ssj100 Security Forums

Vulnerability in Graphics Rendering Engine


Post by p2u 5/1/2011, 11:40

Well, here's one of those really nasty vulnerabilities: Microsoft Security Advisory (2490606) - "Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution."

Windows 7 (x32 and x64) are not affected. For now, infection after exploitation doesn't seem to occur automatically; you have to open a file attachment for the exploit to work. Besides being careful, there's nothing you can really do about it, but it's worth looking at the workarounds MS suggests (down the page) + installing an alternative for the images typically handled by the Graphics Rendering Engine (shimgvw.dll). I would also disable thumbnail view system-wide, just in case.

Paul

Post by ssj100 5/1/2011, 11:45

Another reason I use Sandboxie to open newly introduced files. However, it would be nice to get hold of a POC to prove that Sandboxie can contain this. Please PM me if a POC surfaces.

Post by p2u 5/1/2011, 11:48

ssj100 wrote: Another reason I use Sandboxie to open newly introduced files. However, it would be nice to get hold of a POC to prove that Sandboxie can contain this. Please PM me if a POC surfaces.

OK, I'll do that if I get one.
P.S.: I'd rather stop it dead if you ask me. Trouble with image rendering is quite ... hm... risky.

Paul

Post by ssj100 5/1/2011, 11:50

Any similarity to the 2005 wmf exploit?

Post by p2u 5/1/2011, 12:08

ssj100 wrote: Any similarity to the 2005 wmf exploit?

Not sure, but I don't think so. One of the mitigation measures back then was to unregister that same dll like this:
Code:
regsvr32 -u shimgvw.dll
but they don't offer that as a workaround now. Instead they suggest limiting access for the "Everyone" group (see advisory). I have a habit of never undoing mitigation measures. shimgvw.dll has been unregistered since the WMF exploit and I implemented that same workaround again when I bought my Vista laptop. Actually I renamed it after having taken ownership. This means that thumbnail view is disabled system-wide.
P.S.: I also systematically apply all workarounds for OLD vulnerabilities (disabling Server, disabling Web Client, for example). Icons for shortcuts still don't show since the .lnk vulnerability surfaced.

Paul

Post by p2u 5/1/2011, 14:54

Update: To be able to implement the workaround you may have to keep the following in mind:
1) Logging out and back in may be required for the DLL to be freed from memory (or maybe better reboot).
2) For Vista in the third suggested command, I got an error "no identifier - EVERYONE", and I had to replace "EVERYONE" with the Russian "BCE" (means "ALL") like this for the workaround to be successful:

Code:
icacls %WINDIR%\SYSTEM32\SHIMGVW.DLL /deny everyone:(F)
becomes
Code:
icacls %WINDIR%\SYSTEM32\SHIMGVW.DLL /deny BCE:(F)

If your Windows has another language, you may have to do that as well.
3) The image preview utility is effectively disabled by the workaround (you get no error messages or anything). When double-clicking on an image file, nothing happens at all with files that are set to be opened with the in-built viewer.

Paul
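
Added example, not part of the original posts or the Microsoft advisory: point 2 above can be made independent of the Windows display language by passing icacls the well-known SID of the Everyone group (S-1-1-0) instead of its localized name. It assumes an elevated PowerShell prompt and that the account running it already owns the file; the variable names are illustrative.

```powershell
# Added example. Assumptions: elevated prompt, caller already owns the DLL.
$dll = Join-Path $env:WINDIR 'System32\shimgvw.dll'

# S-1-1-0 is the well-known SID of the Everyone group on every language version.
$sid = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

# Resolve the localized account name, for reporting only.
try {
    $localName = $sid.Translate([System.Security.Principal.NTAccount]).Value
    Write-Host "The Everyone group is named '$localName' on this system."
} catch {
    Write-Warning "Could not translate S-1-1-0 to a name: $_"
}

# icacls accepts a numeric SID when it is prefixed with '*',
# so the command below does not depend on the localized group name.
& icacls.exe $dll /deny "*S-1-1-0:(F)"
if ($LASTEXITCODE -ne 0) {
    throw "icacls failed with exit code $LASTEXITCODE (ownership or elevation missing?)"
}

# Verify: the DACL must now hold an explicit Deny / FullControl entry for S-1-1-0.
$acl  = Get-Acl -LiteralPath $dll
$deny = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.IdentityReference.Value -eq 'S-1-1-0' -and
        $_.AccessControlType -eq 'Deny' -and
        $_.FileSystemRights -eq 'FullControl'
    }

if ($deny) {
    Write-Host "Deny ACE for Everyone is in place on $dll"
} else {
    Write-Warning "No Deny/FullControl ACE for S-1-1-0 found on $dll"
}
```

As point 1 of the post notes, a logoff or reboot may still be needed before a copy of the DLL that is already loaded is released.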