Windows Graphics Rendering Engine Zero Day
12/30/2005 12:00:00 AM
Over the last few days, several media outlets and information security vendors have alerted users to a "zero day" vulnerability affecting Windows XP SP2 and other versions of Microsoft Windows. The flaw is in the Windows Graphics Rendering Engine and allows arbitrary code to be executed remotely on an affected system; it can be reached through both Internet Explorer and Firefox, and through email. "Zero day" vulnerabilities are those that are publicly disclosed before proper remediation or mitigation steps exist.
What eEye Customers Should Know
Please Note: This vulnerability is in the same component as the one Microsoft patched in Security Bulletin MS05-053 (which was discovered by eEye Digital Security and described in a detailed vulnerability analysis), but it is not the same issue, and currently no patch is available. Microsoft has released a Security Alert, available on their website.
Windows 98, Windows ME, Windows 2000, Windows XP, and Windows 2003 are all affected, and no patch is available yet. The vulnerable component is the Windows Graphics Rendering Engine; it is exploited through a malicious website or other HTML document that embeds a maliciously crafted WMF file. A successful exploit runs arbitrary commands on the remote system in the context of the logged-in user, so the impact is greatest where users browse or read mail with administrative privileges.
Users of Internet Explorer can be exploited in an automated fashion, since the embedded image is rendered without any user action. Users of Mozilla Firefox, while still at risk, are less exposed: they would need to accept the download of the malicious WMF file and open it.
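As an added example, not part of the original eEye alert, the following Python script walks the record structure of a WMF file and flags the record type that triggers this flaw. The trigger, a META_ESCAPE record carrying the SETABORTPROC escape code, is taken from Microsoft's later bulletin for this issue (MS06-001) and the public analyses of the exploit, not from this page. The sample files are constructed inline and contain only filler bytes, no exploit payload. A check like this can run at a mail or web gateway, or over a browser download cache, to identify suspicious WMF files regardless of which browser fetched them.

```python
import struct

# WMF constants from the Windows Metafile format (MS-WMF).
PLACEABLE_MAGIC = 0x9AC6CDD7   # Aldus placeable header key, 22-byte prefix
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009          # escape code used by exploits for this flaw (per MS06-001)


def iter_wmf_records(data):
    """Yield (offset, function, params, malformed) for each record in a WMF blob."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22  # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    mtype, hdr_words = struct.unpack_from("<HH", data, off)
    if mtype not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF header")
    off += hdr_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        # Size is in 16-bit words and includes the 6-byte record header.
        if size_words < 3:
            yield off, func, b"", True   # impossible size: report and stop walking
            return
        end = off + size_words * 2
        yield off, func, data[off + 6:end], end > len(data)
        if func == META_EOF or end > len(data):
            return
        off = end


def scan_wmf(data):
    """Return a list of (offset, reason) findings for a WMF blob; empty means clean."""
    findings = []
    for off, func, params, malformed in iter_wmf_records(data):
        if malformed:
            findings.append((off, "malformed record size"))
        if func == META_ESCAPE and len(params) >= 2:
            escape = struct.unpack_from("<H", params, 0)[0]
            if escape == SETABORTPROC:
                findings.append((off, "META_ESCAPE with SETABORTPROC"))
    return findings


# --- constructed sample files (not real malware) ---

def record(func, params=b""):
    """Build one WMF record; records are word-aligned."""
    if len(params) % 2:
        params += b"\x00"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def wmf(records):
    """Build a minimal WMF file: standard 18-byte header followed by the records."""
    body = b"".join(records)
    max_words = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


def with_placeable(blob):
    """Prefix a WMF blob with a 22-byte placeable header (bounding box 0,0,100,100 at 96 dpi)."""
    return struct.pack("<IH4hHIH", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0, 0) + blob


BENIGN = wmf([record(0x0103, struct.pack("<H", 8)),   # META_SETMAPMODE
              record(META_EOF)])

# Escape record carrying SETABORTPROC, followed by 4 bytes of filler ("ABCD").
SUSPICIOUS = wmf([record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"ABCD"),
                  record(META_EOF)])

# A record claiming a size of 1 word, which cannot even hold its own 6-byte header.
MALFORMED = wmf([struct.pack("<IH", 1, META_ESCAPE)])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspicious", SUSPICIOUS), ("malformed", MALFORMED)):
        print(name, scan_wmf(blob) or "clean")
```

The scanner decides by content rather than file extension, because the rendering engine is handed the bytes regardless of the name the file was served under; it also stops and reports on an impossible record size instead of trusting the length field, since a malformed size is itself a signal that the file was not produced by a normal drawing tool.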
It has been reported that this vulnerability is already being used to distribute spyware. As always, users should not click on web links sent in unsolicited emails and should take note of which websites they visit.
eEye Digital Security's Research Team, after a detailed analysis of this flaw, has confirmed that eEye's Blink® Endpoint Vulnerability Prevention protects against exploitation of this flaw without requiring invasive firewalling, which could limit system functionality, and without killing services or applications as a means of protection. The result is 100% protection, with zero downtime or impact to operations.
Current Blink customers do not need to do anything to be protected from this flaw; no updates or policy changes are required.
Those interested in protecting their systems with Blink can download an evaluation by visiting:
Copyright ©1998-2010 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.