Microsoft Advisory: Vulnerability in Graphics Rendering Engine

Published: 2011-01-04. Last Updated: 2011-01-05 19:39:23 UTC
by Johannes Ullrich (Version: 1)
---
Update #3: A "Fix-it" tool is now available to make it easier to apply the workaround. Don't forget to reboot just in case. The workaround does have some side effects; read the advisory for details.
---

Microsoft published KB Article 2490606 [1]. It describes a vulnerability in the Windows Graphics Rendering Engine that could lead to remote code execution. The vulnerability has been assigned CVE-2010-3970 [2].

All current versions of Windows, with the exception of Windows 7 and 2008 R2, are vulnerable.

The vulnerability is exploited via malicious thumbnail images that may be attached to various documents (e.g. Microsoft Office documents). The most likely exploit vector would use e-mail attachments. However, it is also possible to use network shares.

There is currently no patch available. However, it is possible to modify the access control list on shimgvw.dll to prevent rendering of thumbnails (this affects all thumbnails, not just malicious ones). See the Microsoft advisory for details.

This particular vulnerability was disclosed in December 2010 by Moti and Xu Hao at the "Power of Community" conference. The conference presentation outlines in some detail how to create a file to exploit this vulnerability. The thumbnail itself is stored in the file as a bitmap. The vulnerability is triggered by setting the number of color indexes in the bitmap's color table (the biClrUsed field of the BITMAPINFOHEADER) to a negative number.
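Since the trigger is a single header field, a defender can look for it directly. The following Python check is an added example, not code from the diary, from Microsoft, or from the conference slides. It relies only on the standard 40-byte BITMAPINFOHEADER layout (biClrUsed is the unsigned 32-bit field at offset 32), scans an arbitrary blob for plausible DIB headers so that it also covers thumbnails embedded inside other documents, and flags a biClrUsed that is negative when read as a signed integer or larger than the palette the bit depth allows. The function names and the two sample headers are constructed for the example.

```python
import struct

# BITMAPINFOHEADER: biSize, biWidth, biHeight, biPlanes, biBitCount,
# biCompression, biSizeImage, biXPelsPerMeter, biYPelsPerMeter,
# biClrUsed, biClrImportant (little-endian, 40 bytes in total).
_DIB_FMT = "<IiiHHIIiiII"
_DIB_SIZE = struct.calcsize(_DIB_FMT)          # 40
_DIB_MAGIC = struct.pack("<I", _DIB_SIZE)      # b"\x28\x00\x00\x00"


def _info_header(width, height, bitcount, clr_used):
    """Build a constructed BITMAPINFOHEADER; clr_used is packed as raw uint32."""
    return struct.pack(_DIB_FMT, _DIB_SIZE, width, height, 1, bitcount,
                       0, 0, 0, 0, clr_used & 0xFFFFFFFF, 0)


# Constructed 14-byte BITMAPFILEHEADER ("BM", file size, reserved, pixel offset).
_BMP_FILE_HEADER = struct.pack("<2sIHHI", b"BM", 14 + _DIB_SIZE, 0, 0, 14 + _DIB_SIZE)

# Constructed samples for the checks below (headers only, no pixel data).
BENIGN_BMP = _BMP_FILE_HEADER + _info_header(16, 16, 8, 256)
SUSPICIOUS_BMP = _BMP_FILE_HEADER + _info_header(16, 16, 8, -1)


def check_dib_header(hdr):
    """Return a list of findings for one 40-byte BITMAPINFOHEADER (empty = ok)."""
    (size, _width, _height, _planes, bitcount, _comp, _img_size,
     _xppm, _yppm, clr_used, _clr_important) = struct.unpack(_DIB_FMT, hdr)
    if size != _DIB_SIZE:
        return ["not a BITMAPINFOHEADER (biSize=%d)" % size]
    findings = []
    # Reinterpret the unsigned field as the signed int a careless parser would see.
    signed_clr_used = struct.unpack("<i", struct.pack("<I", clr_used))[0]
    if signed_clr_used < 0:
        findings.append("biClrUsed is negative as a signed int (%d)" % signed_clr_used)
    # At <= 8 bpp the palette can hold at most 2**bitcount entries.
    if bitcount <= 8 and clr_used > (1 << bitcount):
        findings.append("biClrUsed %d exceeds the %d palette entries possible at %d bpp"
                        % (clr_used, 1 << bitcount, bitcount))
    return findings


def scan_for_dib(data):
    """Scan a blob for plausible BITMAPINFOHEADERs; return [(offset, findings)]."""
    results = []
    pos = data.find(_DIB_MAGIC)
    while pos != -1 and pos + _DIB_SIZE <= len(data):
        hdr = data[pos:pos + _DIB_SIZE]
        fields = struct.unpack(_DIB_FMT, hdr)
        planes, bitcount = fields[3], fields[4]
        # Plausibility filter: biPlanes must be 1 and biBitCount a legal value.
        if planes == 1 and bitcount in (1, 4, 8, 16, 24, 32):
            results.append((pos, check_dib_header(hdr)))
        pos = data.find(_DIB_MAGIC, pos + 1)
    return results


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for offset, findings in scan_for_dib(fh.read()):
                print("%s @ 0x%x: %s" % (path, offset, findings or "ok"))
```

Run it over files from a mail quarantine or a share (`python dibcheck.py suspect.doc`); every plausible header is reported, and a hit on the signed-negative check is a strong indicator given how this bug is triggered. Expect false positives from the magic-byte scan on random data, which is why the plausibility filter on biPlanes and biBitCount is there, and treat the result as a triage signal rather than a verdict.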

The published slides do provide hints on how to exploit this vulnerability including bypassing SafeSEH and DEP.

Update: There is now an MSRC blog post about this issue [3].

Update #2 (by jcb): There is also a Metasploit module out to exploit this vulnerability.

[1] http://www.microsoft.com/technet/security/advisory/2490606.mspx
[2] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3970
[3] http://blogs.technet.com/b/msrc/archive/2011/01/04/microsoft-releases-security-advisory-2490606.aspx

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Comments

Two notes on the workaround. Rebooting (or at least logging out and back in) may be required for the DLL to be freed from memory. One observed side effect under Windows XP is that the image preview utility stops opening (no error message - double-clicking on an image file just fails to work).
Microsoft Security Advisory (2490606)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/2490606.mspx
• V1.1 (January 5, 2011): Added a link* to the automated Microsoft Fix it solution for the Modify the Access Control List (ACL) on shimgvw.dll workaround.
* http://support.microsoft.com/kb/2490606#FixItForMe
January 5, 2011 - Revision: 2.1
---
[Impact of Workaround: Media files typically handled by the Graphics Rendering Engine will not be displayed properly...]
It's a little unclear how this works. Is the vulnerability specific to some strange thumbnail file format and/or the thumbnails Windows Explorer can display in file view? So it couldn't be exploited by spreading malicious jpgs or pngs etc?

Then there's the network share/WebDAV/UNC vector. I've got a lot of single user home PC types asking about this. What would be the best way to prevent exploiting vulnerabilities like this through network shares/WebDAV/UNC locations, considering that the user does not need to do any file or printer or any kind of sharing, just one PC with one user using the internet, and there's just Windows firewall, no routers or other external hardware? Any quick & safe way to completely disable access to any network shares, WebDAV and UNC locations in Win XP?

Thanks for any ideas, guys
anyone understand why the 'fix it' for both zero-day advisories are the same?
http://www.microsoft.com/technet/security/advisory/2490606.mspx under workaround section => http://support.microsoft.com/kb/2490606 > fixit #50590

http://www.microsoft.com/technet/security/advisory/2488013.mspx under suggested actions => http://support.microsoft.com/kb/2488013 => with links to fixit #50590

Does the same Fix It work for both?

grrrrrrr
@thegeeknme
No, the links etc. in KB2488013 regarding the Fix It are plain simple false (surprise). They meant to link to Fix It 50591 and 50592 to undo the changes. While Fix It 50590 has been revised without note yesterday too (it now works correctly on localized Windows XP versions too by not using "everyone" but the localized user string for that "group"), the correct links for the Fix It(s) for KB/Advisory 2488013 are mentioned in http://blogs.technet.com/b/srd/archive/2011/01/11/new-workaround-included-in-security-advisory-2488013.aspx - including a comprehensive description.
They've corrected the links in KB2488013 to the accurate Fix It versions in the meantime. "Nice" to see an MSKB article in "Version 3.0" only 15 hours after MS released it...