Microsoft confirms new Windows zero-day bug

Computerworld - Microsoft today confirmed an unpatched vulnerability in Windows just hours after a hacking toolkit published an exploit for the bug.

A patch is under construction, but Microsoft does not plan to issue an emergency, or "out-of-band," update to fix the flaw.

The bug was first discussed Dec. 15 at a South Korean security conference, but got more attention Tuesday when the open-source Metasploit penetration tool posted an exploit module crafted by researcher Joshua Drake.

According to Metasploit, successful attacks are capable of compromising victimized PCs, then introducing malware to the machines to pillage them for information or enlist them in a criminal botnet.

The vulnerability exists in Windows' graphics rendering engine, which improperly handles thumbnail images, and can be triggered when a user views a folder containing a specially crafted thumbnail with Windows' file manager, or opens or views some Office documents.

Microsoft acknowledged the bug in a security advisory, and said Windows XP, Vista, Server 2003 and Server 2008 were vulnerable. The newest operating systems, Windows 7 and Server 2008 R2, were not.

Attackers could feed users malicious PowerPoint or Word documents containing a malformed thumbnail, then exploit their PCs if the document was opened or even previewed, said Microsoft. Alternately, hackers could hijack machines by convincing users to view a rigged thumbnail on a network shared folder or drive, or in an online WebDAV file-sharing folder.

"This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system," Microsoft's advisory stated.

"The vulnerability is exploited by setting the number of color indexes in the color table [of the image file] to a negative number," added Johannes Ullrich, the chief research officer at the SANS Institute.

Microsoft recommended a temporary workaround that protects PCs against attack until a patch is released. The workaround, which adds more restrictions on the "shimgvw.dll" file -- the component that previews images within Windows -- requires users to type a string of characters at a command prompt. Doing so, however, means that "media files typically handled by the Graphics Rendering Engine will not be displayed properly," said Microsoft.

While Microsoft said it didn't know of any active attacks, the new bug is another to add to a growing list of unpatched vulnerabilities, said Andrew Storms, director of security at nCircle Security.

"The pressure is on Microsoft," said Storms in an instant message interview. "They already have an outstanding zero-day in [Internet Explorer] plus a WMI Active X bug that Secunia issued a warning about [on Dec. 22]. Combine those concerns with a much bigger side story regarding cross_fuzz and now [an] image handling bug all make it a happy new year for Microsoft."

Microsoft confirmed a critical bug in IE two weeks ago; on Sunday, Google security engineer Michal Zalewski said he had evidence that Chinese hackers were probing a different flaw in Microsoft's browser.

"With Microsoft just closing the door on its largest patch year yet, 2011 is not starting out in a positive direction," Storms said.

Last year, Microsoft issued a record 106 security bulletins to patch a record 266 vulnerabilities.

The next regularly-scheduled Microsoft Patch Tuesday is Jan. 11. If the company maintains its normal development and testing pace, a fix is very unlikely next week.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com.

Read more about Security in Computerworld's Security Topic Center.