Microsoft confirms new Windows zero-day bug
Hackers can use malformed images to hijack XP, Vista, Server 2003 and 2008
Computerworld - Microsoft today confirmed an unpatched vulnerability in Windows just hours after a hacking toolkit published an exploit for the bug.
A patch is under construction, but Microsoft does not plan to issue an emergency, or "out-of-band," update to fix the flaw.
The bug was first discussed Dec. 15 at a South Korean security conference, but got more attention Tuesday when the open-source Metasploit penetration tool posted an exploit module crafted by researcher Joshua Drake.
According to Metasploit, successful attacks are capable of compromising victimized PCs, then introducing malware to the machines to pillage them for information or enlist them in a criminal botnet.
The vulnerability exists in Windows' graphics rendering engine, which improperly handles thumbnail images, and can be triggered when a user views a folder containing a specially crafted thumbnail with Windows' file manager, or opens or views some Office documents.
Attackers could feed users malicious PowerPoint or Word documents containing a malformed thumbnail, then exploit their PCs if the document was opened or even previewed, said Microsoft. Alternatively, hackers could hijack machines by convincing users to view a rigged thumbnail on a network shared folder or drive, or in an online WebDAV file-sharing folder.
"This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system," Microsoft's advisory stated.
"The vulnerability is exploited by setting the number of color indexes in the color table [of the image file] to a negative number," added Johannes Ullrich, the chief research officer at the SANS Institute.
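As an added defensive example (not code from the Computerworld article, Microsoft's advisory or Metasploit), the check below parses a Windows DIB `BITMAPINFOHEADER` and reports the malformed colour table count Ullrich describes, reading the field as a signed value so a negative count is recognised rather than silently treated as a huge one. It assumes the thumbnail is a Windows bitmap, the format whose header carries that count; the sample headers are constructed inline.

```python
import struct

# BITMAPINFOHEADER (40 bytes, little-endian) as laid out in the Windows DIB format.
# biClrUsed, at offset 32, is the count of colour table entries; it is read here as a
# SIGNED 32-bit integer so a negative value shows up as negative, not as ~4 billion.
BITMAPINFOHEADER_FMT = "<IiiHHIIiiiI"
HEADER_LEN = struct.calcsize(BITMAPINFOHEADER_FMT)   # 40


def check_dib_color_table(data: bytes) -> list:
    """Return a list of findings for one DIB header; an empty list means it passed.

    These are the checks a hardened decoder should make before sizing or copying
    the colour table: reject a negative count and a count larger than the pixel
    depth can address (2**bpp entries for palettised images of 8 bpp or less).
    """
    findings = []
    if len(data) < HEADER_LEN:
        return ["header truncated (%d bytes)" % len(data)]
    (bi_size, _w, _h, _planes, bpp, _comp, _img_size,
     _xppm, _yppm, clr_used, _clr_imp) = struct.unpack(BITMAPINFOHEADER_FMT,
                                                        data[:HEADER_LEN])
    if bi_size < HEADER_LEN:
        findings.append("biSize %d smaller than BITMAPINFOHEADER" % bi_size)
    if clr_used < 0:
        findings.append("negative color table count (%d)" % clr_used)
    elif bpp <= 8 and clr_used > (1 << bpp):
        findings.append("color table count %d exceeds %d entries addressable at %d bpp"
                        % (clr_used, 1 << bpp, bpp))
    return findings


def build_dib_header(width: int, height: int, bpp: int, clr_used: int) -> bytes:
    """Constructed sample header (not taken from any real file); only the fields
    relevant to the check carry meaningful values."""
    return struct.pack(BITMAPINFOHEADER_FMT, HEADER_LEN, width, height, 1, bpp,
                       0, 0, 2835, 2835, clr_used, 0)


# Constructed samples: a benign 8-bpp header and two malformed colour table counts.
SAMPLES = {
    "benign_8bpp": build_dib_header(16, 16, 8, 256),
    "negative_count": build_dib_header(16, 16, 8, -1),
    "oversized_count": build_dib_header(16, 16, 4, 0x7FFFFFFF),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(name, check_dib_color_table(hdr) or "ok")
```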
Microsoft recommended a temporary workaround that protects PCs against attack until a patch is released. The workaround, which adds more restrictions on the "shimgvw.dll" file -- the component that previews images within Windows -- requires users to type a string of characters at a command prompt. Doing so, however, means that "media files typically handled by the Graphics Rendering Engine will not be displayed properly," said Microsoft.
While Microsoft said it didn't know of any active attacks, the new bug is another to add to a growing list of unpatched vulnerabilities, said Andrew Storms, director of security at nCircle Security.
"The pressure is on Microsoft," said Storms in an instant message interview. "They already have an outstanding zero-day in [Internet Explorer] plus a WMI Active X bug that Secunia issued a warning about [on Dec. 22]. Combine those concerns with a much bigger side story regarding cross_fuzz and now [an] image handling bug all make it a happy new year for Microsoft."
Microsoft confirmed a critical bug in IE two weeks ago; on Sunday, Google security engineer Michal Zalewski said he had evidence that Chinese hackers were probing a different flaw in Microsoft's browser.
"With Microsoft just closing the door on its largest patch year yet, 2011 is not starting out in a positive direction," Storms said.
Last year, Microsoft issued a record 106 security bulletins to patch a record 266 vulnerabilities.
The next regularly scheduled Microsoft Patch Tuesday is Jan. 11. If the company maintains its normal development and testing pace, a fix is very unlikely next week.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is firstname.lastname@example.org.