Microsoft issues an advisory on a Windows security vulnerability after exploit code went public. The bug is not under attack, according to the company.
Exploit code for a new Windows security bug has gone public,
prompting Microsoft today to issue an advisory to warn users.
So far, no attacks taking advantage of the bug have been seen in the
wild, Microsoft reported. The vulnerability lies in the Windows Graphic
Rendering Engine and, according to Microsoft, can be used by an attacker to run
arbitrary code in the context of the logged-on user.
"Today we released Security
Advisory 2490606, which addresses a publicly disclosed vulnerability
affecting Microsoft Windows Graphics Rendering Engine on Vista,
Server 2003, and Windows XP. ... The vulnerability does not affect Windows 7 or
Windows Server 2008 R2, the newest versions of our operating system,"
blogged Angela Gunn, senior marketing communications manager of Trustworthy
Computing at Microsoft.
"To target this vulnerability, an attacker must convince a user to
visit a specially crafted malicious Web page, or to open a malicious Word or
PowerPoint file," Gunn added. "Furthermore, users whose accounts are
configured to have fewer user rights on the system would be less affected by an
attack than those running with administrative rights. The Advisory includes
further mitigations and workarounds to protect our customers."
According to HD Moore, chief security officer at Rapid7, the bug was first
presented at a Korean security conference last month. Exploit code for it has
been added to Rapid7's Metasploit Framework, a penetration testing tool.
"The biggest challenge was working around DEP [data execution
prevention] and ASLR [addresses space layout randomization], but the current
exploit is reliable on XP SP3 and Windows 2000," Moore
said. "It should be possible to port this to Windows 7 and embed it in a
variety of file types (DOC, PPT, etc.), but
the current version has a somewhat limited use case."
He explained the attacker must persuade the user to browse a directory
containing the file in Thumbnails mode and that the exploit relies on a
complicated return path using ROP
(return-oriented programming) that may not work when a certain multimedia
codec is updated.
"Until the exploit is ported to work within OLE containers (DOC/PPT/etc.),
I don't think we will see widespread exploitation for the reasons above,"
Jerry Bryant, group manager of response communications for Microsoft, said
the issue does not currently rise to the level where it would require an
out-of-band patch, but the company is working on a fix. Microsoft's first Patch
Tuesday update of the year is scheduled for Jan. 11.
As a workaround, users can follow the directions in the advisory to modify
the access control list on shimgvw.dll.
"The real danger this vulnerability poses is that it can be exploited
simply by getting a user to view a malicious thumbnail image associated with a
number of different document types, including Microsoft Word," explained
Joshua Talbot, security intelligence manager for Symantec Security Response. "Although
a fix for this issue is not currently available, Microsoft has provided a workaround
to help mitigate the impact of this vulnerability until it is patched. Users of
all the affected operating systems-which range from Windows 2000 to Windows
Vista to Windows Server 2008-should use caution when handling untrusted files
and avoid following untrusted links. Monitoring networks for unexpected traffic
to file shares might also aid in detecting attempted attacks."