Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Microsoft Advisory: Vulnerability in Graphics Rendering Engine

Published: 2011-01-04
Last Updated: 2011-01-05 19:39:23 UTC
by Johannes Ullrich (Version: 1)
7 comment(s)

---
Update #3: A "Fix-it" tool is now available to make it easier to apply the work around. Don't forget to reboot just in case. The work around does have some side effects, read the advisory for details.
---

 

Microsoft published KB Article 2490606 [1] . It describes a vulnerability in the Windows Graphics Rendering engine that could lead to remote code execution. The vulnerability has been assigned CVE # 2010-3970.

All current versions of Windows, with the exception of Windows 7 and 2008 R2, are vulnerable.

The vulnerability is exploited via malicious thumbnail images that may be attached to various documents (e.g. Microsoft Office documents). The most likely exploit vector would use e-mail attachments. However, it is also possible to use network shares.

There is currently no patch available. However, it is possible to modify the access control list on shimgvw.dll to prevent rendering of thumbnails (this would affect all thumbnails, not just malicious once). See the Microsoft advisory for details.

This particular vulnerability was disclosed in December 2010 by Moti and Xu Hao at the "Power of Community" conference. The conference presentation outlines in some detail how to create a file to exploit this vulnerability. The thumbnail itself is stored in the file as a bitmap. The vulnerability is exploited by setting the number of color indexes in the color table to a negative number (biClrUsed).

The published slides do provide hints on how to exploit this vulnerability including bypassing SafeSEH and DEP.

Update: There is now an MSRC blog about this issue [3]

Update #2 (by jcb): There is also a metasploit module out to exploit this vulnerability.

 

[1] http://www.microsoft.com/technet/security/advisory/2490606.mspx
[2] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3970
[3] http://blogs.technet.com/b/msrc/archive/2011/01/04/microsoft-releases-security-advisory-2490606.aspx

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

7 comment(s)
We had some e-mail hickups this weekend and are now receiving some stalled e-mail. Sorry if we didn't respond in time.
Diary Archives