February 2006 - Posts

Winamp buffer overflow

Published: 2006-02-25,
Last Updated: 2006-02-25 15:33:14 UTC by Brian Granier (Version: 1)

We have been monitoring a reported flaw with Winamp 5.12 and 5.13. A buffer overflow condition with a playlist containing a long file name can cause the application to crash at best and execute arbitrary code at worst. To date, we are not aware of any POC that uses this vulnerability successfully for malicious purposes. This problem is fixed in Winamp 5.2 so users are advised to update. More details about this issue can be found at http://secunia.com/advisories/18848.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Thanks again to Ron for getting the blogs up and running again.

********************************************************************

Title: Microsoft Security Advisory Notification

Issued: February 22, 2006

********************************************************************

Security Advisories Updated or Released Today
===========

* Security Advisory (914457)

- Title: Possible Vulnerability in Windows Service ACLs

- Reason For Update: Added Microsoft Knowledge Base Article 914392

- Web site: http://go.microsoft.com/fwlink/?LinkId=61165

Support:

========

Technical support resources can be found at:

http://go.microsoft.com/fwlink/?LinkId=21131

W32/Feebs again (NEW)

Published: 2006-02-22,
Last Updated: 2006-02-22 10:26:13 UTC by Daniel Wesemann (Version: 1)

Looks like a new variant of W32/Feebs is making the rounds. Fellow handler Bojan has spent quite some time de-obfuscating the JavaScript and VB code, and we're still looking at what it does besides downloading base64 encoded versions of W32/Feebs. You might want to zap access to *.coconia.net / *.by.ru / *.kazan.bz / *.t35.com / *.freecoolsite.com / *.nm.ru until the AV vendors have the patterns lined up.

If some of these domains sound vaguely familiar.... http://isc.sans.org/diary.php?storyid=1035

Update 1023 UTC: Looks like it spreads as an email with subject "Secure Message from GMail.com user", and contains a ZIP attachment (data.zip in the sample at hand), which in turn contains a file "Encrypted Html File.hta", which contains the heavily obfuscated Javascript exploit code that triggers the W32/Feebs download from the above sites.
 
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

********************************************************************
Title: Microsoft Security Advisory Notification
Issued: February 21, 2006
********************************************************************

Security Advisories Updated or Released Today
==========================================

* Security Advisory (906267)

  - Title: A COM Object (Msdds.dll) Could Cause Internet Explorer to Unexpectedly Exit    

  - Web site: http://go.microsoft.com/fwlink/?LinkId=51466
  
  - Reason For Update: Advisory updated to direct customers to Security Bulletin MS05-052, "Cumulative Security
    Update for Internet Explorer".


WHERE'S MY RIFLE???

Multiple Exploits Available for MS06-005 and MS06-006 (NEW)

Published: 2006-02-17,
Last Updated: 2006-02-17 13:28:51 UTC by Chris Carboni (Version: 1)

The 'sploit writers have been busy.

In the last 24 hours a total of four exploits have been released - two each for MS06-005 and MS06-006.

MS06-005 - Vulnerability in Windows Media Player Could Allow Remote Code Execution

MS06-006 - Vulnerability in Windows Media Player Plug-in with Non-Microsoft Internet Browsers Could Allow Remote Code Execution

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Australia: First WMF mass mailer ItW (phishing Trojan)

Gadi - February 16, 2006 on 1:59 pm | In Web, Commentary, Virus, Phishing |

The first worm (mass mailer) to (ab)use the WMF 0day is now spreading in Australia.

Our initial reports indicate the worm is not massive, however it steals financial information from users (Phishing Trojan from a known group) it infects and is causing quite a buzz in Australian media. We expect it to break as a full-blown media hype this morning, tops tomorrow morning.

The worm *does* do the said damage, but as we said does not seem to be widely spread. No reports outside of Australia have been received as of yet.

The emails themselves do not contain the payload, but rather a URL to sites that will infect users. Both the sites that did this are now down; I expect the next one to be up soon (or the bad guys will just get a new variant out in a few days). Abusing websites is mostly how WMF is exploited, but not much in the way of emails before today.

(almost) All anti-virus vendors do not detect this worm (it's new), a couple detect it heuristically. (almost) All anti-virus vendors detect the attachment regardless because of the WMF exploit detection routines.

Hopefully, all AV companies will detect this soon. I know most will.

“Regular Phishing” as we all know it, asking us for information by means of simple email is alive, kickin` and will still be with us 10 years from now. However, it is slowly decreasing in volume while Phishing Trojan attacks are getting more and more common.

If you are in Australia, you already heard about this for sure.. but not clearly. Otherwise, this is it before the media gets their hands on it.

We will update as necessary when we know more. The Australians have done a good job on this.

Gadi Evron,
ge@linuxbox.org.


SecuriTeam Blogs » Australia: First WMF mass mailer ItW (phishing Trojan).

Patch'em if you got'em!!

MS06-005 proof of concept exploit released (NEW)

Published: 2006-02-16,
Last Updated: 2006-02-16 04:03:36 UTC by Jason Lam (Version: 1)

The proof of concept exploit for MS06-005 has been released. The exploit crafts a malicious BMP file to perform a buffer overflow in Media Player. Keeping in mind, as Microsoft has pointed out, that the exploiting factor can include other graphics files as well (such as .wmp), it's a good idea to get it patched ASAP.

------------
Jason Lam

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Looks like Microsoft fixed that issue with MS06-007 deployment early this morning...

********************************************************************

Title: Microsoft Security Bulletin Minor Revisions

Issued: February 14, 2006

********************************************************************

Summary

=======

The following bulletins have undergone a minor revision increment.

Please see the appropriate bulletin for more details.

* MS06-007

Bulletin Information:

=====================

* MS06-007

- http://www.microsoft.com/technet/security/bulletin/MS06-007.mspx

- Reason for revision: Security Update FAQ Section updated to reflect an issue, now resolved, that affected the deployment of this update through Automatic Update, Windows Update, Microsoft Update, Windows Server Update Services and Systems Management Server 2003 when using the Inventory Tool for Microsoft Updates.

- Originally posted: February 14, 2006

- Updated: February 14, 2006

- Bulletin Severity Rating: Important

- Version: 1.1

********************************************************************

********************************************************************
Title: Microsoft Security Advisory Notification
Issued: February 14, 2006
********************************************************************

Security Advisories Updated or Released Today
==============================================

* Security Advisory (914457)

  - Title:    Possible Vulnerability in Windows Service ACLs

  - Web site: http://go.microsoft.com/fwlink/?LinkId=61165
  
  - Reason For Update: Additional services identified, Windows XP Service Pack 2 and Windows 2000 clarification


* Security Advisory (913333)

  - Title:    Vulnerability in Internet Explorer Could Allow
    Remote Code Execution

  - Web site: http://go.microsoft.com/fwlink/?LinkId=57064
  
  - Reason For Update: Advisory updated to direct customers to Security Bulletin MS06-004, "Cumulative Security Update for
    Internet Explorer" and to remove all references to Internet Explorer 5.5 Service Pack 2 on Windows Millennium.

Problems with MS patch KB913446 (for the IGMP issue, MS06-007) (NEW)

Published: 2006-02-14,
Last Updated: 2006-02-14 19:58:30 UTC by Jim Clausing (Version: 1)

A number of our readers have written in (and some of the handlers have duplicated the issue) to report that when using Microsoft Update or autoupdate the patch (KB913446) downloads, but fails to install with Error Code: 0x80242006.  The version located here, however, does not appear to have this issue.  Until Microsoft fixes the former, you may want to install that one patch manually.  Our summary of all of the bulletins will be posted shortly.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Information on IE Drag and Drop Issue

Hey – Brian here, As we’re gearing up for release tomorrow I wanted to take a second to discuss a recent posting of a security issue to some mailing lists. Matt Murphy, a well known security researcher posted an alert today regarding a “drag and drop” issue affecting Windows. I actually handled this case and worked with Matt. We’ve been working with Matt for quite some time on this issue, and I want to thank him for working with us.  We’ve had some long Instant Messenger sessions and E-mail threads while we worked together to understand the issue. 

 

To provide some insight on this issue, it is different from past drag-and-drop issues like MS05-014. For example, the issue fixed by MS05-014 could be exploited by taking a “drag-and-drop” action within IE, like using the scrollbar.  This issue is different. In working with Matt and our internal teams we found this issue has very exact and specific requirements. It is only problematic in specific circumstances that require the user to take a specific action timed very precisely.

 

The specific configuration consists of having two windows open: one an IE window, and the other a folder to a resource. The specific user action is the user clicking and dragging an object from the IE window over to the folder window. The timing is very exact: when this is happening the windows would flip back and forth visibly at a set interval. The user would have to time it such that they catch the windows as they’re flipping back and forth.

 

We will update the behavior, but in looking at the severity of the issue and balancing the risk inherent in any fix, we believe a future service pack is the best way to address this issue. Some thoughts on fixing issues in service packs: service packs allow for additional testing, including beta testing, to reduce the risk of quality issues impacting 3rd party applications. This extra testing is especially important for complicated fixes that require extensive behavior changes. That said, we work hard to make sure that when we resolve issues found in service packs (as opposed to security updates) these are only for issues that are of a reduced severity, and we continually monitor those issues for a change in status.

 

I hope this provides some additional insight to this issue, and answers some questions. We’ll continue to work with Matt and others that have questions on this as we continue the investigation.

Published Monday, February 13, 2006 10:48 PM by stepto

Welcome to the Microsoft Security Response Center Blog! : Information on IE Drag and Drop Issue.

New IE 0-Day Drag-N-Drop-N-PopUnder-N-GrabFocus-N-DoTheHokeyPokey Vuln. (NEW)

Published: 2006-02-13,
Last Updated: 2006-02-13 21:58:52 UTC by Tom Liston (Version: 1)

Info on a new "0-day" IE Drag-n-Drop vulnerability can be found here.  All things considered, it looks to be a mite bit "complex" to come off well, but it may very well be usable.  However, I would say that it'll probably be sitting near the bottom of the list of most popular attacks as long as we still have machines out there vulnerable to WMF and other, easier to do, nasties.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Bagle and Olympics Posted by Katrin @ 17:07 GMT

A new Bagle is spreading in messages related to the Olympic games in Torino. It arrives in messages offering a free ticket for the games or to participate in a lottery to win a free ticket.

We added detection of it as Bagle.FY in update version number 2006-02-13_06.


F-Secure : News from the Lab - February of 2006.

This don't look good...

Websense Security Labs(TM) has received reports of a new Internet Explorer "zero-day" vulnerability which could allow the launching of code without consent from the end-user. The vulnerability, which was discovered by Matthew Murphy, is similar to the "drag-and-drop" vulnerability that has been exploited in the past.

As the vulnerability outlines, a specially crafted website would have to dupe a user into dragging and dropping an item from one window to the other. Upon releasing the mouse in the newly focused window the code will run without consent.

Although we believe this vulnerability is not as easy to exploit as some in the past, (see WMF vulnerability) a risk still remains. We have experimented with deception scenarios and believe that users could be duped into following the necessary actions to be exploited.

Our honey clients are currently scanning for malicious websites that are using this vulnerability and have not detected any as of yet. Upon discovery additional information will be provided.

Vulnerability details:

  http://www.securiteam.com/windowsntfocus/5MP0B0UHPA.html

Websense® - Security Labs Alert: New I.E. Zero Day.

Here are some notes from the SecuriTeam bulletin listed above:

Vendor response:
Microsoft was informed of this vulnerability on August 3, 2005. Currently, the company has no plans to issue a security update to correct this vulnerability. Fixes for this issue are scheduled to be included in Service Pack 2 of Windows Server 2003 and Service Pack 3 of Windows XP. Of particular note is that Windows 2000 users will *NOT* receive an update to correct this vulnerability.

Microsoft's internal risk-assessment concluded that this issue was not sufficiently serious to be fixed in a security bulletin. This conclusion appears fundamentally inconsistent with the way related issues were handled by Microsoft. In particular, the drag-and-drop vulnerability patched by MS05-013 received an "Important" rating.

I disagree with the technical conclusion behind Microsoft's decision and I further find the timeframe of delivery and deployment for maintenance releases to be largely unsuitable for security fixes of any significant magnitude. I find the harm this decision could potentially inflict upon down-level users (most importantly, users of Windows 2000) to be unjustified by the technical concern Microsoft has raised to me. Microsoft also rejected a request that it consider the issue for inclusion in a later security update as a "Moderate" risk issue.

Due to Microsoft's noncommittal and generally unimpressive response to the issue, this advisory is being issued to inform users of this vulnerability such that defensive action may be taken as desired.

We have seen this happen here, glad to know it is being taken care of. Thanks to Roger for alerting me to the blog post

 Microsoft Anti-Spyware Deleting Norton Anti-Virus

Microsoft's Anti-Spyware program is causing troubles for people who also use Symantec's Norton Anti-Virus software; apparently, a recent update to Microsoft's anti-spyware application flags Norton as a password-stealing program and prompts users to remove it.

According to several different support threads over at Microsoft's user groups forum, the latest definitions file from Microsoft "(version 5805, 5807) detects Symantec Antivirus files as PWS.Bancos.A (Password Stealer)."

When Microsoft Anti-Spyware users remove the flagged Norton file as prompted, Symantec's product gets corrupted and no longer protects the user's machine. The Norton user then has to go through the Windows registry and delete multiple entries (registry editing is always a dicey affair that can quickly hose a system if the user doesn't know what he or she is doing) so that the program can be completely removed and re-installed.

I put in calls to Microsoft and to Symantec on this issue, but am still waiting to hear back from both companies.

Microsoft said it is shipping updates that fix this problem, but judging from the growing number of other threads on this in that forum, this is shaping up to be a pretty big issue for companies that have deployed Microsoft's free anti-spyware product inside their networks. It's a good idea to keep in mind that Microsoft's Anti-Spyware product is in beta mode: The company's product page explicitly says that Microsoft Anti-Spyware should not be deployed in production systems. I'm not apologizing for Redmond in any way; it just seems like too many people ignore warnings about beta products.

Security Fix - Brian Krebs on Computer and Internet Security - (washingtonpost.com).

Exploit #2 released for for Windows Services Insecure ACLs Local Privilege Escalation (NEW)

Published: 2006-02-12,
Last Updated: 2006-02-12 23:52:05 UTC by Patrick Nolan (Version: 1)

Exploit #2 has been released for the Windows Services Insecure ACLs Local Privilege Escalation Vulnerability, described in MS Security Advisory (914457) "Possible Vulnerability in Windows Service ACLs".

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Targeted Trojan attacks? (NEW)

Published: 2006-02-12,
Last Updated: 2006-02-12 21:05:27 UTC by Patrick Nolan (Version: 1)

You have to love it when malware blows through your ISP's Email gateway AV, hits your desktop, and only 2 vendors flag it. This has been occurring regularly over the last few months. Some of today's email details are below. At this time only F-Secure and Kaspersky catch it; F-Secure says "malware found Trojan-Spy.HTML.Bayfraud.in (virus)".

After Googling the Subject of the email I'm writing about, "eBay Customer Notice: Details Confirmation", I saw a few returns, one was at archives.java.sun.com. Sun has been notified.

That page also references the trojan I was sent, only the image name is different; at the Sun site it's named illicit.GIF [image/gif] and there's a date/time visible on the page display [Fri, 21 Oct 2005 23:44:45 +0100], who knows how trustworthy that date information is. If it's accurate and based on the Jotti and Virustotal results next, it's a touch troubling.

If you're seeing any of these please drop us a note. Thanks!



illicit.GIF analysis results at Jotti and Virustotal.

Jotti.Org says
File:  illicit.GIF 
Status:  INFECTED/MALWARE 
MD5  15492310e33e16810c4d880b8f343f8d 
Packers detected:  -
Scanner results 
AntiVir  Found nothing
ArcaVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found nothing
ClamAV  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
Fortinet  Found nothing
Kaspersky Anti-Virus  Found Trojan-Spy.HTML.Bayfraud.in 
NOD32  Found nothing
Norman Virus Control  Found nothing
UNA  Found nothing
VBA32  Found nothing

This is a report processed by VirusTotal on 02/12/2006 at 20:13:06 (CET) after scanning the file "illicit.GIF" file.
Antivirus Version Update Result
AntiVir 6.33.0.81 02.11.2006 no virus found
Avast 4.6.695.0 02.10.2006 no virus found
AVG 718 02.10.2006 no virus found
Avira 6.33.0.81 02.11.2006 no virus found
BitDefender 7.2 02.12.2006 no virus found
CAT-QuickHeal 8.00 02.11.2006 no virus found
ClamAV devel-20060126 02.12.2006 no virus found
DrWeb 4.33 02.12.2006 no virus found
eTrust-InoculateIT 23.71.74 02.11.2006 no virus found
eTrust-Vet 12.4.2074 02.10.2006 no virus found
Ewido 3.5 02.11.2006 no virus found
Fortinet 2.54.0.0 02.12.2006 no virus found
F-Prot 3.16c 02.09.2006 no virus found
Ikarus 0.2.59.0 02.10.2006 no virus found
Kaspersky 4.0.2.24 02.12.2006 Trojan-Spy.HTML.Bayfraud.in
McAfee 4694 02.10.2006 no virus found
NOD32v2 1.1404 02.11.2006 no virus found
Norman 5.70.10 02.10.2006 no virus found
Panda 9.0.0.4 02.12.2006 no virus found
Sophos 4.02.0 02.11.2006 no virus found
Symantec 8.0 02.12.2006 no virus found
TheHacker 5.9.4.094 02.10.2006 no virus found
UNA 1.83 02.09.2006 no virus found
VBA32 3.10.5 02.11.2006 no virus found

Some Email details;

Return-path: <support_num_3381305590018@ebay.com>
**snip**
Received: from ppp85-141-237-194.pppoe.mtu-net.ru ([85.141.237.194])
 by orngca-mx-08.mgw.rr.com with SMTP; Sun, 12 Feb 2006 13:52:34 -0500
Date: Sun, 12 Feb 2006 14:43:23 -0400
From: eBay <support_num_3381305590018@ebay.com>
Subject: eBay Customer Notice: Details Confirmation [Sun, 12 Feb 2006 21:46:23 +0300]
To: pnk@nycap.rr.com
Message-id: <4oomdf$ha2v4r@orngca-mx-08.mgw.rr.com>
MIME-version: 1.0
X-Accept-Language: en-us, en
Fcc: mailbox://support_num_3381305590018@ebay.com/Sent
X-Identity-Key: Id7
X-Virus-Scanned: Symantec AntiVirus Scan Engine <=== Gateway AV
Original-recipient: rfc822;pnolan
Content-Type: multipart/mixed;
  boundary="----=_cKusyvfBPGgnaHbQBgKUeaDHKTZHAlKYr"

Attachment name patch.GIF

Subject eBay Customer Notice: Details Confirmation

UPDATE I received a different piece of malware five minutes later ( ; ^ ), through the ISP Email Gateway AV undetected. There was no attachment, Subject is "Please Check Your Account !"
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

New Exploit for HTML Help Workshop vulnerability (NEW)

Published: 2006-02-11,
Last Updated: 2006-02-12 05:11:36 UTC by Tony Carothers (Version: 1)

Only 5 days after the release of the vulnerability, two exploits are on the street.  Both exploits, tested on WINXP SP2, will give the attacker the ability to run code of her or his choosing on the compromised machine.  As of this writing, a patch has not been made available, as far as we know.

Windows XP SP2 is not vulnerable in its default configuration. Microsoft noted that the HTML Help Workshop SDK has to be installed in order for the exploit to work. This SDK is a self contained download and at this point we are not aware of anything that would bundle this SDK. Given that it is an issue with this particular application, there is a chance that it may be exploitable on Windows versions other than XP SP2.

Summary:
- Vulnerability in HTML Help Workshop SDK, which is not installed by default.
- Exploit tested on Windows XP SP2.
- Exploit may work on other platforms that have HTML Help Workshop SDK installed, but we haven't tested it yet.

Please let us know if you have this SDK installed, in particular if it came bundled with other software.

See this URL for more details:

http://users.pandora.be/bratax/advisories/b008.html

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/htmlhelp/html/vsconhh1start.asp

Tony Carothers
Handler on Duty

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

A little info from our TAM

This Alert is to advise you that Microsoft Security Advisory (914457), Possible Vulnerability in Windows Services ACLs, has been revised on 8 February 2006.

Specifically, additional information has been added to the FAQ for platforms that are not affected. Also, additional information was added to the FAQ for service start-up type properties.

More information can be found:

http://www.microsoft.com/technet/security/advisory/914457.mspx

Microsoft Security Advisories are located at this location:

http://www.microsoft.com/technet/security/advisory/default.mspx

It's about time he got knocked down a notch...

Busch sentenced to community service
The Associated Press
February 8, 2006
04:11 PM EST (21:11 GMT)

PHOENIX -- Kurt Busch was ordered Wednesday to perform 50 hours of community service as part of a plea agreement over a reckless driving citation he received near Phoenix International Raceway.


His lawyer, Lee Stein, said his client admitted to speeding, a misdemeanor, and two civil citations: following too closely and passing in a no-passing zone. In exchange, the reckless driving charge was dropped. The community service must be completed within a year, Stein said. Busch also paid $580 in court fines.

Busch was stopped in suburban Tolleson in November after allegedly running a stop sign while speeding. A police report said the deputy smelled alcohol on Busch, and the driver became belligerent. A breath test showed Busch was far below the legal limit for DUI.

Busch said he was returning from dinner with his fiancee.

"You're only doing this because you're a Jeff Gordon fan," Busch was quoted as saying to the officer in a police report.

Busch later apologized for being "disrespectful."

The traffic stop came the night before the Checker Auto Parts 500 at the Phoenix track. As a result of his run-in, Busch was suspended from the final two NASCAR races of the season by his former team.

NASCAR.COM - Busch sentenced to community service - Feb 8, 2006.

I was just looking through the list of breakout sessions for MMS  that Rod announced and I came across a session that has me a bit confused.

I mean there is this session:

SY03 Upgrading to SMS 2003 SP2 – Overview and Best Practices
Speaker(s): Dan Conley, Mike Cureton
Session Level(s): 300
Track(s): Systems Management
SMS 2003 has just released its newest service pack, SP2. In this session, we'll discuss how to prepare your existing SMS sites for upgrade to SMS 2003 SP2. We'll also discuss what new enhancements are provided in this new service pack.
 
I knew this was coming, and then you got 
 
SY02 Sneak Peek – SMS v4
Speaker(s): Josh Pointer
Session Level(s): 200
Track(s): Systems Management
You know about SMS 2003 SP2 and SMS 2003 R2. What's next on the horizon in the SMS world? It's SMS v4. Come and see what the next major release of SMS will offer.
 
and then there you see a hint of it, what the heck is SMS 2003 R2??
 
Then there is the one that really floored me,
 
SY04 What’s new in SMS 2003 R2
Speaker(s): Bryan Keller, Quincy Milton
Session Level(s): 300
Track(s): Systems Management
SMS 2003 provides great capabilities for identifying software update compliance for Microsoft Windows, Microsoft Office, and other operating system features. There are also add-ons for hardware specific updates. But what about 3rd party applications or in-house developed applications? In this session, we'll discuss how you can use SMS 2003 R2 as a means to manage software updates for not only Windows and Office, but your other line of business or in-house developed applications.
 
 
Where did that come from?? 
 
Anyone else heard about this??

This probably won't be the last we hear of this new variant; Trend Micro has a new Bagle description as well: WORM_BAGLE.EN

New Bagle mass-mailer found Posted by Alexey @ 14:19 GMT

We have received a new Bagle mass-mailer. It spreads in e-mails sometimes pretending to be an antivirus definition file from Symantec. We detect this new mass mailer as W32/Bagle.FM@mm with the 2006-02-09_03 updates.

F-Secure : News from the Lab.

Symantec has updated their W32.Kinman removal tool to clean infections of W32.Kinman.B. This variant is just as nasty as the first variant, which I described in an earlier post.

You can download this tool here: http://securityresponse.symantec.com/avcenter/venc/data/w32.kiman.removal.tool.html

If you are not sure if you are a NASCAR fan or not, here is how you tell.

You know you are a NASCAR fan if.......
1) You teach your pre schooler to count Truex 1,Rusty 2, Earnhardt 3

2) If at every green light, you yell "GREEN GREEN GREEN!" (or "BOOGITY BOOGITY BOOGITY")

3) If you say "But officer, I wasn't tailgating, I was drafting!"

4) When you have an accident, the first thing you do is pull off the steering wheel. The second thing you do.... Is blame Kurt Busch.

5)On an Interstate exit ramp you stay on the outside to keep the RPMs up.

6) If you watch tapes of old rain delays

7) When you pass someone on the highway you refer to it as taking them on the inside.

8) When your buddy is passing someone on the interstate, you're in the passenger seat yelling, "CAR HIGH!!!!.... CLEAR!"

9) Only the driver's side of your windshield gets cleaned

10) You get caught stealing the life-size cut out of your favorite driver from the grocery store.

11) Your mechanic has to remind you to stop referring to him as your "crew chief".

12) The big story at your parties is how you put Kurt Busch into the wall at Talladega in your NASCAR Racing 2 game

13) You think the first car at a stoplight is "on the pole"

14) You have planned out a route to work where you only have to turn left

15) If you suit up in a fire suit and put on racing gloves and a racing helmet just to play NASCAR Racing on the computer

Martin Truex Jr. - You know you are a NASCAR fan if....... - Official Fan Club Message Board For The Leading NASCAR Driver.

I know Craig and some others don’t care about this, but I know I do!! 

It is finally here, the first event of the 2006 NASCAR season, the Bud Shootout.

This race isn't for points, just prize money, so it is always exciting since the drivers aren't worried about tearing up cars.

Here is some more information from NASCAR.com

Format: The 70-lap event is divided into two segments: 20 laps followed by a 10-minute break, then 50 laps. (Teams are allowed to make changes to the car during the break.)

Eligible drivers: Bud pole winners during the previous season, and past Bud Shootout winners.

On TV: Feb. 11 at 8 p.m. ET on TNT

Looks like the CME bunch is really trying to make an effort to make their site a useful resource. 

Now that they are adding links to all the vendors, and planning on adding more information about each virus in the future, let's hope this site turns out to be what we hope it to be.

The latest addition is CME-328, which is one of the new Bagle variants that I had mentioned in an earlier post.

Here is the info on it. I haven't checked on any of these links yet, so let's hope they are all pointing to the same variant.

CME-ID: CME-328
Date Assigned: 2/6/2006
Description: This is a "Bagle" mass-mailer which demonstrates typical "Bagle" behavior: it has a .ZIP file attachment, it contains a simple message subject/body, and it spreads to others.
Aliases:
  Authentium: W32/Bagle.DW@mm
  AVIRA: Worm/Bagle.FI
  CA: Win32/Bagle.DR
  ClamAV: Worm.Bagle.CP
  ESET: Win32/Bagle.FA
  Fortinet: W32/Bagle.DW-mm
  F-Secure: W32/Bagle.DW@mm
  Grisoft: I-Worm/Bagle generic
  H+BEDV: Worm/Bagle.FI
  Kaspersky: Email-Worm.Win32.Bagle.fj
  McAfee: W32/Bagle.dp@MM
  Norman: W32/Mitglied.PR
  Panda: W32/Bagle.GS.worm
  Sophos: Troj/BagleDl-BZ
  Symantec: W32.Beagle.DL@mm
  TrendMicro: WORM_BAGLE.CL

 

Corrupted Nyxems

Published: 2006-02-07,
Last Updated: 2006-02-07 02:31:31 UTC by Bojan Zdrnja (Version: 1)

The news about Nyxem (CME-24) is slowly ending, but the number of infected messages which are sent around still seems to be pretty high. Besides "normal" e-mails with Nyxem, we had a couple of submissions (and noted this on a couple of servers as well) about corrupted attachments.

Message bodies in these samples are completely the same as those being sent with working attachments, and the only difference seems to be in corrupted attachments.

If you remember, in some cases Nyxem will send MIME attachments; this was probably an attempt by the author to circumvent various filtering engines which may not expect an uuencoded file embedded in a base64 encoded MIME message part.

The beginning of those encoded files is almost always OK, and after a couple of lines it gets corrupted.
The corrupted part will look similar to the one below (the first line is from the good version, the second from the corrupted one):

M3%!T;T10``!#;U1A<VM-96U&<F5E````1V5T1$,`````````!X;<,@````#V
M3%!T;T10``!#;U1A<VM-96U&<F5E````1V5T1$,`````````````````

The letter 'M' at the start of each line indicates the unencoded line length, which in this case should be 60 (77d - 32d = 45d = M; 45 characters were encoded to 60). You can see that the line length in the second example is less than 60, so it is clear that the encoding is damaged.

If you now try to decode this (for example, uudecode will try to decode this and will complain about an error), you'll get a corrupted executable. This file still has a valid header, so if your policy dictates blocking of executables on the e-mail gateway, this will be blocked.

The majority of AV vendors don't detect this. Of course, the file is harmless so theoretically there is no reason why they should detect this, but it would probably be nice to add definitions for these corrupted attachments, just so they don't confuse end users.
We've received a submission from one of our readers that McAfee detects this as Generic Malware.a!zip.

Thanks to Mark Ackermans for a nice analysis of what's going on with the corrupted attachments.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.
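A checker for the uuencode line-length rule the diary walks through, added here as an example (it is not code from the ISC diary). Each data line's first character declares the byte count (char minus 32, so 'M' is 45 bytes), which uuencode expands to 4 characters per 3 bytes, 60 for a full line; the script compares that expected length with what is actually on the line, so a truncated line like the second one in the post is reported instead of silently decoding. The sample lines and the surrounding begin/end body are constructed after the diary's example.

```python
import binascii

# Constructed sample lines, modelled on the diary's example. GOOD_LINE is the
# intact 60-character line quoted in the post; CORRUPT_LINE is a truncated copy
# of the kind found in the damaged attachments (constructed here, 56 characters).
GOOD_LINE = "M3%!T;T10``!#;U1A<VM-96U&<F5E````1V5T1$,`````````!X;<,@````#V"
CORRUPT_LINE = "M3%!T;T10``!#;U1A<VM-96U&<F5E````1V5T1$," + "`" * 17

# A constructed uuencoded body: 'begin' header, one good line, one corrupted
# line, the zero-length '`' terminator and the 'end' trailer.
SAMPLE_BODY = "\n".join(["begin 644 sample.exe", GOOD_LINE, CORRUPT_LINE, "`", "end"])


def declared_length(line):
    """Binary byte count the line claims to carry: first character minus 32.
    'M' is ASCII 77, so 77 - 32 = 45, the payload of a normal full line."""
    return (ord(line[0]) - 32) & 0x3F


def expected_encoded_length(n_bytes):
    """uuencode emits 4 characters for every 3 bytes, padding the last group."""
    return ((n_bytes + 2) // 3) * 4


def check_line(line):
    """Validate one uuencoded data line.

    Returns ok=True with the declared and encoded lengths, or ok=False with a
    reason when the line is shorter or longer than its length byte implies, or
    contains a character outside the uuencode alphabet (ASCII 32..96).
    """
    line = line.rstrip("\r\n")
    if not line:
        return {"ok": False, "reason": "empty data line"}
    declared = declared_length(line)
    expected = expected_encoded_length(declared)
    actual = len(line) - 1  # everything after the length byte
    if actual != expected:
        return {"ok": False, "declared": declared, "encoded": actual,
                "reason": "expected %d encoded chars, found %d" % (expected, actual)}
    bad = [c for c in line[1:] if not 32 <= ord(c) <= 96]
    if bad:
        return {"ok": False, "declared": declared, "encoded": actual,
                "reason": "illegal character(s) %r" % bad}
    return {"ok": True, "declared": declared, "encoded": actual}


def check_body(text):
    """Walk a whole uuencoded body and return [(line_no, reason), ...].

    Line numbers are 1-based over the body. The 'begin' header is skipped and
    'end' stops the walk; the '`' terminator declares zero bytes, so it passes
    because expected_encoded_length(0) == 0.
    """
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith("begin "):
            continue
        if raw == "end":
            break
        result = check_line(raw)
        if not result["ok"]:
            findings.append((no, result["reason"]))
    return findings


def decode_line(line):
    """Decode one line with the standard library. binascii.a2b_uu() pads a
    short line with zero bytes instead of raising, so a truncated line decodes
    to a damaged payload without any error; check_line() is what catches it."""
    return binascii.a2b_uu(line.encode("ascii"))


if __name__ == "__main__":
    for name, line in (("good", GOOD_LINE), ("corrupt", CORRUPT_LINE)):
        print(name, check_line(line))
    print("body findings:", check_body(SAMPLE_BODY))
    # The intact line decodes to 45 bytes; it starts with the import name "LPtoDP".
    print(decode_line(GOOD_LINE)[:6])
```

Run over a saved attachment body, the findings list gives the first damaged line number, which is the signal the diary describes for separating a broken Nyxem sample from a working one.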

Another one from our TAM.  This one involves WMF files again, but older versions of IE.

—————————————————————————————————————————————————

This Alert is to advise you that Microsoft Security Advisory (913333), A vulnerability in Internet Explorer could allow remote code execution, has been released on 7 February 2006.

Microsoft is investigating new public reports of a vulnerability in older versions of Microsoft Internet Explorer. Based on our investigation, this vulnerability could allow an attacker to execute arbitrary code on the user's system in the security context of the logged-on user. The attacker could do this by one or more of the following actions:

* By hosting a specially crafted Windows Metafile (WMF) image on a malicious Web site;

* By convincing a user to open a specially crafted e-mail attachment;

* By convincing a user to click on a link in an e-mail message that takes the user to a malicious Web site; or

* By sending a specially crafted e-mail message to Outlook Express users, which they view in the preview pane.

Note: This is not the same issue as the one addressed by Microsoft Security Bulletin MS06-001 (912919).

The vulnerability exists in:

* Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4

* Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium.

The vulnerability does not exist in:

* Internet Explorer for Microsoft Windows XP Service Pack 1 and Windows XP Service Pack 2

* Internet Explorer for Microsoft Windows XP Professional x64 Edition

* Internet Explorer for Microsoft Windows Server 2003 and Windows Server 2003 Service Pack 1

* Internet Explorer for Windows Server 2003 for Itanium-based Systems

* Internet Explorer for Windows Server 2003 with Service Pack 1 for Itanium-based Systems

* Internet Explorer for Windows Server 2003 x64 Edition

* Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4

* Internet Explorer 6 Service Pack 1 on Microsoft Windows 98

* Internet Explorer 6 Service Pack 1 on Microso