MA-263.012011 : MyCERT Alert - Critical Vulnerability in Microsoft Windows

Date of publication: 2011-01-06

1.0 Introduction

A critical vulnerability has been identified in the Microsoft Windows Graphics Rendering Engine. If successfully exploited, the vulnerability will cause the application to crash and could potentially allow an attacker to take control of the affected system.

The vulnerability exists because of a stack overflow error in the "CreateSizedDIBSECTION()" function within the "shimgvw.dll" module when parsing a malformed thumbnail image. Attackers could exploit it to execute arbitrary code by tricking a user into opening or previewing a malformed Office file, or into browsing to a network share, UNC, or WebDAV location containing a specially crafted thumbnail image.[1]

MyCERT is aware that '0-day' exploits are available in the wild at the time of the publication of this advisory.

2.0 Impact

An attacker who successfully exploits this vulnerability will be able to execute code remotely and gain the same privileges as the user. Unsuccessful attacks may cause denial-of-service (DoS) outcomes.

3.0 Affected Products

The detailed list of vulnerable products and versions is as follows:

- Windows XP Service Pack 3
- Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Vista Service Pack 1 and Windows Vista Service Pack 2
- Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation not affected)
- Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation not affected)
- Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2

4.0 Recommendations

As of the writing of this advisory, Microsoft has not released any security patches for this vulnerability. However, users can use the following steps as a temporary workaround:

- Modify the Access Control List (ACL) on shimgvw.dll
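
One way to apply the ACL workaround above from an elevated Command Prompt, as an added example that is not MyCERT's or Microsoft's own script. It assumes shimgvw.dll sits in %WINDIR%\System32 (plus SysWOW64 on x64 systems), that the group is named Everyone (it differs on localized Windows), and a hypothetical backup file name under %TEMP%.

```bat
@echo off
rem Added example: deny all access to shimgvw.dll as a temporary workaround.
rem Run with the argument "undo" to remove the restriction after patching.
rem Assumptions: elevated prompt, default DLL locations, group named "Everyone".
setlocal
set "MODE=apply"
if /i "%~1"=="undo" set "MODE=undo"
call :%MODE% "%WINDIR%\System32"
if exist "%WINDIR%\SysWOW64\shimgvw.dll" call :%MODE% "%WINDIR%\SysWOW64"
endlocal
goto :eof

:apply
set "DLL=%~1\shimgvw.dll"
set "SAVED=%TEMP%\shimgvw_acl_%~n1.txt"
if not exist "%DLL%" goto :eof
if not exist "%WINDIR%\System32\icacls.exe" goto apply_legacy
rem icacls present: take ownership, keep a copy of the current ACL, then deny.
takeown /f "%DLL%"
icacls "%DLL%" /save "%SAVED%"
icacls "%DLL%" /deny Everyone:(F)
goto :eof

:apply_legacy
rem No icacls (e.g. Windows XP): cacls /E edits the ACL in place, N = no access.
cacls "%DLL%" /E /P Everyone:N
goto :eof

:undo
set "SAVED=%TEMP%\shimgvw_acl_%~n1.txt"
if not exist "%WINDIR%\System32\icacls.exe" goto undo_legacy
rem /restore is given the parent directory; the saved file names the DLL.
icacls "%~1" /restore "%SAVED%"
goto :eof

:undo_legacy
rem /R revokes the Everyone entry that the workaround added.
cacls "%~1\shimgvw.dll" /E /R Everyone
goto :eof
```

After undo on a system with icacls, the file's owner remains the account that ran takeown, so reset ownership separately if your baseline requires the original owner.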

MyCERT would like to advise the users of Microsoft Windows to be vigilant of the latest security announcements by Microsoft and ensure that their operating systems are automatically updated. The article on how to enable the auto update feature in Microsoft is available at the following URL:

Users may also consider using a vulnerability management tool such as Secunia to ensure that all applications are updated:

MyCERT can be reached through the following channels for further assistance:

E-mail : mycert@mycert.org.my
Phone : 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT <EMAIL> <COMPLAINT> to 15888
Business Hours : Mon - Fri 08:30 - 17:30 MYT
Web: http://www.mycert.org.my

5.0 References

i. http://www.vupen.com/english/advisories/2011/0018
ii. http://www.microsoft.com/technet/security/advisory/2490606.mspx
iii. http://support.microsoft.com/kb/2490606
iv. http://www.kb.cert.org/vuls/id/106516