Visible Symptoms
- This exploit executes arbitrary code; payloads observed so far include the following:
  - installation of adware/spyware
  - execution of shellcode
Detailed Analysis
A vulnerability exists in the Graphics Rendering Engine, specifically in the shell
image viewer DLL (shimgvw.dll) that handles viewing of Windows Metafile data files
(commonly carrying the .WMF extension). The vulnerability allows a crafted Windows
Metafile to redirect execution flow into a series of assembly language instructions
carried in the file, i.e. an arbitrary payload of the attacker's choosing.
Note that even if the file extension is renamed from .WMF to any of the following,
the exploit can still execute, because the file is handled according to its
content rather than its extension:
.bmp
.dib
.rle
.jpg
.jpeg
.jpe
.jfif
.gif
.emf
.wmf
.tif
.tiff
.png
.ico
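Because the renaming trick above defeats any filter that keys on the extension, a defender has to look at the file header instead. The following is an added example, not code from the advisory or from Microsoft: it recognises Windows Metafile content by its METAHEADER (and, when present, the 22-byte "placeable" header with the 0x9AC6CDD7 key), then reports files whose content is a metafile but whose extension says otherwise. The sample files at the bottom are constructed, empty metafiles, not real malware; the extension set is the one listed in the advisory.

```python
"""Identify Windows Metafile content by header rather than file extension.
Added example for this advisory; not part of the original text."""
import struct
from pathlib import Path

# Extensions the advisory lists as still triggering the exploit after renaming.
IMAGE_EXTENSIONS = {
    ".bmp", ".dib", ".rle", ".jpg", ".jpeg", ".jpe", ".jfif", ".gif",
    ".emf", ".wmf", ".tif", ".tiff", ".png", ".ico",
}

PLACEABLE_KEY = 0x9AC6CDD7      # magic of the 22-byte "placeable" (Aldus) header
PLACEABLE_HEADER_LEN = 22
META_HEADER_LEN = 18            # standard METAHEADER is 9 words


def placeable_checksum(header: bytes) -> int:
    """XOR of the first ten 16-bit words of a placeable header (word 11 is the checksum)."""
    result = 0
    for word in struct.unpack_from("<10H", header, 0):
        result ^= word
    return result


def parse_wmf_header(data: bytes):
    """Return header facts if `data` starts with a WMF header, else None.

    Accepts both a bare METAHEADER and the placeable header + METAHEADER form.
    """
    offset = 0
    placeable = False
    checksum_ok = None
    if len(data) >= PLACEABLE_HEADER_LEN and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        placeable = True
        stored = struct.unpack_from("<H", data, 20)[0]
        checksum_ok = stored == placeable_checksum(data[:PLACEABLE_HEADER_LEN])
        offset = PLACEABLE_HEADER_LEN
    if len(data) < offset + META_HEADER_LEN:
        return None
    # mtType(2) mtHeaderSize(2) mtVersion(2) mtSize(4) mtNoObjects(2) mtMaxRecord(4) mtNoParameters(2)
    mt_type, mt_header_size, mt_version, mt_size, _, _, _ = struct.unpack_from("<HHHIHIH", data, offset)
    # Type is 1 (memory) or 2 (disk); header size is fixed at 9 words; version 0x100 or 0x300.
    if mt_type not in (1, 2) or mt_header_size != 9 or mt_version not in (0x0100, 0x0300):
        return None
    return {"placeable": placeable, "checksum_ok": checksum_ok,
            "type": mt_type, "version": mt_version, "size_words": mt_size}


def classify(name: str, data: bytes) -> str:
    """'wmf' for metafile content under a .wmf name, 'wmf-misnamed' for metafile
    content under any other extension, otherwise 'other'."""
    if parse_wmf_header(data) is None:
        return "other"
    return "wmf" if Path(name).suffix.lower() == ".wmf" else "wmf-misnamed"


def scan_files(files):
    """files: mapping of file name -> leading bytes. Returns the names whose
    content is a metafile but whose extension claims another image type."""
    return sorted(name for name, data in files.items() if classify(name, data) == "wmf-misnamed")


def scan_directory(root):
    """Same check over on-disk files carrying one of the image extensions above."""
    files = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in IMAGE_EXTENSIONS:
            with open(path, "rb") as fh:
                files[str(path)] = fh.read(PLACEABLE_HEADER_LEN + META_HEADER_LEN)
    return scan_files(files)


def build_minimal_wmf(placeable: bool = False) -> bytes:
    """Constructed sample: METAHEADER plus a single META_EOF record, optionally
    preceded by a placeable header. Contains no drawing records at all."""
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0)  # mtSize = 9 + 3 words
    eof_record = struct.pack("<IH", 3, 0x0000)                   # size 3 words, META_EOF
    body = header + eof_record
    if not placeable:
        return body
    # Key, HWmf, BoundingBox (left, top, right, bottom), Inch, Reserved, then checksum.
    prefix = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    return prefix + struct.pack("<H", placeable_checksum(prefix)) + body


# Constructed inputs: one metafile renamed to .jpg, one correctly named, one real PNG signature.
SAMPLES = {
    "holiday.jpg": build_minimal_wmf(),
    "chart.wmf": build_minimal_wmf(placeable=True),
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
}

if __name__ == "__main__":
    for name in scan_files(SAMPLES):
        print("metafile content under a non-WMF extension:", name)
```

Run against a mail gateway quarantine or a download directory with `scan_directory(path)`; a hit means a file that a picture viewer would render as a metafile no matter what the name suggests, which is exactly the case the extension list above describes. The checksum check is informational only, since the viewer does not reject files with a bad placeable checksum.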
The vulnerability is unpatched as of the time of this writing; this situation is
known as a "zero-day" exploit, where zero refers to the number of days between
discovery of the vulnerability and public release of an exploit. Examples of this
exploit exist on some security sites, and variations of working code exist on
several hosted sites.
Viewing either the example code or the working Trojanized WMF files results in code
execution on Microsoft Windows, including Windows XP SP2 with all known and existing
security updates applied. Microsoft posted an acknowledgement of the vulnerability
and recommended at least one workaround: unregistering SHIMGVW.DLL.
Additional Resources
Advisories were posted on numerous security sites, including the following: