Microsoft releases security bulletin early to patch critical IE flaw
Takeaway: The first security bulletin of 2006 is so critical that Microsoft released it on January 5—a week before the usual deadline. John McCormick has the details on Microsoft Security Bulletin MS06-001.
Microsoft's first security bulletin of the year was so critical that Redmond released it early.
Details
The first security bulletin of 2006 is so critical that Microsoft released it on January 5—a week before the usual patch cycle. Microsoft Security Bulletin MS06-001, "Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution," addresses a vulnerability that's so serious it even made the front page of some business newspapers, including the Financial Times.
This might be the only security bulletin this month; the Microsoft Security Bulletin Summaries and Webcasts page lists the bulletin as from both January 5 and 11. However, Microsoft purportedly plans to release two additional security updates—one for Windows and one for Microsoft Office and Exchange Server.
This is a remote code execution threat due to a Graphics Rendering Engine vulnerability (CVE-2005-4560). The problem is due to a fault in the way the graphics engine handles Windows Metafile (WMF) images. Microsoft Security Advisory 912840 addressed this vulnerability in late December because active exploitation was already under way.
Microsoft Baseline Security Analyzer (MBSA) versions 1.2.1 and 2.0, as well as Systems Management Server, will determine if the update is necessary for particular systems. For more details about WMF and other image file formats, see Microsoft Knowledge Base Article 320314.
Applicability
All Microsoft operating systems from Windows 98 on are vulnerable, including Windows XP Service Pack 2 and Windows Server 2003 SP1. However, because this isn't a critical threat on Windows 98, Windows 98 SE, or Windows ME, the update doesn't support those versions. (Microsoft has ended support for these OS versions except for critical issues.)
Risk level - critical
Microsoft has rated this vulnerability as critical for Windows 2000, all versions of Windows XP (including SP2), and all versions of Windows Server 2003 (including SP1). This rating also applies to x64 and Itanium-based systems.
Mitigating factors
A successful attack would only give the attacker the same rights as the local user. In addition, an image hosted on a malicious Web site initiates the attack, so the user must actively visit that site, for example by clicking a link in an e-mail or instant message. However, it's important to note that a user can also trigger an attack by opening a Word document that contains an embedded malicious image.
Fix
Apply the update. This fix does affect functionality because it removes support for the SETABORTPROC record type (META-ESCAPE WMF images).
In addition, there's an available workaround, tested and approved by Microsoft, to help block the attack from Web-based vectors: Unregister the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP and Windows Server 2003 systems. Keep in mind that this recommendation may change, so see the security bulletin for details.
Simply blocking WMF files doesn't provide complete protection because hackers may disguise the file format. The graphics engine doesn't read the file extension to determine how to process the image.
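To make that point concrete, here is an added Python example (not code from the bulletin or from this column) that identifies a WMF by its header bytes instead of its extension and walks the record list for the META_ESCAPE/SETABORTPROC record type the update removes. The record and escape codes are taken from the published WMF format; the sample files are constructed inline, and the layout of a placeable header is assumed from that specification.

```python
import struct

# Record and escape codes from the WMF specification (MS-WMF).
PLACEABLE_KEY = 0x9AC6CDD7  # Aldus "placeable" header magic
META_ESCAPE = 0x0626
META_EOF = 0x0000
SETABORTPROC = 0x0009       # the escape the MS06-001 update stops honouring

def wmf_offset(data):
    """Offset of the standard WMF header, or None if the bytes are not a WMF; the extension is never consulted."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        off = 22  # skip the placeable header
    if len(data) < off + 18:
        return None
    ftype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    if ftype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return None
    return off

def find_setabortproc(data):
    """Offsets of META_ESCAPE records carrying SETABORTPROC; [] if none, None if not a WMF at all."""
    off = wmf_offset(data)
    if off is None:
        return None
    hits, pos = [], off + 18
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3 or func == META_EOF:
            break  # end of record list, or a record too short to advance
        if (func == META_ESCAPE and pos + 8 <= len(data)
                and struct.unpack_from("<H", data, pos + 6)[0] == SETABORTPROC):
            hits.append(pos)
        pos += size_words * 2  # RecordSize is counted in 16-bit words
    return hits

# --- constructed sample files (not real captures) ---
def _record(func, params=b""):
    body = struct.pack("<H", func) + params
    return struct.pack("<I", (4 + len(body)) // 2) + body

def _wmf(records):
    body = b"".join(records) + _record(META_EOF)
    hdr = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0,
                      max(len(r) for r in records) // 2, 0)
    return hdr + body

BENIGN_WMF = _wmf([_record(0x0103, struct.pack("<H", 8))])  # META_SETMAPMODE only
SUSPICIOUS_WMF = _wmf([_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))])
# Same records behind a placeable header; whatever name it is saved under is irrelevant.
PLACEABLE_SUSPICIOUS = struct.pack("<IH4hHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100,
                                   96, 0, 0) + SUSPICIOUS_WMF
NOT_WMF = b"GIF89a" + bytes(32)  # a GIF header; no WMF structure at all
```

A gateway or mail filter built this way keys on the header and record structure, so renaming a WMF to .jpg or .gif does not get it past the check.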
Final word
Congratulations to Microsoft for realizing the importance of this threat and getting a patch out as soon as possible.
By the way, for those of you who don't subscribe to the IT Locksmith newsletter, you may have wondered where I've been the past few weeks. Every year, I write an article or two looking back on the previous year and offering predictions for the coming one. This year, I posted those reflections in my new TechRepublic blog.
My blog is your chance to get my uncensored thoughts and opinions on what's happening in the security arena. It's an opportunity for you to see what didn't make the cut in my weekly article and to see what I have to say when my editor isn't around. So, if you have any interest in my opinions based on 45 years of experience in IT, bookmark my new blog.
Also watch for …
- Google has announced plans to add on-demand video, including CBS television programs and NBA basketball games, to the search giant's offerings. Apple's iTunes store already offers NBC and ABC television shows, and Google already offers free hosting for amateur videos.
- Serious flaws have emerged in BlackBerry software. There were originally three vulnerabilities, but RIM has already patched one, which posed a DoS attack possibility, in versions 4.0.02 and later.
Miss a column?
Check out the IT Locksmith Archive, and catch up on the most recent editions of John McCormick's column.
Want to stay on top of the latest security updates? Automatically sign up for our free IT Locksmith newsletter, delivered each Tuesday!
John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.