Microsoft warns of critical unpatched bug for Vista, XP

Zero-day in Windows Graphics Rendering Engine affects XP, Vista, Windows Server 2003

Microsoft today confirmed that a publicly disclosed critical bug affects all of the current but older versions of Windows, and issued workaround advice but not an out-of-band patch. The bug is in the Windows Graphics Rendering Engine in Vista, XP and Windows Server 2003. It does not affect Windows 7 or Windows Server 2008 R2.

Enterprises using these versions of Windows can set up a workaround, which involves modifying the Access Control List (ACL) on shimgvw.dll to be more restrictive. The downside is that media files that rely on the GRE won't run properly.

The Internet Storm Center reports, "The vulnerability is exploited via malicious thumbnail images that may be attached to various documents (e.g. Microsoft Office documents). The most likely exploit vector would use e-mail attachments. However, it is also possible to use network shares."

Although this bug is publicly known, Microsoft said its tests show it's not an e-mail drive-by ... users have to open an attachment with the malware. That's the good news. The bad news is that it can also be exploited when users visit a Website that is hosting an evil graphic.

If that should happen, the hacker could practically own the PC ... as the hole allows a successful exploit to "run arbitrary code in the security context of the logged-on user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," warns Microsoft.

Microsoft says that it has not seen this attack in the wild. However, that doesn't mean much, as the bug has already been fairly well publicized. The ISC reports the hole was disclosed in December 2010 at the "Power of Community" conference and it has already been added to Metasploit. "The conference presentation outlines in some detail how to create a file to exploit this vulnerability. The thumbnail itself is stored in the file as a bitmap. ... The published slides do provide hints on how to exploit this vulnerability including bypassing SafeSEH and DEP."

Microsoft said it is investigating a patch, but did not conclude that the hole required an out-of-band emergency patch.

Copyright © 2011 IDG Communications, Inc.