Microsoft Confirms New Windows Zero-Day Bug
Microsoft today confirmed an unpatched vulnerability in Windows just hours after a hacking toolkit published an exploit for the bug.
Tue, January 04, 2011
A patch is under construction, but Microsoft does not plan to issue an emergency, or "out-of-band," update to fix the flaw.
The bug was first discussed Dec. 15 at a South Korean security conference, but got more attention Tuesday when the open-source Metasploit penetration tool posted an exploit module crafted by researcher Joshua Drake.
According to Metasploit , successful attacks are capable of compromising victimized PCs, then introducing malware to the machines to pillage them for information or enlist them in a criminal botnet.
The vulnerability exists in Windows' graphics rendering engine, which improperly handles thumbnail images, and can be triggered when a user views a folder containing a specially crafted thumbnail with Windows' file manager, or opens or views some Office documents.
Attackers could feed users malicious PowerPoint or Word documents containing a malformed thumbnail, then exploit their PCs if the document was opened or even previewed, said Microsoft. Alternately, hackers could hijack machines by convincing users to view a rigged thumbnail on a network shared folder or drive, or in an online WebDAV file-sharing folder.
"This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system," Microsoft's advisory stated.
"The vulnerability is exploited by setting the number of color indexes in the color table [of the image file] to a negative number," added Johannes Ullrich , the chief research officer at the SANS Institute.
Microsoft recommended a temporary workaround that protects PCs against attack until a patch is released. The workaround, which adds more restrictions on the "shimgvw.dll" file -- the component that previews images within Windows -- requires users to type a string of characters at a command prompt. Doing so, however, means that "media files typically handled by the Graphics Rendering Engine will not be displayed properly," said Microsoft.
While Microsoft said it didn't know of any active attacks, the new bug is another to add to a growing list of unpatched vulnerabilities, said Andrew Storms, director of security at nCircle Security.
"The pressure is on Microsoft," said Storms in an instant message interview. "They already have an outstanding zero-day in [Internet Explorer] plus a WMI Active X bug that Secunia issued a warning about [on Dec. 22]. Combine those concerns with a much bigger side story regarding cross_fuzz and now [an] image handling bug all make it a happy new year for Microsoft."