Home page logo

fulldisclosure logo Full Disclosure mailing list archives

RE: WMF round-up, updates and de-mystification
From: Brance Amussen <brance () jhu edu>
Date: Wed, 04 Jan 2006 13:11:56 -0500

Um what if the email is HTML, and the corrupt image was imbedded in the body
of the message?? Wouldn't gdi32.dll be responsible for rendering the
(supposed) graphics inline? 
Just a thought.. Correct me if wrong.. 

B :)_S

-----Original Message-----
From: Krpata, Tyler [mailto:tkrpata () bjs com] 
Sent: Tuesday, January 03, 2006 5:36 PM
To: Gadi Evron; bugtraq () securityfocus com
Cc: full-disclosure () lists grok org uk; FunSec [List]
Subject: RE: WMF round-up, updates and de-mystification

It looks like MS has backed off on "viewing mail" as a possible attack
vector. As of today, the advisory
(http://www.microsoft.com/technet/security/advisory/912840.mspx) reads:

"In an E-mail based attack involving the current exploit, customers would
have to be persuaded to click on a link within a malicious e-mail or open an
attachment that exploited the vulnerability. At this point, no attachment
has been identified in which a user can be attacked simply by reading mail."

However, the advisory now includes this (incorrect) piece of

"Windows Metafile (WMF) images can be embedded in other files such as Word
documents. Am I vulnerable to an attack from this vector?"
"No. While we are investigating the public postings which seek to utilize
specially crafted WMF files through IE, we are looking thoroughly at all
instances of WMF handling as part of our investigation. While we're not
aware of any attempts to embed specially crafted WMF files in, for example
Microsoft Word documents, our advice is to accept files only from trusted
source would apply to any such attempts."

-----Original Message-----
From: Gadi Evron [mailto:ge () linuxbox org]
Sent: Tuesday, January 03, 2006 3:29 AM
To: bugtraq () securityfocus com
Cc: full-disclosure () lists grok org uk; FunSec [List]
Subject: WMF round-up, updates and de-mystification

Quite a bit of confusing and a vast amount of information coming from all
directions about the WMF 0day. Here are some URL's and generic facts

to set us straight.

The "patch" by Ilfak Guilfanov works, but by disabling a DLL in Windows.

So far no problems have been observed by anyone using this patch. You should
naturally check it out for yourselves but I and many others recommend it
until Microsoft bothers to show up with their own patch.

Ilfak is trusted and is in no way a Bad Guy.

You can find more information about it at his blog:

If you are still not sure about the patch by Ilfak, check out the discussion
of it going on in the funsec list about the patch, with Ilfak

Occasional information of new WMF problems keep coming in over there.

In this URL you can find the best summary I have seen of the WMF issue:
by the "SANS ISC diary" team.

In this URL you can find the best write-up I have seen on the WMF issue:
By Matthew Murphy at the "Securiteam Blogs".

Also, it should be noted at this time that since the first public discovery
of this "problem", a new one has been coming in - every day. 
All the ones seen so far are variants of the original and in all ways the
SAME problem. So, it would be best to acknowledge them as the same... or we
will keep having a NEW 0day which really isn't for about 2

months when all these few dozen variations are exhausted.

A small BUT IMPORTANT correction for future generations:
The 0day was originally found and reported by Hubbard Dan from Websense on a
closed vetted security mailing list, and later on at the Websense public
page. All those who took credit for it took it wrongly.

Thanks, and a better new year to us all,


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]