. Any old virus can try to exploit those kind of holes.

Really my POV is that I don't think I need to spend this weekend patching servers and can catch up with this one later. SUS will cover everthing else.

[nihil]

Hi dynamoo i am certainly inclined to agree.

If you patch everything that might be vulnerable then it won't launch so your servers should be safe.

All I would add is be sure to catch all your laptops................I have seen bad things brought in that way, and they are far more likely to be used for "personal activities"