eEye Digital Security Discovers Two New Critical Security Flaws for Windows
ALISO VIEJO, Calif., November 8, 2005 — eEye Digital Security®, a leading developer of network security and vulnerability management software solutions, as well as the industry’s foremost contributor to security research and education, today announced details for two new critical vulnerabilities related to Microsoft (NASDAQ: MSFT) Windows®. If not immediately resolved, these security flaws can be detected and exploited remotely with the potential to cause serious damage, allowing an attacker to take complete control of an affected system and execute harmful action remotely, including installing programs, viewing, changing, or deleting data, and creating new accounts with full privileges. Both flaws involve metafile overflows and affect the Windows 2000 Operating System, which is currently found in a large percentage of business systems running Windows today. The critical discoveries also affect Windows Server 2003, Windows NT 4.0 and Windows XP machines. Microsoft will resolve both vulnerabilities with one patch during its November update.
Those organizations that are utilizing eEye’s Retina® Network Security Scanner can immediately scan for affected systems. Organizations that have deployed the Blink® Endpoint Intrusion Prevention System have been protected against these vulnerabilities since their discovery several months ago and can postpone patching to regularly-scheduled maintenance cycles.
“Given the enormous installed base of the affected programs in this month’s patch, it’s imperative that network administrators continue to scan their networks to identify vulnerable systems and take corrective action,” said Marc Maiffret, eEye’s co-founder and chief hacking officer. “Attacks exploiting vulnerabilities like these are costing enterprises millions of dollars annually in lost productivity and business disruption, particularly when non-scheduled patching is required. We continue to encourage enterprises to upgrade operating systems or deploy non-signature-based intrusion prevention systems in an effort to move back to regular patch-cycle maintenance.”
The first remotely exploitable security vulnerability is a graphics rendering issue that exists in Enhanced Metafile (EMF) and Windows Metafile (WMF) extensions within default installations across Windows 2000, Windows NT 4.0 and Windows Server 2003 platforms. The flaw was reported March 29—more than 200 days ago—and has been marked with a “high” severity rating by Microsoft, as it allows malicious code to be executed with minimal user interaction through commonly used media, such as HTML, email, a link to a web page or instant messenger. Specifically, it contains integer overflow flaws in the way the Windows Graphical Device Interface (GDI) processes EMF and WMF images that can lead to exploitable overflows through a number of specifically crafted metafile structures, allowing an attacker to execute code on an affected system at a user privilege level.
The other critical discovery is very similar, a high-risk heap overflow in WMF that was also discovered by eEye and will only be 68 days old when patched. It affects Windows 2000, Windows NT 4.0, Windows XP and Windows Server 2003 machines. The flaw also uses the code in GDI32.DLL that allows arbitrary code execution as a user attempts to view a malicious image. Similarly, an attacker who successfully exploits this vulnerability could take complete control of an affected system.
eEye Digital Security, a leading contributor to network security research, regularly identifies vulnerabilities and provides specific advisories on how enterprises can secure them. While Microsoft is addressing only two vulnerabilities with this month’s patch update, eEye’s upcoming advisories page continues to list six other discovered flaws related to Microsoft platforms, including five that are considered high risk, as they can be remotely exploited. The oldest vulnerability in that list was discovered and reported 187 days ago. For more information about upcoming advisories, please visit http://www.eeye.com/ctrack.asp?ref=uvml.
Today’s announcement marks the second and third vulnerabilities discovered by eEye’s research team to be patched in the past week, following a similar notification by Macromedia Flash Player on Friday, November 4, 2005. The high-risk memory access flaw affected Macromedia Flash 6 and 7 on all Windows platforms and was remediated 130 days after its discovery in June. The vulnerability will allow an attacker to run arbitrary code via the SWF file as a logged-in user. Additionally, two more eEye-discovered critical flaws for the RealNetworks media player are expected to be patched by RealNetworks on Thursday.
About eEye’s Security Research Team
Over the last five years, eEye has been recognized by industry experts as the preeminent organization in the discovery of the most critical vulnerabilities in various platforms and applications, including the vulnerabilities subsequently leveraged by the Sasser, Witty, Code Red and Sapphire worms, as well as the Microsoft ASN vulnerability and hundreds of other important discoveries. This expertise gives eEye a distinct advantage in designing services and software solutions for the assessment, remediation and prevention of vulnerabilities and the attacks that leverage them.
As a service to the network security community, eEye’s Research Team—headed by Marc Maiffret, eEye’s co-founder and chief hacking officer—conducts a Vulnerability Expert Forum web seminar during the second week of every month. These Vulnerability Expert Forums enable participants to stay current on the potential risks and remediation requirements, such as those announced today, by exploring the effect that high-risk vulnerabilities and exploits have on network environments and infrastructures. To register for the November Vulnerability Expert Forum, please visit
eEye’s integrated family of vulnerability management solutions helps IT and security professionals confidently safeguard their valuable digital assets. Working in conjunction with popular tools such as firewalls and intrusion detection systems, eEye’s products include: Retina Network Security Scanner, REM™ Security Management Console, Iris® Network Traffic Analyzer, SecureIIS™ Web Server Protection, and Blink Endpoint Intrusion Prevention System.
About eEye Digital Security
eEye Digital Security is a leading developer of network security software, and the foremost contributor to security research and education. eEye’s award-winning software products provide a complete vulnerability management solution that addresses the full lifecycle of security threats: before, during and after attacks. eEye’s customers, Citigroup and US Department of Defense, represent the largest deployments of vulnerability assessment and prevention technology in the private and public sector. eEye protects the networks and digital assets of more than 8,400 corporate and government deployments worldwide, including Avon, Continental Airlines, Dow Jones, Prudential, University of Miami, Viacom, Vodafone, Warner Music and Wyeth. Founded in 1998, eEye Digital Security is a privately held, venture-backed firm with headquarters in Orange County, California. For more information, please visit www.eEye.com.