The recently disclosed Windows metafile exploit could damage many enterprise systems, not just those that directly use the affected processes, Gartner has warned.
The analyst firm advised companies to deploy Microsoft's newly released official patch rather than the third-party patch available at www.hexblog.com/2005/12/wmf_vuln.html, which works by disabling the use of custom abort code.
The analyst firm said it recommends against the use of this unsupported patch – particularly by large enterprises – because it would require extensive testing and eventual deinstallation, and could introduce additional risk.
Gartner notes that this critical vulnerability stems from the WMF format allowing custom abort code to be embedded within a WMF object. A malicious WMF file, once opened by the graphics rendering engine, can run code with the privileges of the user who opened it.
"This does not automatically provide remote privilege-escalation capabilities, but because users typically have administrative privileges, malicious code will likely gain full access to affected systems. Mitigating this vulnerability will be difficult, because it is within a dynamic link library (DLL) file used by an unknown number of applications, including the Windows Picture and Fax Viewer, Lotus Notes and, reportedly, Google Desktop's indexer," stated a recent advisory written by Gartner analysts Amrit T. Williams, Jay Heiser and Neil MacDonald.
Even if the default file system association between the viewer and WMF files is changed, a malicious WMF file can be given a different extension and still be automatically processed by the vulnerable DLL, the advisory added.
"For this reason, every image that is received must be inspected for malicious content. Moreover, compound documents, such as Word files, may contain embedded images, so it may be necessary to extend inspection to all attachments," Gartner warned.
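The two points above, that the extension of a file says nothing about whether the rendering DLL will treat it as a metafile and that every received image therefore needs to be inspected by content, translate into a simple content-based check. The following is an added example written for this article, not code from Gartner or from any patch the article mentions. It recognises WMF data by its header regardless of the file name, walks the metafile's records, and flags META_ESCAPE records whose escape sub-function is SETABORTPROC, which is the record type that carries the "custom abort code" the advisory describes. The record layout and constants (placeable-header key 0x9AC6CDD7, META_ESCAPE 0x0626, SETABORTPROC 0x0009, MFCOMMENT 0x000F) are taken from the public WMF format specification; the sample metafiles are constructed inline for the demonstration and carry only placeholder bytes in the escape data.

```python
"""Content-based WMF inspection (added example; see lead-in for assumptions)."""
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header
META_EOF = 0x0000            # last record of every metafile
META_SETBKCOLOR = 0x0201     # an ordinary drawing record, used for the benign sample
META_ESCAPE = 0x0626         # record that passes an escape to the output device
SETABORTPROC = 0x0009        # escape sub-function that installs an abort procedure
MFCOMMENT = 0x000F           # harmless escape sub-function (a comment), for contrast


def _strip_placeable(data: bytes) -> bytes:
    """Drop the placeable header if present; the standard METAHEADER follows it."""
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return data[22:]
    return data


def looks_like_wmf(data: bytes) -> bool:
    """Decide by content only; the file extension is never consulted."""
    data = _strip_placeable(data)
    if len(data) < 18:
        return False
    mf_type, header_size, version = struct.unpack_from("<HHH", data, 0)
    return mf_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def iter_records(data: bytes):
    """Yield (offset, function, params) for each record after the 18-byte header."""
    data = _strip_placeable(data)
    pos = 18
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        size = size_words * 2
        if size < 6 or pos + size > len(data):
            return  # truncated or malformed record: stop parsing
        yield pos, func, data[pos + 6:pos + size]
        if func == META_EOF:
            return
        pos += size


def find_abort_proc_escapes(data: bytes) -> list:
    """Offsets of META_ESCAPE records whose escape sub-function is SETABORTPROC."""
    hits = []
    for offset, func, params in iter_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            escape_func, _byte_count = struct.unpack_from("<HH", params, 0)
            if escape_func == SETABORTPROC:
                hits.append(offset)
    return hits


def inspect(data: bytes) -> str:
    """Verdict for one attachment body, whatever name or extension it arrived under."""
    if not looks_like_wmf(data):
        return "not-wmf"
    return "suspicious" if find_abort_proc_escapes(data) else "clean"


# --- constructed sample metafiles (not real-world files) ---------------------

def _record(func: int, params: bytes) -> bytes:
    params += b"\0" * (len(params) % 2)              # records are word-aligned
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records: list) -> bytes:
    body = b"".join(records) + _record(META_EOF, b"")
    max_record = max(len(r) for r in records + [_record(META_EOF, b"")]) // 2
    # METAHEADER: Type, HeaderSize (words), Version, Size (words), NumberOfObjects,
    # MaxRecord (words), NumberOfMembers
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_record, 0)
    return header + body


def placeable_header() -> bytes:
    fields = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for (word,) in struct.iter_unpack("<H", fields):
        checksum ^= word
    return fields + struct.pack("<H", checksum)


BENIGN_WMF = build_wmf([_record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF))])
BENIGN_ESCAPE_WMF = build_wmf([_record(META_ESCAPE, struct.pack("<HH", MFCOMMENT, 4) + b"note")])
SUSPECT_WMF = build_wmf([_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"XXXX")])  # placeholder data
PLACEABLE_SUSPECT = placeable_header() + SUSPECT_WMF
NOT_WMF = b"GIF89a" + b"\0" * 20

if __name__ == "__main__":
    for name, blob in [("photo.gif", NOT_WMF), ("clip.wmf", BENIGN_WMF),
                       ("comment.wmf", BENIGN_ESCAPE_WMF), ("renamed.jpg", SUSPECT_WMF)]:
        print(f"{name}: {inspect(blob)}")
```

Because `inspect` never looks at the file name, a metafile renamed to `.jpg` is classified exactly as one named `.wmf`, which is the property the advisory says any inspection must have. The same routine can be run over images extracted from compound documents once they have been unpacked.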
Gartner went on to advise that, in order to maximize protection against the WMF flaw, firms should take the following steps: