
Gartner: WMF flaw could have ‘far-reaching enterprise impact’

The recently disclosed Windows Metafile (WMF) vulnerability could compromise many enterprise systems, not just those that directly use the affected components, Gartner has warned.

The analyst firm advised companies to deploy Microsoft's newly released official patch rather than the third-party patch, available at www.hexblog.com/2005/12/wmf_vuln.html, which blocks the use of custom abort code.

The analyst firm recommends against the use of this unsupported patch, particularly by large enterprises, because it would require extensive testing and eventual uninstallation, and could introduce additional risk.

Gartner notes that this critical vulnerability results from the WMF format allowing custom abort-procedure code to be embedded within a WMF object (through the format's SETABORTPROC escape record). A malicious WMF file that is opened by the Windows graphics rendering engine can therefore execute arbitrary code with the privileges of the user who opened it.

"This does not automatically provide remote privilege-escalation capabilities, but because users typically have administrative privileges, malicious code will likely gain full access to affected systems. Mitigating this vulnerability will be difficult, because it is within a dynamic link library (DLL) file used by an unknown number of applications, including the Windows Picture and Fax Viewer, Lotus Notes and, reportedly, Google Desktop's indexer," stated a recent advisory written by Gartner analysts Amrit T. Williams, Jay Heiser and Neil MacDonald.

Even if the default file association between the viewer and WMF files is changed, a malicious WMF file can be given a different extension and still be automatically processed by the vulnerable DLL, because the rendering engine identifies the format from the file's content rather than its name, the advisory added.

"For this reason, every image that is received must be inspected for malicious content. Moreover, compound documents, such as Word files, may contain embedded images, so it may be necessary to extend inspection to all attachments," Gartner warned.
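The content inspection Gartner describes has to key on what the bytes are, not on the file extension, and has to reach images embedded inside other attachments. The following Python is an added example written for this page, not code from Gartner, Microsoft or the hexblog patch. It walks a WMF file's record list and flags any META_ESCAPE record (function code 0x0626) whose escape function is SETABORTPROC (0x0009), which is the mechanism the article refers to as "custom abort code" and which no legitimate image file needs. It also generalizes beyond a single file: `find_embedded_wmf` searches an arbitrary byte blob for WMF header signatures so that a renamed or embedded metafile is still inspected. The sample inputs are constructed inline; the record code values and the 18-byte header layout come from the WMF format, and the header-pattern search is a heuristic of this example (it can miss a header whose bytes are split across OLE sectors in a compound document).

```python
import struct

# Record and escape codes from the WMF format (MetafileRecord / MetafileEscapes enumerations).
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009
PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte Aldus placeable header
STD_HEADER_LEN = 18          # Type, HeaderSize, Version, SizeLow, SizeHigh, Objects, MaxRecord, Members


def _header_offset(data):
    """Return the offset of the standard META_HEADER, skipping a placeable
    header if present, or None if the bytes do not look like a WMF at all."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + STD_HEADER_LEN:
        return None
    mtype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    if mtype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return None
    return off


def scan_wmf(data):
    """Walk the record list and return one finding per suspicious record.
    An empty list means no SETABORTPROC escape was seen. Raises ValueError
    if the bytes are not a WMF, so callers can tell 'clean' from 'not a metafile'."""
    off = _header_offset(data)
    if off is None:
        raise ValueError("not a WMF header")
    pos = off + STD_HEADER_LEN
    findings = []
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        rec_len = size_words * 2
        if rec_len < 6:
            # A record that cannot even hold its own size+function fields is malformed;
            # stop here and report it rather than looping forever on a zero-length record.
            findings.append({"offset": pos, "reason": "record size too small"})
            break
        if func == META_EOF:
            break
        if func == META_ESCAPE and pos + 10 <= len(data):
            esc_func, byte_count = struct.unpack_from("<HH", data, pos + 6)
            if esc_func == SETABORTPROC:
                findings.append({"offset": pos, "reason": "SETABORTPROC escape",
                                 "payload_len": byte_count})
        pos += rec_len
    return findings


def find_embedded_wmf(blob):
    """Heuristic (this example's own): locate WMF headers anywhere in a blob,
    regardless of the container's extension, and scan each candidate.
    Returns a list of (header_offset, findings) pairs."""
    placeable = struct.pack("<I", PLACEABLE_KEY)
    # Standard header starts: Type (1 or 2), HeaderSize 9, Version 0x0100 or 0x0300.
    patterns = [placeable] + [bytes([t, 0, 9, 0, 0, v]) for t in (1, 2) for v in (1, 3)]
    results, seen = [], set()
    for pat in patterns:
        i = blob.find(pat)
        while i >= 0:
            hdr = i + 22 if pat == placeable else i
            if hdr not in seen:
                seen.add(hdr)
                try:
                    results.append((hdr, scan_wmf(blob[hdr:])))
                except ValueError:
                    pass  # pattern hit that is not really a header
            i = blob.find(pat, i + 1)
    return results


# --- constructed sample data (not real-world files) ---------------------------

def _record(func, params=b""):
    """Assemble one record: 4-byte size in words, 2-byte function, parameters."""
    total = 6 + len(params)
    if total % 2:
        params += b"\x00"
        total += 1
    return struct.pack("<IH", total // 2, func) + params


def build_wmf(records):
    """Assemble a minimal memory metafile (Type 1, version 0x0300) from records."""
    body = b"".join(records)
    size_words = (STD_HEADER_LEN + len(body)) // 2
    max_rec = max(struct.unpack_from("<I", r, 0)[0] for r in records)
    header = struct.pack("<HHHHHHIH", 1, 9, 0x0300,
                         size_words & 0xFFFF, size_words >> 16, 0, max_rec, 0)
    return header + body


BENIGN = build_wmf([_record(META_EOF)])
# Stand-in for the abort-procedure body: filler bytes, not executable code.
MALICIOUS = build_wmf([_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 8) + b"A" * 8),
                       _record(META_EOF)])
# A metafile hidden behind an unrelated prefix, as a renamed attachment might be.
DISGUISED = b"Not really a JPEG " + MALICIOUS + b" trailing bytes"

if __name__ == "__main__":
    print("benign:", scan_wmf(BENIGN))
    print("malicious:", scan_wmf(MALICIOUS))
    print("disguised:", find_embedded_wmf(DISGUISED))
```

A gateway that applies `find_embedded_wmf` to every attachment and download, not only to files ending in `.wmf`, implements the advisory's point that extension-based blocking is only partial protection. It is a detection aid, not a substitute for the patch: a filter that misses a header variant still leaves the rendering engine exposed.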

Gartner went on to advise that, in order to maximize protection against the WMF flaw, firms should take the following steps:

  • Distribute the Microsoft patch as soon as logistically possible.
  • Block WMF files in email attachments and web downloads for immediate, partial protection until the patch can be deployed.
  • Ensure that URL filtering products are deployed, activated and regularly updated.
  • Update inline network intrusion prevention systems (IPSs) with the latest signature updates and follow the IPS providers' latest threat-blocking recommendations.
  • Ensure that host protection mechanisms, including antivirus and anti-spyware tools and host-based intrusion prevention systems (HIPS), are working properly and reliably updated with the latest signature files, and closely monitor announcements from their vendors.
  • Prepare for the possibility that it may become necessary to unregister the vulnerable library from Windows (Microsoft's interim workaround was to unregister the Windows Picture and Fax Viewer component, shimgvw.dll). This would affect any application or image that relies on that component for image rendering.