Microsoft Offers Band-Aid for New Windows Graphics Bug

Microsoft released a temporary fix on Wednesday for a vulnerability in its Windows Graphics Rendering Engine that it had warned users about only the previous day.

The vulnerability lets attackers run arbitrary code, taking over victims’ computers.

It affects the Windows Vista, Windows Server 2003 and Windows XP platforms.

“It’s rare for Microsoft to release a mitigation for a bug within 24 hours,” Chester Wisniewski, a senior security adviser at Sophos, told TechNewsWorld.

The Nature of the Flaw

Microsoft issued Security Advisory 2490606 about the flaw, explaining what it would let attackers do. It said the flaw is a remote code execution vulnerability that is caused when the Windows Graphics Rendering Engine improperly parses a specially crafted thumbnail image. This improper parsing would create a stack overflow.

Attackers can send an email with a Microsoft Word or PowerPoint attachment that contains a specially crafted thumbnail image and lure potential victims into opening the file, Microsoft said.

A network attack could be carried out by placing a specially crafted thumbnail image or a file containing such an image on a network share — such as in a UNC (Uniformed Naming Convention) or WebDAV location — and then sending an email or instant message to lure users into going to that location via the Internet Explorer browser.

Once the victim goes to the shared file, the attack is triggered.

Essentially, the vulnerability lets an attacker take over a victim’s computer. The attacker can then install programs; view, change or delete data; or create new accounts with full user rights if the victim is logged on with full administrative rights, Microsoft stated.

Preventing the Attack

Microsoft suggested in its advisory that users modify the access control list in the “shimgvw.dll” file to block attacks until it delivered a patch to resolve the vulnerability, and it gave detailed instructions on how to do this. However, it warned that this workaround would mean that the Windows Graphics Rendering Engine would not display files properly.

“All workarounds or mitigation efforts have potential downsides,” Andrew Storms, director of security operations at nCircle, told TechNewsWorld.

“For every vulnerability, enterprise security teams have to evaluate their options and decide on how best to minimize the risk, given their unique business and security requirements.”

The standard PC safety rules apply: Keep your Windows operating system updated and apply the latest security patches; enable a firewall and install antivirus software.

Further, don’t click on emails or links in emails or on attachments from anyone you don’t know — and if you do know them, try to verify with them that they did indeed send you the attachments or emails.

Devil Is in the Details

This latest vulnerability was discovered by researchers Moti Joseph and Xu Hao, who disclosed it at the POC2010 Power of Community security conference in Seoul in December.

However, Redmond didn’t fully explain the vulnerability. The details came from Johannes Ullrich of the SANS Technology Institute, who blogged that the vulnerability could be exploited by attackers setting the number of color indexes in the color table to a negative number.

“We agree with Johannes’ explanation,” Sophos’ Wisniewski said.

Redmond didn’t indicate when it would issue a full patch.

“Ultimately, Microsoft will decide how urgent the patch is based on the risk to their customers and their ability to deliver a quality patch,” nCircle’s Storms pointed out.

Microsoft did not respond to TechNewsWorld’s request for comment by press time.

Danger! Danger!

The risk posed by a vulnerability can change at any time, Storms said, and, like any other vendor, Microsoft will re-evaluate how it will respond when things change.

Redmond will likely issue a patch for the graphics flaw in February, but if the risk of attacks rises significantly, “we may see an out-of-band patch later in January,” he said.

“There is more risk in releasing a patch that hasn’t been adequately quality tested than there is in having a vulnerability in the wild,” Storms pointed out.

The threat from the graphics flaw may well rise significantly, Sophos’ Wisniewski fears.

“It’s readily exploitable, and we’re quite concerned about it,” he said. “The fact that someone can maliciously exploit a graphic image is quite disturbing.”

This is the fourth Windows vulnerability discovered by researchers in less than a month, Wisniewski noted.

The others include a bug that affects all versions of Internet Explorer.

“Most of the flaws hit in December, when IT folks are on vacation — which is a period cybercriminals like to exploit,” Wisniewski said. “But these were found by researchers, and weren’t part of the normal cybercriminal festival around the holiday period.”

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Richard Adhikari
More in Security

CRM Buyer Channels