Security Bulletin

Microsoft Security Bulletin MS06-026 - Critical

Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (918547)

Published: June 13, 2006

Version: 1.0

Summary

Who Should Read this Document: Customers who use Microsoft Windows

Impact of Vulnerability: Critical

Maximum Severity Rating: Remote Code Execution

Recommendation: Customers should apply the update immediately.

Security Update Replacement: None

Caveats: Microsoft Knowledge Base Article 918547 documents the currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues. For more information, see Microsoft Knowledge Base Article 918547.

Tested Software and Security Update Download Locations:

Affected Software:

  • Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (Me) —See “FAQ Related to This Security Update” documented below.

Non-Affected Software:

  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
  • Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
  • Microsoft Windows Server 2003 x64 Edition

General Information

Executive Summary

Executive Summary:

This update resolves a newly discovered, privately reported vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin.

We recommend that customers apply the update immediately

Severity Ratings and Vulnerability Identifiers:

Vulnerability Identifiers Impact of Vulnerability Windows 98, 98 SE, ME
Graphics Rendering Vulnerability - CVE-2006-2376 Remote Code Execution Critical

This assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by one or more of the vulnerabilities that are addressed in this security bulletin?
Yes. Windows 98, Windows 98 Second Edition, and Windows Millennium Edition are critically affected by this vulnerability. Critical security updates for these platforms are available and can be downloaded only from the Windows Update Web site. For more information about severity ratings, visit the following Web site. Note Updates for localized versions of Microsoft Windows Millennium Edition that are not supported by Windows Update are available for download at the following download locations:

Can I use the Microsoft Baseline Security Analyzer (MBSA) to determine whether this update is required?
The following table provides the MBSA detection summary for this security update.

Software MBSA 1.2.1 MBSA 2.0
Microsoft Windows 98 and Microsoft Windows 98 Second Edition No No
Microsoft Windows Millennium Edition No No

For more information about MBSA, visit the MBSA Web site. For more information about the software that Microsoft Update and MBSA 2.0 currently do not detect, see Microsoft Knowledge Base Article 895660.

Can I use Systems Management Server (SMS) to determine whether this update is required?
The following table provides the SMS detection summary for this security update.

Software SMS 2.0 SMS 2003
Microsoft Windows 98 and Microsoft Windows 98 Second Edition No No
Microsoft Windows Millennium Edition No No

SMS uses MBSA for detection. Therefore, SMS has the same limitation that is listed earlier in this bulletin related to software that MBSA does not detect.

For SMS 2.0, the SMS SUS Feature Pack, which includes the Security Update Inventory Tool, can be used by SMS to detect security updates. SMS SUIT uses the MBSA 1.2.1 engine for detection. For more information about the Security Update Inventory Tool, visit the following Microsoft Web site. For more information about the limitations of the Security Update Inventory Tool, see Microsoft Knowledge Base Article 306460. The SMS SUS Feature Pack also includes the Microsoft Office Inventory Tool to detect required updates for Microsoft Office applications.

For SMS 2003, the SMS 2003 Inventory Tool for Microsoft Updates can be used by SMS to detect security updates that are offered by Microsoft Update and that are supported by Windows Server Update Services. For more information about the SMS 2003 Inventory Tool for Microsoft Updates, visit the following Microsoft Web site. SMS 2003 can also use the Microsoft Office Inventory Tool to detect required updates for Microsoft Office applications.

For more information about SMS, visit the SMS Web site.

Vulnerability Details

Graphics Rendering Vulnerability - CVE-2006-2376

A remote code execution vulnerability exists in the Graphics Rendering Engine because of the way that it handles Windows Metafile (WMF) images. An attacker could exploit the vulnerability by constructing a specially crafted WMF image that could potentially allow remote code execution if a user visited a malicious Web site or opened a specially crafted attachment in e-mail. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Mitigating Factors for Graphics Rendering Vulnerability - CVE-2006-2376:

  • In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. Also, Web sites that accept or host user-provided content or advertisements, and compromised Web sites, may contain malicious content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail or Instant Messenger request that takes users to the attacker's Web site.

Workarounds for Graphics Rendering Vulnerability - CVE-2006-2376:

We have not identified any workarounds for this vulnerability.

FAQ for Graphics Rendering Vulnerability - CVE-2006-2376:

What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data.

What causes the vulnerability?
A vulnerability exists in the way that the Graphics Rendering Engine handles specially crafted WMF images that could allow arbitrary code to be executed.

What is the Windows Metafile (WMF) image format?

A Windows Metafile (WMF) image is a 16-bit metafile format that can contain both vector information and bitmap information. It is optimized for the Windows operating system.

For more information about image types and formats, see Microsoft Knowledge Base Article 320314 or visit the MSDN Library Web site.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.

How could an attacker exploit the vulnerability?
An attacker could exploit this vulnerability by creating a malicious Web page or a specially crafted attachment in e-mail and then persuading the user to visit the page or open the attachment. If the user visited the page or opened the attachment, the attacker could cause malicious code to run in the security context of the locally logged on user. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.

What systems are primarily at risk from the vulnerability?
This vulnerability requires that a user is reading e-mail or visiting Web sites for any malicious action to occur. Therefore, any systems where e-mail is read or where Internet Explorer is used frequently are at the most risk from this vulnerability.

Does this vulnerability affect image formats other than Windows Metafile (WMF)?
The only image format that is affected is the Windows Metafile (WMF) format. It is possible, however, that an attacker could rename the file name extension of a WMF file to that of a different image format. In this situation, it is likely that the Graphics Rendering Engine would detect and render the file as a WMF image, which could allow exploitation.

If I block files that use the .wmf file name extension, can this protect me against attempts to exploit this vulnerability?
No. The Graphics Rendering Engine does not determine file types by the file name extensions that they use. Therefore, if an attacker alters the file name extension of a WMF file, the Graphics Rendering Engine could still render the file in a way that could exploit the vulnerability.

Are Windows 2000, Windows XP or Windows Server 2003 affected by this vulnerability?
No. Windows 2000, Windows XP, and Windows Server 2003 do not contain the affected component.

Could the vulnerability be exploited over the Internet?
An attacker could try to exploit this vulnerability over the Internet. Firewall best practices and standard default firewall configurations can help protect against attacks that originate from the Internet. Microsoft has provided information about how you can help protect your PC. End users can visit the Protect Your PC Web site. IT professionals can visit the Security Guidance Center Web site.

What does the update do?
The update removes the vulnerability by modifying the way that Windows Metafile (WMF) images are handled.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

How does this vulnerability relate to the vulnerabilities that were corrected by MS06-001?
Both vulnerabilities were in the Graphics Rendering Engine. However, this update addresses a new vulnerability that was not addressed as part of MS06-001. MS06-001 does not help protect against the vulnerability that is discussed in this bulletin, and does not address this new vulnerability.

Other Information

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

  • Peter Ferrie of Symantec for reporting the Graphics Rendering Vulnerability - CVE-2006-2376

Obtaining Other Security Updates:

Updates for other security issues are available at the following locations:

Support:

  • Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.
  • International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Security Resources:

Software Update Services:

By using Microsoft Software Update Services (SUS), administrators can quickly and reliably deploy the latest critical updates and security updates to Windows 2000 and Windows Server 2003-based servers, and to desktop systems that are running Windows 2000 Professional or Windows XP Professional.

For more information about how to deploy security updates by using Software Update Services, visit the Software Update Services Web site.

Windows Server Update Services:

By using Windows Server Update Services (WSUS), administrators can quickly and reliably deploy the latest critical updates and security updates for Windows 2000 operating systems and later, Office XP and later, Exchange Server 2003, and SQL Server 2000 onto Windows 2000 and later operating systems.

For more information about how to deploy security updates using Windows Server Update Services, visit the Windows Server Update Services Web site.

Systems Management Server:

Microsoft Systems Management Server (SMS) delivers a highly configurable enterprise solution for managing updates. By using SMS, administrators can identify Windows-based systems that require security updates and can perform controlled deployment of these updates throughout the enterprise with minimal disruption to end users. For more information about how administrators can use SMS 2003 to deploy security updates, visit the SMS 2003 Security Patch Management Web site. SMS 2.0 users can also use Software Updates Service Feature Pack to help deploy security updates. For information about SMS, visit the SMS Web site.

Note SMS uses the Microsoft Baseline Security Analyzer, the Microsoft Office Detection Tool, and the Enterprise Update Scanning Tool to provide broad support for security bulletin update detection and deployment. Some software updates may not be detected by these tools. Administrators can use the inventory capabilities of the SMS in these cases to target updates to specific systems. For more information about this procedure, visit the following Web site. Some security updates require administrative rights following a restart of the system. Administrators can use the Elevated Rights Deployment Tool (available in the SMS 2003 Administration Feature Pack and in the SMS 2.0 Administration Feature Pack) to install these updates.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (June 13, 2006): Bulletin published.

Built at 2014-04-18T13:49:36Z-07:00