Microsoft Squashes Three New Windows Bugs

Microsoft's latest security bulletin, rated critical, patches security flaws in Windows 2000, XP and Windows Server 2003 that could allow an attacker to take control of a target system.
Microsoft on Tuesday released a single security bulletin that fixed three flaws in Windows, two of which the Redmond, Wash.-based developer dubbed critical.

The MS05-053 bulletin includes patches for Windows 2000, Windows XP (SP2 included), and Windows Server 2003.

The most dangerous of the three is a vulnerability in how Windows' graphics rendering engine processes WMF and EMF (Windows Metafile and Enhanced Metafile, respectively) images.

By enticing users to a malicious Web site with malformed WMF and/or EMF images, or sending such an image via HTML-formatted e-mail, an attacker could remotely grab control of a PC, said Microsoft. Other attack vectors could include Office documents -- an attacker might embed a WMF or EMF image in a Word document, for instance -- or posting an image onto a network share and getting the user to preview the folder.

The vulnerability, while serious, probably won't result in a worm of any scale, said Neel Mehta, the team leader for Internet Security Systems' (ISS) X-Force research group. "I think it's doubtful that we'll see this widely exploited," said Mehta.

The WMF/EMF formats are legacy formats that are rarely used on Web sites, he noted, and although spyware writers and other malicious code creators may leverage this new bug, they have more effective ways to put their software on users' machines.

"But we may see some targeted attacks," continued Mehta. "The most credible would be to have these [image] files embedded within an e-mail."

Marc Maiffret, the chief hacking officer at eEye Digital Security, the security company credited or co-credited with two of the three bugs, agreed. "The general theme of these is that you have to be careful when opening e-mail or going to some Web page linked, say, through a chat session."

WMF and EMF images hark back to Windows 3.x and Windows 95, respectively, and can contain both vector and bitmap image data.

However, Maiffret and Tim Keanini, the chief technology officer of vulnerability manager nCircle, disagreed with Mehta over the vulnerabilities' impact.

"Two of the three allow remote execution of code," Keanini said. "Once you reach remote code execution, there's no [worse] place to go. It's game over."

"It doesn't matter if WMF is popular or in use," added Maiffret. "It only matters that Windows understands it and opens it."

The primary vulnerability in MS05-053 was first reported to Microsoft on March 29, 2005, by eEye, said Maiffret, making it the oldest acknowledged vulnerability on the company's list. In the past, Microsoft has been blasted for taking months to patch problems in its operating systems.

Users can obtain the month's patches via Windows' Automatic Update, from the Microsoft Update service, or through other software and services the company maintains, such as Windows Server Update Services (WSUS) or Software Update Services (SUS).

Also on Tuesday, Microsoft updated its Windows Malicious Software Removal Tool so that it now detects and removes five additional pieces of malicious code: Bugbear, Opaserv, Mabutu, Swen and Codbot. The update is automatically downloaded, installed, and run on Windows 2000, XP, and Server 2003 for systems set to grab patches from Windows Update or Microsoft Update. Users can also manually run the tool from the Microsoft Web site or download it.

Of the five new worms handled by Microsoft's sniffer, the most serious is Swen, a threat widely used two years ago but rarely seen since.
