
ISS Protection Alert: Windows Picture and Fax Viewer WMF Overflow

2005-12-29 00:00:00
vulners.com

Internet Security Systems Protection Alert
December 28, 2005

Microsoft Picture and Fax Viewer WMF Buffer Overflow

Summary:

The X-Force is tracking a new, unpatched critical vulnerability in Microsoft's
Picture and Fax Viewer application, which is the default viewer for WMF graphics
within Microsoft Windows XP and 2003. Successful exploitation would grant an
attacker the privileges of the user viewing the image, up to and including
administrative privileges.

Business Impact:

Compromise of networks and machines using Microsoft Windows may lead
to exposure of confidential information, loss of productivity, and
further network compromise. Successful exploitation of this vulnerability
could be used to gain unauthorized access to networks and machines. No
authentication is required for an attacker to leverage this vulnerability
to compromise a network or machine. Windows installations are vulnerable
in their default configurations.

Although this attack requires some user interaction, it is possible to trick
users into clicking on links or opening attachments that contain a malicious
file. Other methods may be employed, such as embedding the link in JavaScript or
some other method that will automatically download the file without the user's
knowledge. This vulnerability has been confirmed to already be in the wild and
has been observed propagating in several worms and spyware.


About Internet Security Systems (ISS)
Internet Security Systems, Inc. (ISS) is the trusted security expert to
global enterprises and world governments, providing products and services
that protect against Internet threats. An established world leader in
security since 1994, ISS delivers proven cost efficiencies and reduces
regulatory and business risk across the enterprise for
more than 11,000 customers worldwide. ISS products and services
are based on the proactive security intelligence conducted by ISS'
X-Force® research and development team, the unequivocal world
authority in vulnerability and threat research. Headquartered
in Atlanta, Internet Security Systems has additional operations
throughout the Americas, Asia, Australia, Europe and the Middle East.

Copyright (c) 2005 Internet Security Systems, Inc. All rights reserved
worldwide.

This document is not to be edited or altered in any way without the
express written consent of Internet Security Systems, Inc. If you wish
to reprint the whole or any part of this document, please email

[email protected] for permission. You may provide links to this document
from your web site, and you may make copies of this document in
accordance with the fair use doctrine of the U.S. copyright laws.

Disclaimer: The information within this document may change without notice.
Use of this information constitutes acceptance for use in an AS IS condition.
There are NO warranties, implied or otherwise, with regard to this information
or its use. Any use of this information is at the user's risk. In no event
shall the author/distributor (Internet Security Systems X-Force) be held
liable for any damages whatsoever arising out of or in connection with the
use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key
server, as well as at http://www.iss.net/security_center/sensitive.php

Please send suggestions, updates, and comments to: X-Force
[email protected] of Internet Security Systems, Inc.
