
T-532: Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution

January 11, 2011 - 2:30pm


PROBLEM:

Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.


PLATFORM:

Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008


ABSTRACT:

Microsoft is investigating new public reports of a vulnerability in the Windows Graphics Rendering Engine. An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the logged-on user.

REFERENCE LINKS:

Microsoft Security Advisory (2490606)
CVE-2010-3970
Microsoft Windows Vulnerability
Microsoft Support
Microsoft Security
SecurityTracker Alert ID: 1024932

IMPACT ASSESSMENT:

High

Discussion:

The vulnerability is caused when the Windows Graphics Rendering Engine improperly parses a specially crafted thumbnail image, resulting in a stack overflow.

Affected MS Software:

Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 1 and Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2**
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2**
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2

This is a remote code execution vulnerability. An attacker who successfully exploited it could take complete control of an affected system: install programs; view, change, or delete data; or create new accounts with full user rights. Because the injected code runs in the security context of the logged-on user, a user logged on with administrative rights hands the attacker complete control, while users whose accounts are configured with fewer user rights could be less impacted.

This vulnerability requires that a user view a specially crafted thumbnail image.

In an e-mail attack scenario, an attacker could exploit the vulnerability by sending an e-mail message with an attached Microsoft Word or PowerPoint file containing a specially crafted thumbnail image and convincing the user to open or preview the file.

In a network attack scenario, an attacker could place a specially crafted thumbnail image or a file containing a specially crafted thumbnail image on a network share, such as in a UNC or WebDAV location, and then convince the user to browse to the location in Windows Explorer. When the user navigates to the share, the affected control path is triggered via the Graphics Rendering Engine. The specially crafted thumbnail image could then exploit the vulnerability and execute code in the security context of the logged-on user. An attacker would have no way to force users to visit a network share, UNC, or WebDAV location. Instead, an attacker would have to convince them to visit the share, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes them to the network share, UNC, or WebDAV location.

Solution:

Microsoft Mitigating Factors and Suggested Actions.

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.

The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must open an attachment that is sent in an e-mail message.

An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Windows Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.
Windows Update 
