Softpedia
 

January 5th, 2011, 10:17 GMT · By

Microsoft Warns of Publicly Disclosed Critical Windows Vulnerability

Microsoft has published a security advisory to warn users about a new zero-day vulnerability in the Windows Graphics Rendering Engine that could allow attackers to execute arbitrary code remotely.

The problem stems from an error in the way the Graphics Rendering Engine processes thumbnail images, which can trigger a stack overflow.

The attack vector is similar to the one for the LNK vulnerability (CVE-2010-2568) exploited by Stuxnet, and requires the victim to open a location containing a malformed thumbnail image.

This can be a local folder, a network share or a remote WebDAV resource. The flaw can also be exploited by opening a specially crafted Web page or a Microsoft Word or PowerPoint document containing the thumbnail.

The vulnerability affects all supported Windows versions except for Windows 7 (32 and 64 bit) and Windows Server 2008 R2 (x64 and Itanium).

Since successful exploitation allows executing code with the permissions of the logged-on user, running on a non-administrative account can limit its impact.

The vulnerability, identified as CVE-2010-3970, was disclosed as a zero-day by security researchers Moti Joseph and Xu Hao at the Power of Community (POC) security conference in mid-December 2010.

Angela Gunn, senior marketing communications manager for Microsoft's Trustworthy Computing Group, noted that there are currently no attacks targeting the vulnerability, which means that for the moment an out-of-band security patch is not being considered.

One workaround described in Microsoft's advisory involves restricting the Access Control List (ACL) for shimgvw.dll, but this will cause some media files to not be displayed properly.
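
A read-only audit for the ACL workaround mentioned above, as an added PowerShell example that is not taken from Microsoft's advisory or from this article. It assumes the workaround appears as an explicit Deny entry for Everyone on the file; the function name and the SysWOW64 path are assumptions of this example.

```powershell
# Added example: report whether shimgvw.dll carries a Deny ACE for Everyone.
# Read-only; it changes nothing on the system.
# Assumption: the workaround is an explicit Deny entry for Everyone (S-1-1-0).
function Get-ShimgvwAclStatus {
    param(
        # SysWOW64 holds the 32-bit copy on 64-bit Windows (assumed path);
        # a path that does not exist is reported as Missing, not as an error.
        [string[]]$Path = @(
            (Join-Path $env:WINDIR 'System32\shimgvw.dll'),
            (Join-Path $env:WINDIR 'SysWOW64\shimgvw.dll')
        )
    )

    # Rights needed to load a DLL; denying either one keeps it from loading.
    $loadRights = [int][System.Security.AccessControl.FileSystemRights]::ReadData -bor
                  [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile

    foreach ($p in $Path) {
        $status = 'NotRestricted'
        $denied = $null
        if (-not (Test-Path -Path $p)) {
            $status = 'Missing'
        } else {
            try {
                $acl = Get-Acl -Path $p -ErrorAction Stop
                # Ask for SIDs so the match does not depend on the localized name of Everyone.
                $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
                foreach ($ace in $rules) {
                    if ($ace.AccessControlType -eq 'Deny' -and
                        $ace.IdentityReference.Value -eq 'S-1-1-0' -and
                        ([int]$ace.FileSystemRights -band $loadRights) -ne 0) {
                        $status = 'Restricted'
                        $denied = $ace.FileSystemRights
                    }
                }
            } catch {
                # A full deny can also stop a non-owner from reading the ACL at all.
                $status = 'Unreadable'
            }
        }
        New-Object PSObject -Property @{ Path = $p; Status = $status; DeniedRights = $denied }
    }
}

Get-ShimgvwAclStatus | Format-Table Path, Status, DeniedRights -AutoSize
```

A status of Unreadable means the ACL could not be read from the current account, so re-run the check from an elevated session before drawing a conclusion.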

A signature matching the exploit for this vulnerability was added to Microsoft's malware database so that its security products, like Forefront or Microsoft Security Essentials, can block it.

It is not certain that a fix will be ready by the next Patch Tuesday, which is less than a week away. The company is already dealing with a zero-day vulnerability confirmed in Internet Explorer and is investigating another one disclosed a few days ago.
