Microsoft has just published an advisory about a remotely-exploitable vulnerability in the Windows graphics rendering engine. A patch isn’t available yet, but with Patch Tuesday just a week away, we can hope that it will be knocked on the head then.
The bug was presented as a sort-of “hacker case study” at a recent hacking convention in Korea, and a working exploit was recently added to the freely-available Metasploit Framework by a developer named jduck.
Fortunately, the Metasploit exploit code is rather limited, officially targeting only Windows 2000 and Windows XP SP3, but it does serve as a documented proof-of-concept for anyone who cares to study it.
According to jduck (no relation to me – his real name is Joshua Drake, geddit?), the vulnerability exists in code which processes a DIB (device-independent bitmap), allowing a “stack-based buffer overflow in the handling of thumbnails within .MIC files and various Office documents.”
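The page does not say which DIB header field the malformed thumbnails abuse, so the following added example (not from the advisory, the Metasploit module or Sophos) shows the general class of bounds check a thumbnail decoder needs before copying a DIB colour table into a fixed-size buffer: it parses a BITMAPINFOHEADER and rejects headers whose declared palette could not fit the bit depth or the data actually present. The sample headers are constructed here for illustration.

```python
import struct

# BITMAPINFOHEADER (40 bytes), little-endian: biSize, biWidth, biHeight,
# biPlanes, biBitCount, biCompression, biSizeImage, biXPelsPerMeter,
# biYPelsPerMeter, biClrUsed, biClrImportant.
BITMAPINFOHEADER = struct.Struct("<IiiHHIIiiII")
MAX_PALETTE_ENTRIES = 256  # 8 bpp is the deepest indexed format


def check_dib(data: bytes) -> str:
    """Return 'ok' or the reason a DIB must be rejected before decoding.

    A decoder that trusts biClrUsed and copies that many RGBQUADs into a
    fixed-size buffer overflows as soon as the count exceeds the buffer.
    """
    if len(data) < BITMAPINFOHEADER.size:
        return "truncated header"
    (hdr_size, width, height, _planes, bpp, _compression, _image_size,
     _xppm, _yppm, clr_used, _clr_important) = BITMAPINFOHEADER.unpack_from(data)
    if hdr_size != BITMAPINFOHEADER.size:
        return f"unexpected header size {hdr_size}"
    if width <= 0 or height == 0 or width > 1 << 15 or abs(height) > 1 << 15:
        return "implausible dimensions"
    if bpp not in (1, 4, 8, 16, 24, 32):
        return f"unsupported bit depth {bpp}"
    if bpp <= 8:
        # biClrUsed == 0 means "all 2**bpp entries" for indexed modes.
        entries = clr_used or (1 << bpp)
        if entries > (1 << bpp):
            return f"colour table claims {entries} entries (max {1 << bpp})"
    else:
        entries = clr_used  # optional palette for hi-colour modes
        if entries > MAX_PALETTE_ENTRIES:
            return f"oversized optional colour table ({entries} entries)"
    palette_bytes = entries * 4  # one RGBQUAD per entry
    if BITMAPINFOHEADER.size + palette_bytes > len(data):
        return "colour table extends past end of data"
    return "ok"


def make_dib(bpp: int, clr_used: int, entries_present: int) -> bytes:
    """Constructed 16x16 DIB header plus a zeroed colour table (test data)."""
    hdr = BITMAPINFOHEADER.pack(40, 16, 16, 1, bpp, 0, 0, 2835, 2835, clr_used, 0)
    return hdr + b"\x00" * (4 * entries_present)


if __name__ == "__main__":
    print(check_dib(make_dib(8, 16, 16)))          # benign 16-colour image
    print(check_dib(make_dib(8, 0xFFFFFFFF, 0)))   # hostile biClrUsed
    print(check_dib(make_dib(8, 0, 0)))            # header without its palette
```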
This isn’t the first time that Microsoft has been hit by security problems processing graphical objects.
A calculation flaw in handling JPEG files led to a remotely exploitable hole in September 2004, a long-forgotten feature-turned-bug in WMF (Windows Metafile) handling forced an out-of-band security fix in January 2006, and in August 2010, bitmap-handling code was the culprit in a kernel vulnerability which allowed unprivileged users to crash Windows computers at will.
Sadly, our increasing insistence that everything we see on the internet be served up in a sea of graphical gewgaws comes with considerable risk: greatly increased code complexity, the unrelenting enemy of computer security.
(Note: Sophos detects and blocks files containing the necessary malformed data to trigger this vulnerability, officially known as CVE-2010-3970, as Mal/CVE3970-A. Additional information is available in Sophos Knowledgebase article 112818.)
"Fortunately, the Metasploit exploit code is rather limited, officially targeting only Windows 2000 and Windows XP SP3"
Really? Odd, since the very article you linked lists:
Affected Software
Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 1 and Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2**
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2**
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Not odd – just fortunate 🙂 Microsoft has listed the potentially vulnerable platforms, which is, thankfully, a superset of those currently exploitable by Metasploit code.
Perhaps the author of the Metasploit code thought it would be better for the world at large if he didn't reveal how to hit any and every potentially vulnerable system? Sort of "partial responsible disclosure"?
(Only joking. That's not the Metasploit way. Guess he just didn't figure out how to attack the other potential victim platforms yet – there's a snippet of code for Win2K3 SP2, but it's incomplete and commented out with a note that it's "not clear" how to make things work there.)
Doh. Replying to self.
I see what you mean – no Windows 2000 on the Microsoft list. I think that's deliberate – it's not considered a "platform" any more. In euphemistic modern jargon, it's been end-of-lifed.
As the Metasploit code observes, in what one hopes is a rhetorical question, "Windows 2000 is a soft target… You're not still using it are you?"
Use Linux (Ubuntu)
It's free, safe and secure.
Well, I believe Microsoft should label their operating systems with promise numbers instead of release numbers. I stopped using Windoze since they promised to fix Windoze NT 3.51 with Windoze promise number 4. Windows NT 1 & 2 are not even promises as they went straight into the crapper. These promises were more like used toilet paper. They were a little too rough and already full of crap. Did anyone see what happened to Windows promise # 5?
Microsoft, putting the No in innovation.
And still the people eat poo because they are told it is good for them!