[NT] ART Image Rendering Remote Code Execution (MS06-022)



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
SUMMARY

There is a remote code execution vulnerability in the way that Windows
handles ART images. An attacker could exploit the vulnerability by
constructing a specially crafted ART image that could potentially allow
remote code execution if a user visited a Web site or viewed a specially
crafted e-mail message. An attacker who successfully exploited this
vulnerability could take complete control of an affected system.

A vulnerability in ART image rendering could allow remote code execution.

DETAILS

Vulnerable Systems:
* Microsoft Windows XP Service Pack 1 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=F6328F82-457E-44CB-95FB-2DB0E8C9EE3C> Download the update
* Microsoft Windows XP Service Pack 2 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=71022EA1-94CB-4FE9-B89E-46876D068B9A> Download the update
* Microsoft Windows XP Professional x64 Edition -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=A386523E-96AB-43ED-B189-E13AF497B685> Download the update
* Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service
Pack 1 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=56DF0CF2-9214-4B23-9034-C59E8B7126D6> Download the update
* Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft
Windows Server 2003 with SP1 for Itanium-based Systems -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=5E1B95C3-7E75-4468-829C-1DC7B4ECE5D0> Download the update
* Microsoft Windows Server 2003 x64 Edition -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=4DC13B7C-01AB-4BB6-9766-0FE0D02E410D> Download the update
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (Me)

Affected Components:
* Windows 2000 with the
<http://www.microsoft.com/windows2000/downloads/recommended/aolfix/default.asp> Windows 2000 AOL Image Support Update installed:
* Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000
Service Pack 4 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=AE6D8DA7-B170-416D-8812-265FFA757301> Download the update
* Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service
Pack 4 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=F6328F82-457E-44CB-95FB-2DB0E8C9EE3C> Download the update

Note:
The security updates for Microsoft Windows Server 2003, Windows Server
2003 Service Pack 1, and Windows Server 2003 x64 Edition also apply to
Windows Server 2003 R2.

Mitigating Factors for ART Image Rendering Vulnerability:
In a Web-based attack scenario, an attacker could host a Web site that
contains a Web page that is used to exploit this vulnerability. In
addition, compromised Web sites and Web sites that accept or host
user-provided content or advertisements could contain specially crafted
content that could exploit this vulnerability. In all cases, however, an
attacker would have no way to force users to visit these Web sites.
Instead, an attacker would have to persuade users to visit the Web site,
typically by getting them to click a link in an e-mail message or instant
messenger message that takes users to the attacker's Web site.

An attacker who successfully exploited this vulnerability could gain the
same user rights as the local user. Users whose accounts are configured to
have fewer user rights on the system could be less impacted than users who
operate with administrative user rights.

Windows 2000 does not support AOL ART images by default. Windows 2000 is
only affected if the
<http://www.microsoft.com/windows2000/downloads/recommended/aolfix/default.asp> Windows 2000 AOL Image Support Update has been installed. The files updated by this security update do not exist on a Windows 2000 system without the AOL Image Support Update.

Workarounds for ART Image Rendering Vulnerability:
Microsoft has tested the following workarounds. Although these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is identified
in the following section.

* Modify the Access Control List on the AOL ART files to temporarily
prevent them from being displayed in Internet Explorer
To modify the Access Control List (ACL) on the AOL ART files to be more
restrictive, follow these steps:
1. Click Start, click Run, type cmd, and then click OK.

2. Type the following commands at a command prompt and make a note of the
current ACLs on the files, including inheritance settings. You will need
this record if you have to undo these modifications:
cacls %windir%\system32\jgdw400.dll
cacls %windir%\system32\jgpl400.dll

3. Type the following commands at a command prompt to deny the Everyone
group access to these files:
echo y|cacls %windir%\system32\jgdw400.dll /d everyone
echo y|cacls %windir%\system32\jgpl400.dll /d everyone

4. Close Internet Explorer, and reopen it for the changes to take effect.

Impact of Workaround:
Applications and Web sites that contain AOL ART files will no longer
display those images. To regain functionality, you must undo the
modifications to the Access Control List on the AOL ART files.
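As an added example for the ACL workaround above (this is not code from the Microsoft bulletin or from SecuriTeam), the following batch script carries out steps 2 and 3 and can also undo them. It uses cacls /E, which edits the existing ACL rather than replacing it, so the original entries survive and the Deny entry can later be revoked with /E /R; the plain "cacls ... /d everyone" form in the bulletin replaces the whole ACL, which is why the bulletin asks you to record it first. The script name, the apply/undo arguments and the record file under %TEMP% are this example's own choices.

```batch
@echo off
rem Added example for the cacls workaround. It is not part of the
rem Microsoft bulletin. Script name, the apply/undo arguments and the
rem record file under TEMP are this example's own choices.
rem "cacls FILE /E /D Everyone" adds a Deny entry to the existing ACL,
rem which "cacls FILE /E /R Everyone" can remove again. Plain
rem "cacls FILE /D everyone" replaces the whole ACL instead.
rem Run from an administrator command prompt:
rem     art-acl.cmd apply
rem     art-acl.cmd undo
setlocal
set "ARTFILES=%windir%\system32\jgdw400.dll %windir%\system32\jgpl400.dll"
set "RECORD=%TEMP%\art-acl-before.txt"

if /i "%~1"=="apply" goto apply
if /i "%~1"=="undo"  goto undo
echo usage: %~nx0 apply ^| undo
exit /b 2

:apply
for %%F in (%ARTFILES%) do (
    if exist "%%F" (
        rem Step 2 of the workaround: keep a record of the current ACL.
        echo %%F >>"%RECORD%"
        cacls "%%F" >>"%RECORD%"
        rem Step 3: deny Everyone. The piped y answers the prompt if cacls asks.
        echo y| cacls "%%F" /E /D Everyone
    ) else (
        echo %%F not found - ART support is not installed, nothing to do
    )
)
echo Previous ACLs recorded in "%RECORD%". Restart Internet Explorer.
exit /b 0

:undo
for %%F in (%ARTFILES%) do (
    if exist "%%F" (
        cacls "%%F" /E /R Everyone
    )
)
echo Deny entries removed. Restart Internet Explorer.
exit /b 0
```

A Deny entry for Everyone takes precedence over the Allow entries that remain in the ACL, so Internet Explorer can no longer load the two libraries; the owner of a file keeps the right to change its ACL, so the undo step still works from an administrator prompt. Close and reopen Internet Explorer after either step, as the bulletin notes.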

* Install Microsoft Security Bulletin MS06-021, Cumulative Security
Update for Internet Explorer (916281)
After installation of <http://go.microsoft.com/fwlink/?LinkId=66973>
Microsoft Security Bulletin MS06-021: Cumulative Security Update for
Internet Explorer (916281), ART files will no longer be displayed in
Internet Explorer.

FAQ for ART Image Rendering Vulnerability:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. If a user is logged on with
administrative user rights, an attacker who successfully exploited this
vulnerability could take complete control of an affected system. An
attacker could then install programs; view, change, or delete data; or
create new accounts with full user rights. Users whose accounts are
configured to have fewer user rights on the system could be less impacted
than users who operate with administrative user rights.

What causes the vulnerability?
An unchecked buffer in the ART image rendering library causes this
vulnerability.

What is ART?
ART is an image file format used by the America Online (AOL) client
software. Windows also includes the library and Internet Explorer displays
ART images.

Note: After installation of <http://go.microsoft.com/fwlink/?LinkId=66973>
Microsoft Security Bulletin MS06-021: Cumulative Security Update for
Internet Explorer (916281), ART files will no longer be displayed in
Internet Explorer. We recommend installing both updates.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of the affected system.

How could an attacker exploit the vulnerability?
An attacker could host a specially crafted Web site or HTML e-mail message
that is designed to exploit this vulnerability through Internet Explorer
and then persuade a user to view the Web site or HTML e-mail message. This
can also include Web sites that accept user-provided content or
advertisements, Web sites that host user-provided content or
advertisements, and compromised Web sites. These Web sites could contain
specially crafted content that could exploit this vulnerability. In all
cases, however, an attacker would have no way to force users to visit
these Web sites. Instead, an attacker would have to persuade users to
visit the Web site, typically by getting them to click a link in an e-mail
message or in an Instant Messenger request that takes users to the
attacker's Web site. It could also be possible to display specially
crafted Web content by using banner advertisements or by using other
methods to deliver Web content to affected systems.

What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers could be
at more risk if users who do not have sufficient administrative
permissions are given the ability to log on to servers and to run
programs. However, best practices strongly discourage allowing this.

Windows 2000 does not support AOL ART images by default. Windows 2000 is
only affected if the
<http://www.microsoft.com/windows2000/downloads/recommended/aolfix/default.asp> Windows 2000 AOL Image Support Update has been installed.

Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition
critically affected by this vulnerability?
Yes. Windows 98, Windows 98 Second Edition, and Windows Millennium Edition
are critically affected by the vulnerabilities that are addressed in this
security bulletin. Critical security updates for these platforms are
available, are provided as part of this security bulletin, and can be
downloaded only from the <http://go.microsoft.com/fwlink/?LinkId=21130>
Windows Update Web site. For more information about severity ratings,
visit the following <http://go.microsoft.com/fwlink/?LinkId=21140> Web
site.

What does the update do?
The update removes the vulnerability by modifying the way that the ART
image rendering library validates the length of a message before it passes
the message to the allocated buffer.

When this security bulletin was issued, had this vulnerability been
publicly disclosed?
No. Microsoft received information about this vulnerability through
responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2378>
CVE-2006-2378


ADDITIONAL INFORMATION

The information has been provided by Microsoft Security.
The original article can be found at:
<http://www.microsoft.com/technet/security/bulletin/ms06-022.mspx>


