Vulnerability in Graphics Rendering Engine
Vulnerability in Graphics Rendering Engine
Well, here's one of those really nasty vulnerabilities: Microsoft Security Advisory (2490606) - "Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution."
Windows7 (x32 and x64) are not affected. For now, infection after exploitation doesn't seem to occur automatically; you have to open a file attachment for the exploit to work. Besides being careful, there's nothing you can really do about it, but it's worth looking at the workarounds MS suggests (down the page) + installing an alternative for the images typically handled by the Graphics Rendering Engine (shimgvw.dll). I would also disable thumbnail view system-wide, just in case.
Paul
p2u- Valued Member
- Posts : 211
Join date : 2010-12-14
Re: Vulnerability in Graphics Rendering Engine
Another reason I use Sandboxie to open newly introduced files. However, it would be nice to get hold of a POC to prove that Sandboxie can contain this. Please PM me if a POC surfaces.
Re: Vulnerability in Graphics Rendering Engine
ssj100 wrote: Another reason I use Sandboxie to open newly introduced files. However, it would be nice to get hold of a POC to prove that Sandboxie can contain this. Please PM me if a POC surfaces.
OK, I'll do that if I get one.
P.S.: I'd rather stop it dead if you ask me. Trouble with image rendering is quite ... hm... risky.
Paul
Re: Vulnerability in Graphics Rendering Engine
ssj100 wrote: Any similarity to the 2005 wmf exploit?
Not sure, but I don't think so. One of the mitigation measures back then was to unregister that same dll like this:
- Code:
regsvr32 -u shimgvw.dll
P.S.: I also systematically apply all workarounds for OLD vulnerabilities (disabling Server, disabling Web Client, for example). Icons for shortcuts still don't show since the .lnk vulnerability surfaced.
Paul
Re: Vulnerability in Graphics Rendering Engine
Update: To be able to implement the workaround you may have to keep the following in mind:
1) Logging out and back in may be required for the DLL to be freed from memory (or maybe better reboot).
2) For Vista in the third suggested command, I got an error "no identifier - EVERYONE", and I had to replace "EVERYONE" with the Russian "BCE" (means "ALL") like this for the workaround to be successful:
- Code:
icacls %WINDIR%\SYSTEM32\SHIMGVW.DLL /deny everyone:(F)
- Code:
icacls %WINDIR%\SYSTEM32\SHIMGVW.DLL /deny BCE:(F)
If your Windows has another language, you may have to do that as well.
3) The image preview utility is effectively disabled by the workaround (you get no error messages or anything). When double-clicking on an image file, nothing happens at all with files that are set to be opened with the in-built viewer.
Paul
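The two practical snags raised in this thread are the localized group name in the icacls command (EVERYONE vs. the Russian equivalent) and the DLL still being mapped by a running process so the deny ACL does not take effect until logoff or reboot. The script below is an added example, not from the thread, Microsoft's advisory or any poster: it applies the same "deny Everyone full control on shimgvw.dll" workaround that Paul's posts show, but identifies Everyone by its well-known SID S-1-1-0 (icacls accepts a SID prefixed with an asterisk, so the command is the same on every Windows language), saves the existing ACL first, checks that the deny entry is really present, lists processes that still have the DLL loaded, and removes the deny entry again once the patch is installed. The function names, the backup file location and the use of PowerShell rather than the cmd one-liners are my choices; everything else is standard icacls and .NET ACL behaviour.

```powershell
# Added example (not from the forum thread or the MS advisory): apply, verify
# and revert the "deny Everyone" ACL workaround on shimgvw.dll in a way that
# does not depend on the Windows display language.
# Assumption: run from an elevated PowerShell prompt; $Backup path is mine.

$Target = Join-Path $env:WINDIR 'System32\shimgvw.dll'
$Backup = Join-Path $env:TEMP   'shimgvw-dacl-backup.txt'

function Backup-ShimgvwAcl {
    # Save the current DACL so it can be restored later with
    # icacls <System32 directory> /restore <file>
    icacls $Target /save $Backup
}

function Apply-ShimgvwWorkaround {
    # *S-1-1-0 is the well-known SID for Everyone. Passing the SID instead of
    # the friendly name avoids the "no identifier - EVERYONE" error seen on
    # non-English Windows, where the group is called something else (BCE etc.).
    icacls $Target /deny '*S-1-1-0:(F)'
}

function Undo-ShimgvwWorkaround {
    # Remove every deny ACE for Everyone again (e.g. once MS11-006 is installed)
    icacls $Target /remove:d '*S-1-1-0'
}

function Test-ShimgvwWorkaround {
    # Verify via the .NET ACL API rather than by matching a localized name in
    # icacls output: translate each ACE's identity to a SID and look for a
    # Deny entry belonging to S-1-1-0.
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $acl = Get-Acl -Path $Target
    $hit = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $everyone
    }
    return [bool]$hit
}

function Get-ShimgvwLoaders {
    # Processes that currently have shimgvw.dll mapped. As the post notes, the
    # deny ACL only stops new loads; an already-loaded copy keeps working until
    # these processes exit (typically a logoff or reboot). Module enumeration
    # can fail with access denied on some processes, hence the try/catch.
    Get-Process -ErrorAction SilentlyContinue | Where-Object {
        try { $_.Modules | Where-Object { $_.ModuleName -ieq 'shimgvw.dll' } }
        catch { $false }
    } | Select-Object Id, ProcessName
}

# Usage (elevated prompt), dot-source the script and then:
#   Backup-ShimgvwAcl
#   Apply-ShimgvwWorkaround
#   Test-ShimgvwWorkaround        # should return True
#   Get-ShimgvwLoaders            # if non-empty, log off or reboot
#   Undo-ShimgvwWorkaround        # after patching
```

The deny check deliberately goes through Get-Acl and SID translation because icacls prints resolved group names, so grepping its output for "Everyone" would fail on exactly the localized systems the thread is about. The older regsvr32 -u approach from the 2005 WMF days can be layered on top, but on its own it only removes the COM registration and does not stop a program that loads the DLL by path, which is why the ACL deny is the stronger of the two.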