Wednesday, February 8, 2006

WMF Vulnerability Returns for IE5

Microsoft issued a new security advisory yesterday. Yet another WMF vulnerability.

(91333) Vulnerability in Internet Explorer Could Allow Remote Code Execution

This new advisory only relates to the following two cases:

1) Internet Explorer 5.01 SP4 on Microsoft Windows 2000 SP4
2) Internet Explorer 5.5 SP2 on Microsoft Windows Millennium

Note - This is not the same issue as the one addressed by MS06-001

Secunia Advisories (SA18729) - Highly Critical - System Access

Candidate CVE-2006-0020

It would appear that this might be connected to the flaw pointed out by HD Moore on the FunSec mailing list in Jan.

--------------------------------
More where that came from. The fun thing about these is that they DO apply to Windows 96, 98, 2000-2003, Vista. You can trigger it via RTF, directly inside IE, and anything else that loads metafiles. A fun bug you can find in a certain WMF parsing application...:

uint_size = wmf_header.size * 2;
ptr = malloc(uint_size);
read(fd, ptr, uint_size - sizeof(wmf_header));

:-)

-HD
---------------------------------
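
The length arithmetic in the quoted snippet, worked through as an added example (this is not HD Moore's code or the unnamed application's). It assumes a 32-bit uint_size, a size field counted in 16-bit words, the 18-byte WMF header and a hypothetical 64 MiB cap; all function names are illustrative.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define WMF_HEADER_LEN 18u          /* assumed: standard 18-byte metafile header */
#define WMF_MAX_BYTES  (64u << 20)  /* assumed policy cap: 64 MiB */

/* The arithmetic from the quoted snippet, with uint_size as a 32-bit value.
 * Returns the length that would be handed to read(). */
size_t unchecked_read_len(uint32_t size_words)
{
    uint32_t uint_size = size_words * 2;        /* wraps above 0x7fffffff */
    return (size_t)uint_size - WMF_HEADER_LEN;  /* underflows below 18 */
}

/* Checked version: 0 and *body_len on success, -1 if the header lies. */
int checked_body_len(uint32_t size_words, size_t file_len, size_t *body_len)
{
    uint64_t total = (uint64_t)size_words * 2;  /* 64-bit, so no wrap */
    if (total < WMF_HEADER_LEN) return -1;      /* subtraction would underflow */
    if (total > WMF_MAX_BYTES) return -1;       /* refuse absurd sizes */
    if (total > file_len) return -1;            /* claims more data than exists */
    *body_len = (size_t)total - WMF_HEADER_LEN;
    return 0;
}

/* Copy the record area out of an in-memory file image; NULL on rejection. */
uint8_t *load_wmf_body(const uint8_t *file, size_t file_len,
                       uint32_t size_words, size_t *body_len)
{
    if (checked_body_len(size_words, file_len, body_len) != 0) return NULL;
    uint8_t *buf = malloc(*body_len ? *body_len : 1);
    if (buf == NULL) return NULL;               /* malloc result is checked */
    memcpy(buf, file + WMF_HEADER_LEN, *body_len);
    return buf;
}
```

With the unchecked arithmetic, a header size of 4 words allocates 8 bytes while the read length becomes a value just under SIZE_MAX; the checked version rejects that header before any allocation.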

Upgrading to IE 6 SP1 is the suggested action on Windows 2000 SP4 and Windows ME.

No patch for the older IE5. My suggested action would be to get off Windows ME as soon as possible. The Win9x kernel is dead as dead...
