Ads Microsoft Windows WMF "SETABORTPROC" Arbitrary Code Execution Friday, 30 December 2005 A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to an error in the handling of Windows Metafile files (".wmf") containing specially crafted SETABORTPROC "Escape" records. Such records allow arbitrary user-defined function to be executed when the rendering of a WMF file fails. This can be exploited to execute arbitrary code by tricking a user into opening a malicious ".wmf" file in "Windows Picture and Fax Viewer" or previewing a malicious ".wmf" file in explorer (i.e. opening a folder containing a malicious image file). The vulnerability can also be exploited automatically when a user visits a malicious web site using Microsoft Internet Explorer. NOTE: Exploit code is publicly available. This is being exploited in the wild. The vulnerability can also be triggered from explorer if the malicious file has been saved to a folder and renamed to other image file extensions like ".jpg", ".gif, ".tif", and ".png" etc. The vulnerability has been confirmed on a fully patched system running Microsoft Windows XP SP2. Microsoft Windows XP SP1 and Microsoft Windows Server 2003 SP0 / SP1 are reportedly also affected. Other platforms may also be affected. Solution: Do not save, open or preview untrusted image files from email or other sources, or open untrusted folders and network shares in explorer. Set security level to "High" in Microsoft Internet Explorer to prevent automatic exploitation. The risks can be mitigated by unregistering "Shimgvw.dll". However, this will disable certain functionalities. Secunia do not recommend the use of this workaround on production systems until it has been thoroughly tested. Provided and/or discovered by: First reported in the wild by "noemailpls". Exploit code and additional information provided by H D Moore. Changelog: 2005-12-29: Updated advisory. Original Advisory: Microsoft (KB912840): http://www.microsoft.com/technet/security/advisory/912840.mspx Other References: US-CERT VU#181038: http://www.kb.cert.org/vuls/id/181038   < Prev   Next > [ Back ]

Main Menu SpamAlerts | Windows | Linux | Tutorials | Excell | WhitePapers | News | Spam | Virus Windows Focus VNews Vulnerability Hacking Sql Injection map Downloads Affiliates Online Store Free Ringtones Seo Directory IWebListin Jobs in India Freshers Jobs listings. Winkeyfinder

Copyright 2005-2007 SpamAlertz.com, Content on this site is From variuos other emails, and Advisories.