Last Updated: 2011-01-05 19:39:23 UTC
by Johannes Ullrich (Version: 1)
Update #3: A "Fix-it" tool is now available to make it easier to apply the work around. Don't forget to reboot just in case. The work around does have some side effects, read the advisory for details.
Microsoft published KB Article 2490606  . It describes a vulnerability in the Windows Graphics Rendering engine that could lead to remote code execution. The vulnerability has been assigned CVE # 2010-3970.
All current versions of Windows, with the exception of Windows 7 and 2008 R2, are vulnerable.
The vulnerability is exploited via malicious thumbnail images that may be attached to various documents (e.g. Microsoft Office documents). The most likely exploit vector would use e-mail attachments. However, it is also possible to use network shares.
There is currently no patch available. However, it is possible to modify the access control list on shimgvw.dll to prevent rendering of thumbnails (this would affect all thumbnails, not just malicious once). See the Microsoft advisory for details.
This particular vulnerability was disclosed in December 2010 by Moti and Xu Hao at the "Power of Community" conference. The conference presentation outlines in some detail how to create a file to exploit this vulnerability. The thumbnail itself is stored in the file as a bitmap. The vulnerability is exploited by setting the number of color indexes in the color table to a negative number (biClrUsed).
The published slides do provide hints on how to exploit this vulnerability including bypassing SafeSEH and DEP.
Update: There is now an MSRC blog about this issue 
Update #2 (by jcb): There is also a metasploit module out to exploit this vulnerability.