Zero-day Windows exploit – Microsoft issues advisory

Microsoft has just published an advisory about a remotely-exploitable vulnerability in the Windows graphics rendering engine. A patch isn’t available yet, but with Patch Tuesday just a week away, we can hope that it will be knocked on the head then.

The bug was presented as a sort-of “hacker case study” at a recent hacking convention in Korea, and a working exploit was recently added to the freely-available Metasploit Framework by a developer named jduck.

Fortunately, the Metasploit exploit code is rather limited, officially targeting only Windows 2000 and Windows XP SP3, but it does serve as a documented proof-of-concept for anyone who cares to study it.

According to jduck (no relation to me – his real name is Joshua Drake, geddit?), the vulnerability exists in code which processes a DIB (device-independent bitmap), allowing a “stack-based buffer overflow in the handling of thumbnails within .MIC files and various Office documents.”
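The defect class jduck describes, a copy sized by an untrusted DIB header field landing in a fixed-size stack buffer, is easiest to see from the defender's side: a loader that checks every size-bearing field before it copies anything. The C below is an added example written for this article; it is not Microsoft's code, not the Metasploit module, and does not reproduce the actual bug. It assumes a hypothetical thumbnail loader that reads a 40-byte BITMAPINFOHEADER followed by its colour table; `MAX_THUMB_DIM` is an assumed policy limit, not a figure from the advisory, and `make_test_dib` builds made-up sample data rather than a real .MIC or Office file.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical DIB thumbnail loader (added example; not Microsoft's code and
 * not the Metasploit module). A DIB starts with a 40-byte BITMAPINFOHEADER;
 * indexed formats follow it with a colour table of up to 2^biBitCount 4-byte
 * entries. The defect class behind stack overflows in such code is letting a
 * header field size a copy into a fixed buffer, so every size-bearing field
 * is validated before a single byte is copied. */
#define BIH_SIZE      40u
#define MAX_PALETTE   256u  /* largest legal colour table: 8 bits per pixel */
#define MAX_THUMB_DIM 1024  /* assumed thumbnail policy limit, not from the advisory */
#define BI_RGB        0u

enum dib_err {
    DIB_ERR_SHORT      = -1,  /* buffer too small for header or colour table */
    DIB_ERR_HEADER     = -2,  /* biSize, biPlanes, biBitCount or compression */
    DIB_ERR_DIMENSIONS = -3,  /* width/height zero, negative or oversized    */
    DIB_ERR_PALETTE    = -4   /* biClrUsed exceeds 2^biBitCount              */
};

/* The header is little-endian on disk, so fields are read and written bytewise. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Validates the header and returns the number of colour-table entries that
 * may be read (biClrUsed == 0 means the full table), or a negative dib_err. */
static int dib_palette_entries(const uint8_t *buf, size_t len)
{
    uint32_t size, planes, bits, comp, clr_used, full;
    int32_t width, height;
    if (len < BIH_SIZE)
        return DIB_ERR_SHORT;
    size     = rd32(buf + 0);
    width    = (int32_t)rd32(buf + 4);
    height   = (int32_t)rd32(buf + 8);
    planes   = rd32(buf + 12) & 0xffffu;   /* biPlanes: low 16 bits */
    bits     = rd32(buf + 12) >> 16;       /* biBitCount: high 16 bits */
    comp     = rd32(buf + 16);
    clr_used = rd32(buf + 32);
    if (size != BIH_SIZE || planes != 1 || comp != BI_RGB)
        return DIB_ERR_HEADER;
    if (bits != 1 && bits != 4 && bits != 8 && bits != 24 && bits != 32)
        return DIB_ERR_HEADER;
    /* Negative height denotes a top-down DIB; a thumbnail loader can refuse it. */
    if (width <= 0 || height <= 0 || width > MAX_THUMB_DIM || height > MAX_THUMB_DIM)
        return DIB_ERR_DIMENSIONS;
    if (bits > 8)
        return 0;                   /* true colour: no colour table at all */
    full = 1u << bits;              /* 2, 16 or 256 */
    if (clr_used == 0)
        return (int)full;
    if (clr_used > full)            /* untrusted count: must never size a copy unchecked */
        return DIB_ERR_PALETTE;
    return (int)clr_used;
}

/* Copies the colour table into a MAX_PALETTE-entry array. Returns the number
 * of entries copied or a negative dib_err; nothing is written on failure. */
int load_thumbnail_palette(const uint8_t *buf, size_t len, uint32_t palette[MAX_PALETTE])
{
    int n = dib_palette_entries(buf, len);
    if (n < 0)
        return n;
    /* n <= MAX_PALETTE by construction, so the copy cannot overrun `palette` */
    if (len - BIH_SIZE < (size_t)n * 4u)
        return DIB_ERR_SHORT;
    memcpy(palette, buf + BIH_SIZE, (size_t)n * 4u);
    return n;
}

/* Constructs a header plus `entries` colour-table entries for testing; this is
 * made-up data, not a real file. Returns bytes written, or 0 if cap is too small. */
size_t make_test_dib(uint8_t *out, size_t cap, int32_t w, int32_t h,
                     uint32_t bits, uint32_t clr_used, uint32_t entries)
{
    size_t need = BIH_SIZE + (size_t)entries * 4u;
    uint32_t i;
    if (cap < need)
        return 0;
    memset(out, 0, need);
    wr32(out + 0, BIH_SIZE);
    wr32(out + 4, (uint32_t)w);
    wr32(out + 8, (uint32_t)h);
    wr32(out + 12, 1u | (bits << 16));   /* biPlanes = 1, biBitCount = bits */
    wr32(out + 16, BI_RGB);
    wr32(out + 32, clr_used);
    for (i = 0; i < entries; i++)
        wr32(out + BIH_SIZE + i * 4u, 0x00010101u * i);   /* greyscale ramp */
    return need;
}
```

The point of the design is that the destination array's capacity is a compile-time constant and the count that drives `memcpy` is derived from the bit depth, never taken directly from `biClrUsed`; a header whose colour-table count is inconsistent with its depth, or whose table is shorter than the header claims, is rejected before any copy happens.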

This isn’t the first time that Microsoft has been hit by security problems processing graphical objects.

A calculation flaw in handling JPEG files led to a remotely exploitable hole in September 2004, a long-forgotten feature-turned-bug in WMF (Windows Metafile) handling forced an out-of-band security fix in January 2006, and in August 2010, bitmap-handling code was the culprit in a kernel vulnerability which allowed unprivileged users to crash Windows computers at will.

Sadly, our increasing insistence that everything we see on the internet be served up in a sea of graphical gewgaws comes with considerable risk: greatly increased code complexity, the unrelenting enemy of computer security.

(Note: Sophos detects and blocks files containing the necessary malformed data to trigger this vulnerability, officially known as CVE-2010-3970, as Mal/CVE3970-A. Additional information is available in Sophos Knowledgebase article 112818.)