Analysis of Microsoft Mwf Security Vulnerability and Its Impact

Analysis of Microsoft MWF Security Vulnerability and its Impact

Juan Carlos

January 9, 2006

In a statement released December 29, 2005 Microsoft Corp. expanded on a self-acknowledged critical security flaw in their Microsoft Windows operating system originally released in security bulletin 912810 on December 28, 2005. Microsoft and other researchers describe the flaw's discovery as having the potential for a major impact. The flaw, known as the WMF vulnerability, takes advantage of a part of the Windows Operating System (OS) used to view images which can be exploited to install spyware, viruses or hijacking programs. Since the vulnerability is a part of the Windows OS itself and not Internet Explorer, users who feel more secure using alternative browsers, such as Mozilla or Netscape, are just as vulnerable if they download a file from a malicious site. "Marc Maiffret, an executive with eEye Digital Security Inc. of Aliso Viejo, Calif., said the vulnerability still could be troubling because personal firewalls will offer little protection and the attacks can easily be modified to get around security software such as antivirus programs" (Linn, 2006, p. 1). The flaw was first made public by security researchers who posted details of their findings on the Internet on December 27, 2005.

"The problem with this attack is that it is so hard to defend against for the average user," said Johannes Ullrich, chief research officer for the SANS Internet Storm Center in Bethesda, MD" (Krebs, 2005, p. 1). Within hours of the announcement reports from network security professionals confirmed that infections from malicious websites and emails had affected systems under their care. Microsoft did not think the attacks would be widespread because the vulnerability requires someone to take action, for example, by opening strange emails. Now however "hundreds of sites have begun using the flaw to install a broad range of malicious software. SANS has received several reports of attackers blasting out spam e-mails containing links that lead to malicious sites exploiting the new flaw, Ullrich said (Krebs, 2005, p. 2). Such activity suggests that the hackers doubt Microsoft's belief that users will resist the urge to click on emailed links to interesting yet malicious sites.

The WMF file vulnerability is caused by the fact that the Windows operating system is designed to read and playback Graphic Device Interface (GDI) commands stored inside a WMF file. "Windows Metafile Format: graphics file format used to exchange graphics information between Microsoft Windows applications. WMF files can hold both vector and bit-mapped images" (Webopedia, 2001). The vulnerability is caused by what are known as "escape records" used by the WMF. What should be a data only file is manipulated by malicious hackers to carry executable content when the data is viewed (Liston, 2006, p. 1).

In response, Microsoft released both a patch and a Security Bulletin on January 5, 2006 titled Microsoft Security Bulletin MS06-001, Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919). In the Executive Summary Microsoft details the vulnerability as follows:

If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (Microsoft 912919, 2006, p. 2)

To the relief of many an administrator this patch arrived five days earlier than expected and it could be downloaded via Microsoft Windows Update Web site. The patch was released for users of Windows 2000, XP SP1/SP2, and Server 2000/2003 along with a workaround for reregistering the Shimgvw.dll in Windows Fax and Image Viewer for users of Windows 98/SE and ME users.

The solution to this wide-spread problem is to simply apply the patch as soon as possible. Increasing consumer awareness of the problem and its easily available solution is the key to preventing further and likely far greater exploitation of the vulnerability. The consequences of inaction are serious. "Dean

...