Microsoft have announced a new security vulnerability which is related to the Windows Graphic Rendering Engine. Apparently it can be used by an attacker to run arbitrary code in the context of the logged on user.
Angela Gunn, senior marketing communications manager of Trustworthy computing at Microsoft said “Today we released Security Advisory 2490606, which addresses a publicly disclosed vulnerability affecting Microsoft Windows Graphics Rendering Engine on Vista, Server 2003, and Windows XP. … The vulnerability does not affect Windows 7 or Windows Server 2008 R2, the newest versions of our operating system.”
“To target this vulnerability, an attacker must convince a user to visit a specially crafted malicious Web page, or to open a malicious Word or PowerPoint file, Furthermore, users whose accounts are configured to have fewer user rights on the system would be less affected by an attack than those running with administrative rights. The Advisory includes further mitigations and workarounds to protect our customers.”
HD Moore, the chief security officer at Rapid7 said “The biggest challenge was working around DEP [data execution prevention] and ASLR [addresses space layout randomization], but the current exploit is reliable on XP SP3 and Windows 2000, It should be possible to port this to Windows 7 and embed it in a variety of file types (DOC, PPT, etc.), but the current version has a somewhat limited use case.”
The attacker has to persuade the user to browse a directory containing the file in Thumbnails mode and then the exploit relies on a complex return path using ROP (return-oriented programming), that may not work when a certain multimedia codec is updated.
“Until the exploit is ported to work within OLE containers (DOC/PPT/etc.), I don’t think we will see widespread exploitation for the reasons above.” said HD Moore.
KitGuru says: Microsoft are working on a patch which is scheduled for Jan 11th.