January 5, 2011

New Windows Zero-day Bug Warning Issued By Microsoft

Just hours after a hacking toolkit published an exploit for the bug, Microsoft confirmed an unpatched vulnerability in Windows and said a patch for the bug was under construction for its next update.

Microsoft said Tuesday that it would not issue an emergency update for the bug, however. The patch will not be available until January 11.

"Microsoft already has an outstanding zero-day in IE, a WMI ActiveX control bug that Secunia issued a warning about, a much bigger side story regarding 'cross_fuzz' and, today, a new zero-day image handling bug. It's just three days into 2011 and the security trend line for Microsoft doesn't look good," Andrew Storms, director of security operations for nCircle, said in an email to PC World.

The bug was first revealed on December 15 at a South Korean security conference, but got more attention Tuesday when the open-source Metasploit penetration tool posted an exploit module crafted by researcher Joshua Drake.

Successful attacks can compromise targeted PCs, then introduce malicious software to the machines to steal personal information or enlist them in a criminal botnet, according to Metasploit.

The vulnerability exists in Windows' graphics rendering engine, which improperly handles thumbnail images, and can be triggered when a user views a folder containing a specially crafted thumbnail with Windows' file manager, or opens or views some Office documents.

According to the Microsoft security advisory, "An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the logged-on user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

Microsoft acknowledged that the bug could affect users running Windows XP, Vista, Server 2003 and Server 2008. The newest operating systems, Windows 7 and Server 2008 R2, are not affected.

Attackers could plant a malformed thumbnail in PowerPoint and Word documents, then exploit users' PCs if the document was opened or even previewed, according to Microsoft. Also, hackers can hijack machines by convincing users to view a malicious thumbnail on a network shared folder or drive, or even in an online WebDAV file-sharing folder.

"What's news is a new vulnerability appears to have been discovered in the Windows graphics rendering engine that can be exploited via a rigged .WMF image file. Since it doesn't require much user involvement (i.e. simply viewing an image) and can run arbitrary code including installing rootkits/Trojans, the vulnerability has the potential to be severe," Anup Ghosh, founder and chief scientist of Invincea, told PC World magazine.

"This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system," said Microsoft's advisory.

"The vulnerability is exploited by setting the number of color indexes in the color table [of the image file] to a negative number," Johannes Ullrich, the chief research officer at the SANS Institute, told Computer World.
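A defensive check for the condition Ullrich describes, as an added example that is not from the article, Microsoft or SANS. It assumes the field in question is `biClrUsed` in a 40-byte BITMAPINFOHEADER (the article does not name the structure); the function and enum names, the 256-entry cap for non-palettised formats and the sample headers are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes for the header check (names are this example's own). */
enum dib_check { DIB_OK = 0, DIB_TRUNCATED, DIB_BAD_SIZE, DIB_BAD_BITCOUNT, DIB_BAD_CLRUSED };

/* Little-endian field readers that make no alignment assumptions. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Validate the colour-count field of a 40-byte BITMAPINFOHEADER before any
 * code sizes or copies a colour table from it. */
enum dib_check check_dib_header(const uint8_t *buf, size_t len) {
    if (len < 40) return DIB_TRUNCATED;
    if (rd32(buf) != 40) return DIB_BAD_SIZE;   /* biSize */
    uint16_t bits = rd16(buf + 14);             /* biBitCount */
    uint32_t clr_used = rd32(buf + 32);         /* biClrUsed, kept unsigned */
    if (bits != 1 && bits != 4 && bits != 8 && bits != 16 && bits != 24 && bits != 32)
        return DIB_BAD_BITCOUNT;
    /* A value with the top bit set is negative to code that stores the field
     * in a signed int, and would slip past a signed "count <= max" test. */
    if (clr_used > INT32_MAX) return DIB_BAD_CLRUSED;
    /* Palettised formats can index at most 2^bits entries. */
    if (bits <= 8 && clr_used > (1u << bits)) return DIB_BAD_CLRUSED;
    /* 16/24/32 bpp: table is optional; the 256 cap is this example's policy. */
    if (bits > 8 && clr_used > 256) return DIB_BAD_CLRUSED;
    return DIB_OK;
}

/* Build a constructed sample header with the given bit depth and colour count. */
static void make_header(uint16_t bits, uint32_t clr_used, uint8_t out[40]) {
    memset(out, 0, 40);
    out[0] = 40; out[12] = 1;                   /* biSize, biPlanes */
    out[14] = (uint8_t)bits; out[15] = (uint8_t)(bits >> 8);
    for (int i = 0; i < 4; i++) out[32 + i] = (uint8_t)(clr_used >> (8 * i));
}

int main(void) {
    uint8_t h[40];
    make_header(8, 256, h);                     /* well-formed 8 bpp header */
    printf("normal: %d\n", check_dib_header(h, sizeof h));
    make_header(8, 0xFFFFFFFFu, h);             /* -1 when read as signed */
    printf("negative count: %d\n", check_dib_header(h, sizeof h));
    return 0;
}
```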

Microsoft recommends a temporary workaround that protects computers against an attack until it releases the patch next week. The workaround, which adds more restrictions on the "shimgvw.dll" file -- the component that previews images within Windows -- requires users to type a string of characters at a command prompt. Doing so, however, means that "media files typically handled by the Graphics Rendering Engine will not be displayed properly," said Microsoft.

While Microsoft said it didn't know of any active attacks, the new bug is among a growing list of unpatched vulnerabilities, said Storms.

Microsoft confirmed a critical bug in IE two weeks ago. On Sunday, Google security engineer Michal Zalewski said he had evidence that Chinese hackers were working on utilizing another flaw in Microsoft's browser.

"With Microsoft just closing the door on its largest patch year yet, 2011 is not starting out in a positive direction," said Storms.

Last year, Microsoft issued a record 106 security bulletins to patch a record 266 vulnerabilities. The next regularly-scheduled Microsoft Patch Tuesday is January 11. However, if the company maintains its normal development and testing pace, a fix is very unlikely next week. 
