Microsoft Advisory: Vulnerability in Graphics Rendering Engine
---
Update #3: A "Fix-it" tool is now available to make it easier to apply the work around. Don't forget to reboot just in case. The work around does have some side effects, read the advisory for details.
---
Microsoft published KB Article 2490606 [1] . It describes a vulnerability in the Windows Graphics Rendering engine that could lead to remote code execution. The vulnerability has been assigned CVE # 2010-3970.
All current versions of Windows, with the exception of Windows 7 and 2008 R2, are vulnerable.
The vulnerability is exploited via malicious thumbnail images that may be attached to various documents (e.g. Microsoft Office documents). The most likely exploit vector would use e-mail attachments. However, it is also possible to use network shares.
There is currently no patch available. However, it is possible to modify the access control list on shimgvw.dll to prevent rendering of thumbnails (this would affect all thumbnails, not just malicious once). See the Microsoft advisory for details.
This particular vulnerability was disclosed in December 2010 by Moti and Xu Hao at the "Power of Community" conference. The conference presentation outlines in some detail how to create a file to exploit this vulnerability. The thumbnail itself is stored in the file as a bitmap. The vulnerability is exploited by setting the number of color indexes in the color table to a negative number (biClrUsed).
The published slides do provide hints on how to exploit this vulnerability including bypassing SafeSEH and DEP.
Update: There is now an MSRC blog about this issue [3]
Update #2 (by jcb): There is also a metasploit module out to exploit this vulnerability.
[1] http://www.microsoft.com/technet/security/advisory/2490606.mspx
[2] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3970
[3] http://blogs.technet.com/b/msrc/archive/2011/01/04/microsoft-releases-security-advisory-2490606.aspx
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Network Monitoring and Threat Detection In-Depth | Singapore | Nov 18th - Nov 23rd 2024 |
Comments
Anonymous
Jan 5th 2011
1 decade ago
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/2490606.mspx
• V1.1 (January 5, 2011): Added a link* to the automated Microsoft Fix it solution for the Modify the Access Control List (ACL) on shimgvw.dll workaround.
* http://support.microsoft.com/kb/2490606#FixItForMe
January 5, 2011 - Revision: 2.1
---
[Impact of Workaround: Media files typically handled by the Graphics Rendering Engine will not be displayed properly...]
PC.Tech
Jan 5th 2011
1 decade ago
Then there's the network share/WebDAV/UNC vector. I've got a lot of single user home PC types asking about this. What would be the best way to prevent exploiting vulnerabilities like this through network shares/WebDAV/UNC locations, considering that the user does not need to do any file or printer or any kind of sharing, just one PC with one user using the internet, and there's just Windows firewall, no routers or other external hardware? Any quick & safe way to completely disable access to any network shares, WebDAV and UNC locations in Win XP?
Thanks for any ideas, guys
mitigations?
Jan 6th 2011
1 decade ago
http://www.deansale.com/
wow gold
Jan 10th 2011
1 decade ago
http://www.microsoft.com/technet/security/advisory/2490606.mspx under workaround section => http://support.microsoft.com/kb/2490606 > fixit #50590
http://www.microsoft.com/technet/security/advisory/2488013.mspx under suggested actions => http://support.microsoft.com/kb/2488013 => with links to fixit #50590
Does the same Fix It work for both?
grrrrrrr
thegeeknme
Jan 11th 2011
1 decade ago
No, the links etc. in KB2488013 regarding the Fix It are plain simple false (surprise). The ment to link to Fix It 50591 and 50592 to undo the changes. While Fix It 50590 has been revised without note yesterday too (it now works correctly on localized Windows XP versions too by not using "everyone" but the localized user string for that "group"), the correct links for the Fix It(s) for KB/Advisory 2488013 are mentioned in http://blogs.technet.com/b/srd/archive/2011/01/11/new-workaround-included-in-security-advisory-2488013.aspx - including a comprehensive description.
Ottmar Freudenberger
Jan 12th 2011
1 decade ago
Ottmar Freudenberger
Jan 12th 2011
1 decade ago