Message-ID: <4491EF4A5F6B4E40BDC73E7408F432CD07EB4C11@saf.gos.ca>
Date: Thu, 5 Jan 2006 15:00:35 -0600
From: "Duran, Jason IT0" <jason.duran@....sk.ca>
To: bugtraq@...urityfocus.com
Subject: MS released a patch today - MS06-001



Microsoft released a patch for the WMF vulnerability this afternoon.
KB912919
http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx

http://www.microsoft.com/technet/security/bulletin/ms06-jan.mspx

Has anyone looked into this, tried it, or does anyone know what it modifies?

In the workarounds FAQ for the vulnerability, it mentions:
(Therefore, I think this is pre-patch release info.)

============================================================================

Workarounds for Graphics Rendering Engine Vulnerability - CVE-2005-4560:

Microsoft has tested the following workaround. While this workaround will
not correct the underlying vulnerability, it will help block known attack
vectors.

* Unregister the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP
Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows
Server 2003 Service Pack 1

Microsoft has tested the following workaround. While this workaround will
not correct the underlying vulnerability, it helps block known attack
vectors. When a workaround reduces functionality, it is identified in the
following section.

Note This workaround is intended to help protect against Web based exploit
vectors and is not effective against exploits that have Windows Metafile
images embedded in Word documents and other similar attack vectors.

Note The following steps require Administrative privileges. We recommend
that you restart the computer after you apply this workaround.
Alternatively, you can log out and log back in after you apply the
workaround. However, we do recommend that you restart the computer.

To un-register Shimgvw.dll, follow these steps:

1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll"
   (without the quotation marks), and then click OK.

2. When a dialog box appears that confirms that the process has been
   successful, click OK.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer
start when users click a link to an image type that is associated with the
Windows Picture and Fax Viewer.

To undo this workaround after the security update has been deployed,
reregister Shimgvw.dll. To do this, use this same procedure, but replace the
text in step 1 with "regsvr32 %windir%\system32\shimgvw.dll" (without the
quotation marks).
 

-----Original Message-----
From: Dave Korn [mailto:davek_throwaway@...mail.com] 
Sent: Tuesday, January 03, 2006 1:10 PM
To: bugtraq@...urityfocus.com
Subject: Re: WMF browser-ish exploit vectors


Evans, Arian wrote in
news:8654C851B1DAFA4FA18A9F150145F92502C16D7A@...x01.fishnetsecurity.com
> Here, let's make the rendering issue simple:
>
> Due to IE being so content help-happy there are a
> myriad of IE-friend file types (e.g.-.jpg) that one
> can simply rename a metafile to for purpose of web exploitation, and 
> IE will pull out the wonderful hey;
> you're-not-a-jpeg-you're-a-something-else-that-I-can-
> -automatically-handle trick err /feature/ for you.

  Yeh, that's a real dumbass design feature that one.

> http://sharepoint2003/bizdir/your_custom_folder_icon.jpg
>
> http://yourcorp_web_based_DMS/surprise_not_a.doc
>
> etc.


  Have you tried giving it a mpg/avi/wma/wmv extension and getting it to 
open in a (perhaps embedded) mediaplayer?  That's liable to work as well; 
mediaplayer is also vulnerable to the 
choose-an-app-based-on-extension/app-loads-a-viewer-based-on-actual-content 
desynchronisation attack...


    cheers,
      DaveK
-- 
Can't think of a witty .sigline today.... 
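The thread above turns on one defender-relevant point: the application is picked by file extension, but the viewer then decides what to do from the actual bytes, so a metafile renamed to .jpg (or .doc, .avi, ...) still reaches the vulnerable rendering code. A gateway, upload handler or mail filter can refuse to play along by sniffing content and comparing it with what the extension claims. The following Python is an added example written for this archive page, not code from Microsoft or from any poster in the thread. The header field values come from the public MS-WMF, JPEG, PNG, GIF and BMP format descriptions; the sample files are constructed header-only byte strings (not real or renderable images), and the file names reuse the examples Arian Evans gave.

```python
"""Detect image-type/extension mismatches, in particular Windows metafiles
served or uploaded under a different extension (.jpg, .doc, ...).
Added example for the WMF thread; all sample data is constructed."""
import struct

# Magic values from the public MS-WMF spec and the JPEG/PNG/GIF/BMP specs.
_PLACEABLE_WMF_KEY = b"\xd7\xcd\xc6\x9a"   # placeable (Aldus) header key 0x9AC6CDD7, little-endian
_STANDARD_WMF_HEADER_LEN = 18               # META_HEADER size in bytes


def _is_standard_wmf_header(buf: bytes) -> bool:
    """META_HEADER check: Type 1 (memory) or 2 (disk), HeaderSize 9 words,
    Version 0x0100 or 0x0300. Placeable files carry this header at offset 22."""
    if len(buf) < _STANDARD_WMF_HEADER_LEN:
        return False
    mf_type, header_size, version = struct.unpack_from("<HHH", buf, 0)
    return mf_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def sniff_image(data: bytes) -> str:
    """Name the format the bytes actually are, ignoring the file name entirely."""
    if data.startswith(_PLACEABLE_WMF_KEY) or _is_standard_wmf_header(data):
        return "wmf"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data.startswith(b"BM"):
        return "bmp"
    return "unknown"


_EXT_TO_FORMAT = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif",
                  "bmp": "bmp", "wmf": "wmf"}


def classify_file(name: str, data: bytes) -> dict:
    """Compare what the extension claims with what the bytes are.

    Verdicts:
      metafile_disguised - content is WMF but the name does not say so (block it)
      mismatch           - a recognised image type that differs from the extension
      ok                 - extension and content agree, or content is unrecognised
    """
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = _EXT_TO_FORMAT.get(ext, "other")
    actual = sniff_image(data)
    if actual == "wmf" and claimed != "wmf":
        verdict = "metafile_disguised"
    elif actual not in ("unknown", claimed):
        verdict = "mismatch"
    else:
        verdict = "ok"
    return {"name": name, "claimed": claimed, "actual": actual, "verdict": verdict}


def _constructed_wmf(placeable: bool) -> bytes:
    """Header-only bytes with spec-valid field values, constructed for this demo;
    not a real or renderable metafile and carrying no records."""
    # Type=disk, HeaderSize=9 words, Version=0x0300, Size=0, objects/records=0
    std = struct.pack("<HHHHHHIH", 2, 9, 0x0300, 0, 0, 0, 0, 0)
    if not placeable:
        return std
    # HWmf, bounding box (l, t, r, b), inch, reserved; checksum = XOR of the 10 preceding words
    body = struct.pack("<HhhhhHI", 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for word in struct.unpack("<10H", _PLACEABLE_WMF_KEY + body):
        checksum ^= word
    return _PLACEABLE_WMF_KEY + body + struct.pack("<H", checksum) + std


# Constructed samples: two metafiles hiding behind other extensions, one honest
# JPEG and one PNG (file names taken from the examples in the thread).
SAMPLES = {
    "your_custom_folder_icon.jpg": _constructed_wmf(placeable=True),
    "surprise_not_a.doc": _constructed_wmf(placeable=False),
    "real_photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "logo.jpg": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,   # PNG bytes with a .jpg name
}


def audit(samples: dict) -> dict:
    """Run the check over a name -> bytes mapping and return name -> verdict."""
    return {name: classify_file(name, data)["verdict"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:32} {verdict}")
```

The check deliberately treats any metafile that is not named as one as a blocking condition rather than a plain mismatch, because that is exactly the case the thread describes; a PNG under a .jpg name is a policy question, a WMF under a .jpg name is the attack vector. Sniffing is done on a short prefix, so the same function can sit in front of an upload handler or a proxy without buffering whole files.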



