Zero-day Windows exploit - Microsoft issues advisory

Filed Under: Malware, Microsoft, Vulnerability, Windows

Microsoft has just published an advisory about a remotely-exploitable vulnerability in the Windows graphics rendering engine. A patch isn't available yet, but with Patch Tuesday just a week away, we can hope that it will be knocked on the head then.

The bug was presented as a sort-of "hacker case study" at a recent hacking convention in Korea, and a working exploit was recently added to the freely-available Metasploit Framework by a developer named jduck.

Fortunately, the Metasploit exploit code is rather limited, officially targeting only Windows 2000 and Windows XP SP3, but it does serve as a documented proof-of-concept for anyone who cares to study it.

According to jduck (no relation to me - his real name is Joshua Drake, geddit?), the vulnerability exists in code which processes a DIB (device-independent bitmap), allowing a "stack-based buffer overflow in the handling of thumbnails within .MIC files and various Office documents."
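To make the bug class concrete, here is an added illustration (written for this article, not code from shimgvw.dll, from Microsoft, or from the Metasploit module) of how a DIB loader ends up with a stack-based buffer overflow, beside a hardened version of the same routine. The 40-byte header layout is the public BITMAPINFOHEADER format; everything else is an assumption for the sake of the example: the parser and its function names are made up, the palette-count pattern is one typical way this class of overflow arises and is not a claim about the actual root cause of CVE-2010-3970, and the two input files are constructed in the code rather than taken from real samples.

```c
/* Added example: a toy DIB palette loader, vulnerable and hardened.
 * Header layout is the public BITMAPINFOHEADER; function names and the
 * specific bug are illustrative, not the real Windows code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BIH_SIZE    40u    /* sizeof(BITMAPINFOHEADER) */
#define MAX_PALETTE 256u   /* largest palette an 8-bit DIB can index */

typedef struct {
    uint32_t biSize;
    int32_t  biWidth, biHeight;
    uint16_t biPlanes, biBitCount;
    uint32_t biCompression, biSizeImage;
    int32_t  biXPelsPerMeter, biYPelsPerMeter;
    uint32_t biClrUsed, biClrImportant;
} bih_t;

/* Little-endian field readers/writers (DIB fields are little-endian). */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Parse the 40-byte header; 0 on success, -1 if the buffer is too short. */
static int parse_bih(const uint8_t *buf, size_t len, bih_t *h) {
    if (len < BIH_SIZE) return -1;
    h->biSize = rd32(buf);            h->biWidth = (int32_t)rd32(buf + 4);
    h->biHeight = (int32_t)rd32(buf + 8);
    h->biPlanes = rd16(buf + 12);     h->biBitCount = rd16(buf + 14);
    h->biCompression = rd32(buf + 16); h->biSizeImage = rd32(buf + 20);
    h->biXPelsPerMeter = (int32_t)rd32(buf + 24); h->biYPelsPerMeter = (int32_t)rd32(buf + 28);
    h->biClrUsed = rd32(buf + 32);    h->biClrImportant = rd32(buf + 36);
    return 0;
}

/* Palette entries the file claims: biClrUsed, or 2^biBitCount when biClrUsed
 * is 0 for an indexed-colour image. This value comes straight from the file. */
static uint32_t palette_entries(const bih_t *h) {
    if (h->biClrUsed != 0) return h->biClrUsed;
    if (h->biBitCount <= 8) return 1u << h->biBitCount;
    return 0;
}

/* VULNERABLE: copies as many 4-byte entries as the file asks for into a fixed
 * 256-entry stack buffer. biClrUsed > 256 writes past 'pal' -- a stack-based
 * buffer overflow -- and also reads past the end of 'buf'. Shown to be read;
 * never feed it hostile input. */
static int load_palette_vulnerable(const uint8_t *buf, size_t len) {
    bih_t h; uint32_t pal[MAX_PALETTE];
    if (parse_bih(buf, len, &h) != 0) return -1;
    uint32_t n = palette_entries(&h);
    memcpy(pal, buf + BIH_SIZE, (size_t)n * 4);   /* n unchecked against pal or len */
    return (int)n;
}

/* HARDENED: every count derived from the file is checked against both the
 * stack buffer and the bytes actually present before the copy. */
static int load_palette_hardened(const uint8_t *buf, size_t len) {
    bih_t h; uint32_t pal[MAX_PALETTE];
    if (parse_bih(buf, len, &h) != 0) return -1;
    if (h.biSize != BIH_SIZE) return -1;                          /* only the layout we parse */
    if (h.biBitCount != 1 && h.biBitCount != 4 && h.biBitCount != 8) return -1; /* palette depths only */
    uint32_t n = palette_entries(&h);
    if (n == 0 || n > MAX_PALETTE) return -1;                     /* bounds the stack write */
    if (n > (1u << h.biBitCount)) return -1;                      /* more entries than the depth can index */
    if ((len - BIH_SIZE) / 4 < n) return -1;                      /* bounds the read from the file */
    memcpy(pal, buf + BIH_SIZE, (size_t)n * 4);
    return (int)n;
}

/* Constructed test input: 40-byte header for a 16x16 image plus a zeroed
 * colour table of palette_bytes. Caller must size 'out' accordingly. */
static size_t make_dib(uint8_t *out, uint16_t bitcount, uint32_t clrused, size_t palette_bytes) {
    memset(out, 0, BIH_SIZE + palette_bytes);
    wr32(out, BIH_SIZE);
    wr32(out + 4, 16); wr32(out + 8, 16);
    wr16(out + 12, 1); wr16(out + 14, bitcount);
    wr32(out + 32, clrused);
    return BIH_SIZE + palette_bytes;
}

/* Well-formed 8-bit DIB declaring 2 palette entries with 8 bytes present. */
static int demo_benign(void) {
    uint8_t dib[BIH_SIZE + 8];
    return load_palette_hardened(dib, make_dib(dib, 8, 2, 8));
}
static int demo_vulnerable_on_benign(void) {
    uint8_t dib[BIH_SIZE + 8];
    return load_palette_vulnerable(dib, make_dib(dib, 8, 2, 8));
}
/* Malformed DIB declaring 65536 palette entries but carrying only 8 bytes:
 * the vulnerable loader would smash the stack; the hardened one refuses it. */
static int demo_hostile(void) {
    uint8_t dib[BIH_SIZE + 8];
    return load_palette_hardened(dib, make_dib(dib, 8, 65536, 8));
}

int main(void) {
    printf("benign (hardened): %d entries\n", demo_benign());
    printf("benign (vulnerable): %d entries\n", demo_vulnerable_on_benign());
    printf("hostile (hardened): %d\n", demo_hostile());
    return 0;
}
```

The point of the side-by-side is the order of operations: the hardened loader never lets a length that came from the file reach memcpy until it has been compared with the size of the destination and with the number of bytes that actually arrived, which is exactly the pair of checks the vulnerable version skips.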

This isn't the first time that Microsoft has been hit by security problems processing graphical objects.

A calculation flaw in handling JPEG files led to a remotely exploitable hole in September 2004, a long-forgotten feature-turned-bug in WMF (Windows Metafile) handling forced an out-of-band security fix in January 2006, and in August 2010, bitmap-handling code was the culprit in a kernel vulnerability which allowed unprivileged users to crash Windows computers at will.

Sadly, our increasing insistence that everything we see on the internet be served up in a sea of graphical gewgaws comes with considerable risk: greatly increased code complexity, the unrelenting enemy of computer security.

(Note: Sophos detects and blocks files containing the necessary malformed data to trigger this vulnerability, officially known as CVE-2010-3970, as Mal/CVE3970-A. Additional information is available in Sophos Knowledgebase article 112818.)


5 Responses to Zero-day Windows exploit - Microsoft issues advisory

  1. "Fortunately, the Metasploit exploit code is rather limited, officially targeting only Windows 2000 and Windows XP SP3"

    Really? Odd, since the very article you linked lists:
    Affected Software

    Windows XP Service Pack 3
    Windows XP Professional x64 Edition Service Pack 2
    Windows Server 2003 Service Pack 2
    Windows Server 2003 x64 Edition Service Pack 2
    Windows Server 2003 with SP2 for Itanium-based Systems
    Windows Vista Service Pack 1 and Windows Vista Service Pack 2
    Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
    Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2**
    Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2**
    Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2

    • Paul Ducklin · 1200 days ago

      Not odd - just fortunate :-) Microsoft has listed the potentially vulnerable platforms, which is, thankfully, a superset of those currently exploitable by Metasploit code.

      Perhaps the author of the Metasploit code thought it would be better for the world at large if he didn't reveal how to hit any and every potentially vulnerable system? Sort of "partial responsible disclosure"?

      (Only joking. That's not the Metasploit way. Guess he just didn't figure out how to attack the other potential victim platforms yet - there's a snippet of code for Win2K3 SP2, but it's incomplete and commented out with a note that it's "not clear" how to make things work there.)

      • Paul Ducklin · 1200 days ago

        Doh. Replying to self.

        I see what you mean - no Windows 2000 on the Microsoft list. I think that's deliberate - it's not considered a "platform" any more. In euphemistic modern jargon, it's been end-of-lifed.

        As the Metasploit code observes, in what one hopes is a rhetorical question, "Windows 2000 is a soft target... You're not still using it are you?"

  2. Paul · 1200 days ago

    Use Linux (Ubuntu)

    It's free, safe and secure.

  3. Greg Weldon · 1171 days ago

    Well, I believe Microsoft should label their operating systems with promise numbers instead of release numbers. I stopped using Windoze since they promised to fix Windoze NT 3.51 with Windoze promise number 4. Windows NT 1 & 2 are not even promises as they went straight into the crapper. These promises were more like used toilet paper. They were a little too rough and already full of crap. Did anyone see what happened to Windows promise # 5?

    Microsoft, putting the No in innovation.

    And still the people eat poo because they are told it is good for them!


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog