Microsoft confirms new Windows zero-day bug
Hackers can use malformed images to hijack XP, Vista, Server 2003 and 2008
Computerworld - Microsoft today confirmed an unpatched vulnerability in Windows just hours after a hacking toolkit published an exploit for the bug.
A patch is under construction, but Microsoft does not plan to issue an emergency, or "out-of-band," update to fix the flaw.
The bug was first discussed Dec. 15 at a South Korean security conference, but got more attention Tuesday when the open-source Metasploit penetration tool posted an exploit module crafted by researcher Joshua Drake.
According to Metasploit, successful attacks are capable of compromising victimized PCs, then introducing malware to the machines to pillage them for information or enlist them in a criminal botnet.
The vulnerability exists in Windows' graphics rendering engine, which improperly handles thumbnail images, and can be triggered when a user views a folder containing a specially crafted thumbnail with Windows' file manager, or opens or views some Office documents.
Attackers could feed users malicious PowerPoint or Word documents containing a malformed thumbnail, then exploit their PCs if the document was opened or even previewed, said Microsoft. Alternately, hackers could hijack machines by convincing users to view a rigged thumbnail on a network shared folder or drive, or in an online WebDAV file-sharing folder.
"This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system," Microsoft's advisory stated.
"The vulnerability is exploited by setting the number of color indexes in the color table [of the image file] to a negative number," added Johannes Ullrich, the chief research officer at the SANS Institute.
Microsoft recommended a temporary workaround that protects PCs against attack until a patch is released. The workaround, which adds more restrictions on the "shimgvw.dll" file -- the component that previews images within Windows -- requires users to type a string of characters at a command prompt. Doing so, however, means that "media files typically handled by the Graphics Rendering Engine will not be displayed properly," said Microsoft.
While Microsoft said it didn't know of any active attacks, the new bug is another to add to a growing list of unpatched vulnerabilities, said Andrew Storms, director of security at nCircle Security.
"The pressure is on Microsoft," said Storms in an instant message interview. "They already have an outstanding zero-day in [Internet Explorer] plus a WMI Active X bug that Secunia issued a warning about [on Dec. 22]. Combine those concerns with a much bigger side story regarding cross_fuzz and now [an] image handling bug all make it a happy new year for Microsoft."
Microsoft confirmed a critical bug in IE two weeks ago; on Sunday, Google security engineer Michal Zalewski said he had evidence that Chinese hackers were probing a different flaw in Microsoft's browser.
"With Microsoft just closing the door on its largest patch year yet, 2011 is not starting out in a positive direction," Storms said.
Last year, Microsoft issued a record 106 security bulletins to patch a record 266 vulnerabilities.
The next regularly-scheduled Microsoft Patch Tuesday is Jan. 11. If the company maintains its normal development and testing pace, a fix is very unlikely next week.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- 5 Ways Dropbox for Business Keeps Your Data Protected Protecting your data isn't a feature on a checklist, something to be tacked on as an afterthought. Download here to find out how...
- The Keys to Securing Data in a Collaborative Workplace Losing data is costly. IT professionals have spent years learning how to protect their organizations from hackers, but how do you ward off...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!