Thread-topic: iDefense Security Advisory 04.03.07: Microsoft Windows WMF TriggerableKernel Design Error DoS Vulnerability
> -----Original Message-----
> @idefense.com] On Behalf Of iDefense Labs Security Advisories
> Sent: Tuesday, April 03, 2007 10:06 PM
> To: iDefense Labs Security Advisories
> Subject: iDefense Security Advisory 04.03.07: Microsoft
> Windows WMF TriggerableKernel Design Error DoS Vulnerability
> Microsoft Windows WMF Triggerable Kernel Design Error DoS
> iDefense Security Advisory 04.03.07
> Apr 03, 2007
> I. BACKGROUND
> The Microsoft Windows kernel controls which processes are
> allowed to run
> and is responsible for accessing hardware such as storage devices and
> video adapters, scheduling time for each process to execute, managing
> memory, and other system control tasks. For more information on on the
> Windows kernel visit MSDN at the URL shown below.
> II. DESCRIPTION
> Remote exploitation of a design error in certain kernel GDI
> functions in
> multiple versions of Microsoft Corp.'s Windows operating system may
> allow an attacker to cause a denial of service condition.
> During testing of the MS06-001 WMF (Windows Metafile) vulnerability, a
> flaw was found in the handling of WMF files. This flaw can cause the
> kernel to perform a bug check, also known as a "blue screen" or system
> crash, when it tries to parse the file. The cause of this bug check is
> an attempt by a function in a kernel system call to read a value
> obtained by dereferencing an offset into a kernel structure.
> This value
> had been previously created and then reset by previous system
> calls, and
> at the point it is accessed it does not contain a valid memory
> reference. This results in an access violation error, which in turn
> triggers the bug check.
> This vulnerability is different from both the Microsoft MS06-001 WMF
> vulnerability and the MS05-053 WMF vulnerability and is not fixed by
> either of these patches.
> III. ANALYSIS
> Exploitation of this vulnerability would allow a remote attacker to
> perform a denial of service against an affected system.
> Depending on where the file was saved and configuration details of the
> target, this could result in a persistent denial of service condition,
> causing an immediate reboot upon logging on after an attack. The
> results of testing this vulnerability suggest that in some
> cases it may
> cause corruption of the system in a manner that prevents the
> system from
> It is likely that Enhanced Windows Metafiles (EMF) are also affected,
> but this has not yet been confirmed.
> Currently, due to the type of location being referenced by the kernel,
> it appears that the vulnerability may only be exploitable by a remote
> attacker to cause a DoS condition. The vectors that could be used to
> remotely exploit this vulnerability would most likely be similar to
> those that the MS06-001 vulnerability used.
> IV. DETECTION
> This vulnerability has been confirmed to affect the following
> Windows operating systems:
> * Windows XP with Service Pack 2
> * Windows 2003 Server
> Other Windows operating systems may also be affected.
> V. WORKAROUND
> Blocking .wmf files at all e-mail and Web gateways is strongly
> recommended. However, this is not effective if blocking is done based
> on file extensions (e.g., .wmf), as an attacker can simply rename the
> file to a new extension.
> Reading e-mail in plain-text can prevent automatic exploitation via
> electronic mail.
> VI. VENDOR RESPONSE
> Microsoft has addressed this vulnerability within MS07-017. For more
> information, consult their bulletin at the following URL.
> VII. CVE INFORMATION
> The Common Vulnerabilities and Exposures (CVE) project has
> assigned the
> name CVE-2007-1211 to this issue. This is a candidate for inclusion in
> the CVE list (http://cve.mitre.org/), which standardizes names for
> security problems.
> VIII. DISCLOSURE TIMELINE
> 01/10/2006 Initial vendor notification
> 01/10/2006 Initial vendor response
> 04/03/2007 Coordinated public disclosure
> IX. CREDIT
> This vulnerability was discovered by Greg MacManus of iDefense Labs.
> Get paid for vulnerability research
> Free tools, research and upcoming events
> X. LEGAL NOTICES
> Copyright (c) 2007 iDefense, Inc.
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDefense. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically,
> please e-mail customerservice@xxxxxxxxxxxx for permission.
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available
> information. Use
> of the information constitutes acceptance for use in an AS IS
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct,
> indirect, or consequential loss or damage arising from use of, or
> reliance on, this information.
> To unsubscribe, go here: