Secunia

A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an error in the handling of Windows Metafile files (".wmf") containing specially crafted SETABORTPROC "Escape" records. Such records allow arbitrary user-defined function to be executed when the rendering of a WMF file fails. This can be exploited to execute arbitrary code by tricking a user into opening a malicious ".wmf" file in "Windows Picture and Fax Viewer" or previewing a malicious ".wmf" file in explorer (i.e. opening a folder containing a malicious image file).

The vulnerability can also be exploited automatically when a user visits a malicious web site using Microsoft Internet Explorer.

NOTE: Exploit code is publicly available. This is being exploited in the wild. The vulnerability can also be triggered from explorer if the malicious file has been saved to a folder and renamed to other image file extensions like ".jpg", ".gif, ".tif", and ".png" etc.

The vulnerability has been confirmed on a fully patched system running Microsoft Windows XP SP2. Microsoft Windows 2000, Windows XP SP1 and Microsoft Windows Server 2003 SP0 / SP1 are also affected.

Solution
Apply patches.
Further details available in Customer Area

Provided and/or discovered by
The vendor credits Dan Hubbard, WebSense.

First reported in the wild by "noemailpls".

Exploit code and additional information provided by H D Moore.

Changelog
Further details available in Customer Area

Original Advisory
MS06-001 (KB912919):
http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx

Microsoft (KB912840):
http://www.microsoft.com/technet/security/advisory/912840.mspx

Other references
Further details available in Customer Area

Deep Links
Links available in Customer Area