Monday, January 16, 2006

MS06-001 WMF

"The vulnerability was introduced when all that GDI functionality was allowed to be called from metafiles. The potential danger of this type of metafile record was recognized and some applications (Internet Explorer, notably)...

How then is Internet Explorer an attack vector for the vulnerability? An example of that is through the Windows Picture and Fax Viewer. That application can convert a raw WMF into a printable EMF record. During this conversion, the application will process the META_ESCAPE record. All the current exploits we’re aware of are based on creating an html construct using an IFRAME. At a high level, the IFRAME passes off content to the Windows shell to display. The shell looks up the registered handler for WMF which is the Windows Picture and Fax Viewer (shimgvw.dll) by default. It can run into the vulnerability when converting a raw WMF to a printable EMF if MS06-001 is not applied to the system.

Now, there’s been some speculation that you can only trigger this by using an incorrect size in your metafile record and that this trigger was somehow intentional. That speculation is wrong on both counts...

...With WMF we want to be very clear: the Windows 9x platform is not vulnerable to any "Critical" attack vector..."

posted on Friday, January 13, 2006 11:57 PM by stepto

technet

microsoft security .
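The quoted post stresses that processing of the META_ESCAPE record is what matters, and that an incorrect record size is not required. The added example below (not code from the quoted post or from Microsoft) is a defender-side scanner that walks a WMF file's records and reports every META_ESCAPE record, whether or not its size field is consistent. The record layout follows the published WMF format; the sample bytes and the escape value 0x000F are constructed for the demonstration.

```python
import struct

META_ESCAPE = 0x0626            # WMF record function number for META_ESCAPE
META_EOF = 0x0000               # terminating record
PLACEABLE_MAGIC = 0x9AC6CDD7    # optional 22-byte placeable header

def find_escape_records(data: bytes):
    """Return [(offset, escape_function, size_field_ok)] per META_ESCAPE record."""
    pos = 22 if data[:4] == struct.pack("<I", PLACEABLE_MAGIC) else 0
    if len(data) < pos + 18:
        raise ValueError("truncated WMF header")
    ftype, hdr_words = struct.unpack_from("<HH", data, pos)
    if ftype not in (1, 2) or hdr_words != 9:
        raise ValueError("not a standard WMF header")
    pos += 18
    hits = []
    while pos + 6 <= len(data):
        # Each record: 32-bit size in 16-bit words, then 16-bit function number.
        size_words, func = struct.unpack_from("<IH", data, pos)
        end = pos + size_words * 2
        size_ok = size_words >= 3 and end <= len(data)
        if func == META_ESCAPE and pos + 8 <= len(data):
            # First parameter of META_ESCAPE is the escape function code.
            (escape_fn,) = struct.unpack_from("<H", data, pos + 6)
            hits.append((pos, escape_fn, size_ok))
        if func == META_EOF or not size_ok:
            break  # cannot walk past a bad size; earlier hits are still reported
        pos = end
    return hits

def make_sample(size_words: int = 7) -> bytes:
    """Constructed 38-byte metafile: header, one META_ESCAPE record, EOF."""
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 19, 0, 7, 0)
    escape = struct.pack("<IHHH", size_words, META_ESCAPE, 0x000F, 4) + b"test"
    eof = struct.pack("<IH", 3, META_EOF)
    return header + escape + eof

if __name__ == "__main__":
    for label, blob in (("consistent size", make_sample()),
                        ("inconsistent size", make_sample(0xFFFF))):
        for off, fn, ok in find_escape_records(blob):
            print(f"{label}: META_ESCAPE at {off}, escape=0x{fn:04X}, size_ok={ok}")
```

Because the record is reported in both cases, a filter built this way does not depend on the metafile being malformed.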
