Microsoft’s first security bulletin of the year was so
critical that Redmond released it early.


The first security bulletin of 2006 is so critical that Microsoft released
it on January 5
—a week before the usual patch cycle. Microsoft
Security Bulletin MS06-001
, “Vulnerability in Graphics Rendering
Engine Could Allow Remote Code Execution,” addresses a vulnerability that’s
so serious it even made the front page of some business newspapers, including
the Financial Times.

This might be the only security bulletin this month; the Microsoft
Security Bulletin Summaries and Webcasts page
lists the bulletin as from
both January 5 and 11. However, Microsoft purportedly plans to release
two additional security updates
—one for Windows and one for Microsoft
Office and Exchange Server.

This is a remote code execution threat due to a Graphics
Rendering Engine vulnerability (CVE-2005-4560).
The problem is due to a fault in the way the graphics engine handles Windows
Metafile (WMF) images. Microsoft
Security Advisory 912840
addressed this vulnerability in late December because
active exploitation was already under way.

Microsoft Baseline Security Analyzer (MBSA) versions 1.2.1
and 2.0, as well as Systems Management Server, will determine if the update is necessary
for particular systems. For more details about WMF and other image file formats,
see Microsoft Knowledge Base
Article 320314


All Microsoft operating systems from Windows 98 on are
vulnerable, including Windows XP Service Pack 2 and Windows Server 2003 SP1. However,
because this isn’t a critical threat Windows 98, Windows SE, or Windows ME, the
update doesn’t support these versions. (Microsoft has ended support for these OS
versions except for critical issues.)

Risk level – critical

Microsoft has rated this vulnerability as critical for Windows
2000, all versions of Windows XP (including SP2), and all versions of Windows
Server 2003 (including SP1). This rating also applies to x64 and Itanium-based

Mitigating factors

A successful attack would only give the attacker the same
rights as the local user. In addition, an image hosted on a malicious Web site initiates
the attack, so the user must actively visit a malicious Web site, either by
clicking an e-mail or instant messaging link. However, it’s important to note
that a user can also initiate an attack by opening a Word document that
contains an embedded malicious image.


Apply the update. This fix does affect functionality because
it removes support for the SETABORTPROC record type (META-ESCAPE WMF images).

In addition, there’s an available workaround, tested and
approved by Microsoft, to help block the attack from Web-based vectors: Unregister
the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP and Windows
Server 2003 systems. Keep in mind that this recommendation may change, so see
the security bulletin for details.

Simply blocking WMF files doesn’t provide complete
protection because hackers may disguise the file format. The graphics engine
doesn’t read the file extension to determine how to process the image.

Final word

Congratulations to Microsoft for realizing the importance of
this threat and getting a patch out as soon as possible.

By the way, for those of you who don’t subscribe to the IT
Locksmith newsletter, you may have wondered where I’ve been the past few weeks.
Every year, I write an article or two looking back on the previous year and
offering predictions for the coming one. This year, I posted those reflections
in my new TechRepublic

My blog is your chance to get my
uncensored thoughts and opinions on what’s happening in the security arena.
It’s an opportunity for you to see what didn’t make the cut in my weekly
article and to see what I have to say when my editor isn’t around. So, if
you have any interest in my opinions based on 45 years of experience in IT,
bookmark my new blog.

Also watch for …

  • Google
    has announced plans to add on-demand
    , including CBS television programs and NBA basketball games, to
    the search giant’s offerings. Apple’s iTunes store already offers NBC and
    ABC television shows, and Google already offers free hosting for amateur
  • Serious
    flaws have emerged
    in BlackBerry software
    . There were originally three vulnerabilities, but
    has already patched one
    , which posed a DoS attack possibility, in
    versions 4.0.02 and later.

Miss a column?

Check out the IT Locksmith Archive,
and catch up on the most recent editions of John McCormick’s column.

Want to stay on top of
the latest security updates? Automatically
sign up for our free IT Locksmith newsletter
, delivered each Tuesday!

John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.