Exploit code for a new Windows security bug has gone public, prompting Microsoft today to issue an advisory to warn users.
So far, no attacks taking advantage of the bug have been seen in the wild, Microsoft reported. The vulnerability lies in the Windows Graphic Rendering Engine and, according to Microsoft, can be used by an attacker to run arbitrary code in the context of the logged-on user.
“Today we released Security Advisory 2490606, which addresses a publicly disclosed vulnerability affecting Microsoft Windows Graphics Rendering Engine on Vista, Server 2003, and Windows XP. … The vulnerability does not affect Windows 7 or Windows Server 2008 R2, the newest versions of our operating system,” blogged Angela Gunn, senior marketing communications manager of Trustworthy Computing at Microsoft.
“To target this vulnerability, an attacker must convince a user to visit a specially crafted malicious Web page, or to open a malicious Word or PowerPoint file,” Gunn added. “Furthermore, users whose accounts are configured to have fewer user rights on the system would be less affected by an attack than those running with administrative rights. The Advisory includes further mitigations and workarounds to protect our customers.”
According to HD Moore, chief security officer at Rapid7, the bug was first presented at a Korean security conference last month. Exploit code for it has been added to Rapid7’s Metasploit Framework, a penetration testing tool.
“The biggest challenge was working around DEP [data execution prevention] and ASLR [addresses space layout randomization], but the current exploit is reliable on XP SP3 and Windows 2000,” Moore said. “It should be possible to port this to Windows 7 and embed it in a variety of file types (DOC, PPT, etc.), but the current version has a somewhat limited use case.”
He explained the attacker must persuade the user to browse a directory containing the file in Thumbnails mode and that the exploit relies on a complicated return path using ROP (return-oriented programming) that may not work when a certain multimedia codec is updated.
“Until the exploit is ported to work within OLE containers (DOC/PPT/etc.), I don’t think we will see widespread exploitation for the reasons above,” he said.
Jerry Bryant, group manager of response communications for Microsoft, said the issue does not currently rise to the level where it would require an out-of-band patch, but the company is working on a fix. Microsoft’s first Patch Tuesday update of the year is scheduled for Jan. 11.
As a workaround, users can follow the directions in the advisory to modify the access control list on shimgvw.dll.
“The real danger this vulnerability poses is that it can be exploited simply by getting a user to view a malicious thumbnail image associated with a number of different document types, including Microsoft Word,” explained Joshua Talbot, security intelligence manager for Symantec Security Response. “Although a fix for this issue is not currently available, Microsoft has provided a workaround to help mitigate the impact of this vulnerability until it is patched. Users of all the affected operating systems-which range from Windows 2000 to Windows Vista to Windows Server 2008-should use caution when handling untrusted files and avoid following untrusted links. Monitoring networks for unexpected traffic to file shares might also aid in detecting attempted attacks.”