Microsoft zero-day: Exploited by just viewing thumbnail

By Richi Jennings. January 5, 2011.

Another day, another unpatched remote code execution vulnerability in Windows. This time, Microsoft is scrambling to deal with a bug that allows a crafty image thumbnail to take over your PC. In IT Blogwatch, bloggers feel the fear.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention Begin feeling...


Gregg Keizer has the bad news:

The vulnerability exists in Windows' graphics rendering engine ... and can be triggered when a user views a folder ... with Windows' file manager, or opens or views some Office documents. ... Attackers could feed users malicious PowerPoint or Word documents containing a malformed thumbnail, then exploit their PCs if the document was opened or even previewed. ... Alternately, hackers could ... convince users to view a rigged thumbnail on a network shared folder or drive, or in an online WebDAV file-sharing folder.


Microsoft acknowledged the bug ... and said Windows XP, Vista, Server 2003 and Server 2008 were vulnerable ... Windows 7 and Server 2008 R2 were not. ... A patch is under construction, but Microsoft does not plan to issue an emergency, or "out-of-band," update to fix the flaw. ... The next regularly-scheduled Microsoft Patch Tuesday is Jan. 11. ... A fix is very unlikely next week.

Tony Bradley adds:

There are not yet any reported attacks exploiting this flaw. That being said ... now that it is public knowledge the threat of an attack being developed goes up substantially. ... As a temporary workaround ... Microsoft recommends modifying the access control list (ACL) for the shimgvw.dll file. ... Just be warned that modifying the ACL will result in files that are typically handled by the graphics rendering engine not displaying properly.


If the vulnerability ... starts to be actively used to compromise systems in the wild, it is possible that Microsoft could rush an out-of-band patch before the February Patch Tuesday [on] February 8.

Microsoft's Angela Gunn breaks out the abbreviations:

We have initiated our Software Security Incident Response Process (SSIRP) ... and we are sharing detailed information through the Microsoft Active Protections Program (MAPP). Our 70 global MAPP partners, including leading providers of anti-virus and anti-malware products, provide protections for an estimated one billion customers worldwide.


If your protection provider is in our MAPP program, you can contact them concerning the status of providing protections for this issue as it is likely that updated malware signatures in these products will offer further protection.


Happy New Year.

Larry Seltzer searches for meaning:

No real details on the problem were provided. The CVE entry for the vulnerability ... lists as a reference, but nothing on that page looks obviously relevant.

But Robert Westervelt gives credit where credit's due:

The vulnerability was first highlighted in a presentation by security researchers Moti Joseph and Xu Hao at the Power of Community security conference in Korea. The maintainers of the Metasploit Framework created a module for the zero-day flaw Tuesday.

Meanwhile, Julie Bort is even-handed:

Microsoft said its tests show it's not an e-mail drive-by ... users have to open an attachment. ... That's the good news. The bad news is that it can also be exploited by users who visit a Website that is hosting an evil graphic.

If that should happen, the hacker could practically own the PC.


And Finally...

Begin feeling


Richi Jennings, your humble blogwatcher
  Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. A cross-functional IT geek since 1985, you can follow him as @richi on Twitter, pretend to be richij's friend on Facebook, or just use good old email:

You can also read Richi's full profile and disclosure of his industry affiliations.

Copyright © 2011 IDG Communications, Inc.
