Monday, January 9, 2006

More WMF Woes for Microsoft - DOS Vulnerability - UPDATED

Symantec issued a vulnerability alert on its DeepSight Threat Management System warning customers of multiple memory corruption vulnerabilities in the same rendering engine that Microsoft just patched (MS06-001).

Based on the information available so far, this looks more like a DoS vulnerability at this point, but code execution should never be ruled out. Microsoft should remember the lesson from the IE flaw discovered by Benjamin Tobias in March of 2005: once thought to be just a DoS vulnerability, it turned out to also allow execution of arbitrary code.

Right now, it would appear that the DoS applies to Windows 98, 2000-2003 and Vista. Fine tuning of this information will occur over time, however.

Moral of the story: no threat is too small to examine and take into account.

It reminds me of our ever-changing road system.

At first, there are five pretty small potholes in the road. The DOT comes out and fixes the biggest one, which most likely causes the most complaints and the biggest headaches. But after a while, those four other holes grow and cause just as many problems, if not more, than the original.

UPDATE - It has been barely an hour since my original post. Andrey Bayora posted the following information on the FD security mailing list. I have not tested these WMF files at this point; I am just passing on the new information.

Well, here is the PoC for the 2 new WMF vulnerabilities discovered by cocoruder, which are not covered by MS06-001.

You can download the WMF images at http://www.securityelf.org/files/WMF-DoS.rar

UPDATE x 2 - It would seem that the first WMF flaw took Microsoft by surprise. Kevin Kean, a director in the Microsoft Security Response Center (MSRC), said the following in this CNET article:

“"It is not a common buffer overflow," Kean said.”The software has a behavior that people can take advantage of. Obviously we did not intend it to be used in that way."

I was hoping Microsoft had learned that valuable lesson by now. Attackers and hackers constantly use things in ways they were not intended to be used. This “intending” issue is one of the core secure coding problems.

Programmers always “intend” users to supply correct input and never “intend” to let users feed in more data than a buffer can hold, but it happens. Part of the secure coding idea is to look at your code and find the places where attackers could use it in ways that were not “intended”.
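As an added illustration of that secure coding point (this is example code written for this post, not Microsoft's rendering code and not the real WMF record layout): a constructed, simplified length-prefixed record format, with the "intended use" parser that trusts the length field beside a hardened parser that validates it against both the input buffer and the fixed-size destination. All record layouts, limits and sample inputs here are assumptions made up for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed record layout (assumption, not the real WMF format):
 * 4-byte little-endian payload length, then that many payload bytes. */
#define MAX_PAYLOAD 64

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_LARGE = 2 };

struct record {
    uint32_t len;
    uint8_t  payload[MAX_PAYLOAD];
};

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The "intended use" parser: it assumes the file was produced by a
 * well-behaved writer and copies whatever length the header declares.
 * A length larger than MAX_PAYLOAD (or larger than the input) overruns
 * rec->payload. Kept only to show the defect; never call it on untrusted data. */
void parse_record_unchecked(const uint8_t *buf, struct record *rec) {
    rec->len = read_le32(buf);
    memcpy(rec->payload, buf + 4, rec->len);   /* no bounds check at all */
}

/* Hardened parser: every value taken from the input is checked against
 * what is actually present and against the fixed-size destination
 * before a single byte is copied. */
int parse_record(const uint8_t *buf, size_t buf_len, struct record *rec) {
    if (buf_len < 4)
        return PARSE_TRUNCATED;                 /* header itself is incomplete */
    uint32_t len = read_le32(buf);
    if (len > MAX_PAYLOAD)
        return PARSE_TOO_LARGE;                 /* would overflow payload[] */
    if (len > buf_len - 4)
        return PARSE_TRUNCATED;                 /* claims more bytes than exist */
    rec->len = len;
    memcpy(rec->payload, buf + 4, len);
    return PARSE_OK;
}

/* Constructed sample inputs for the three cases the parser must handle. */
static const uint8_t good_record[]      = { 0x03, 0x00, 0x00, 0x00, 'a', 'b', 'c' };
static const uint8_t oversize_record[]  = { 0xFF, 0xFF, 0xFF, 0x7F, 'x' };
static const uint8_t truncated_record[] = { 0x10, 0x00, 0x00, 0x00, 'x', 'y' };

/* Small wrappers so each outcome is a return value, not just printed output. */
int demo_good(void) {
    struct record r;
    int st = parse_record(good_record, sizeof good_record, &r);
    /* PARSE_OK with the 3 payload bytes copied; anything else is a bug */
    return (st == PARSE_OK && r.len == 3 && memcmp(r.payload, "abc", 3) == 0) ? 0 : -1;
}
int demo_oversize(void)  { struct record r; return parse_record(oversize_record,  sizeof oversize_record,  &r); }
int demo_truncated(void) { struct record r; return parse_record(truncated_record, sizeof truncated_record, &r); }

int main(void) {
    printf("good: %d (0 = ok)\n", demo_good());
    printf("oversize: %d (2 = PARSE_TOO_LARGE)\n", demo_oversize());
    printf("truncated: %d (1 = PARSE_TRUNCATED)\n", demo_truncated());
    return 0;
}
```

The two checks in `parse_record` are the whole difference: the unchecked version is correct for every file a well-behaved writer produces, which is exactly why it survives review, while the hardened version treats the length field as hostile input and rejects both a declared length that exceeds the destination and one that exceeds the bytes actually supplied.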

On a positive note, this situation will remind Microsoft why it cannot leave old code lying around. This new security push can only help, in my mind. No pain, no gain.
