Vulnerability in Graphics Rendering Engine
Vulnerability in Graphics Rendering Engine
Well, here's one of those really nasty vulnerabilities: Microsoft Security Advisory (2490606) - "Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution."
Windows 7 (x32 and x64) are not affected. For now, infection after exploitation doesn't seem to occur automatically; you have to open a file attachment for the exploit to work. Besides being careful, there's nothing you can really do about it, but it's worth looking at the workarounds MS suggests (down the page) + installing an alternative for the images typically handled by the Graphics Rendering Engine (shimgvw.dll). I would also disable thumbnail view system-wide, just in case.
Paul
p2u- Valued Member

Re: Vulnerability in Graphics Rendering Engine
Another reason I use Sandboxie to open newly introduced files. However, it would be nice to get hold of a POC to prove that Sandboxie can contain this. Please PM me if a POC surfaces.
_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

ssj100- Administrator

Re: Vulnerability in Graphics Rendering Engine
ssj100 wrote: Another reason I use Sandboxie to open newly introduced files. However, it would be nice to get hold of a POC to prove that Sandboxie can contain this. Please PM me if a POC surfaces.
OK, I'll do that if I get one.
P.S.: I'd rather stop it dead if you ask me. Trouble with image rendering is quite ... hm... risky.
Paul
p2u- Valued Member

Re: Vulnerability in Graphics Rendering Engine
Any similarity to the 2005 wmf exploit?

ssj100- Administrator

Re: Vulnerability in Graphics Rendering Engine
ssj100 wrote: Any similarity to the 2005 wmf exploit?
Not sure, but I don't think so. One of the mitigation measures back then was to unregister that same dll like this:
- Code:
regsvr32 -u shimgvw.dll
but they don't offer that as a workaround now. Instead they suggest limiting access for the "Everyone" group (see advisory). I have a habit of never undoing mitigation measures. shimgvw.dll has been unregistered since the WMF exploit and I implemented that same workaround again when I bought my Vista laptop. Actually I renamed it after having taken ownership. This means that thumbnail view is disabled system-wide.
P.S.: I also systematically apply all workarounds for OLD vulnerabilities (disabling Server, disabling Web Client, for example). Icons for shortcuts still don't show since the .lnk vulnerability surfaced.
Paul
p2u- Valued Member

Re: Vulnerability in Graphics Rendering Engine
Update: To be able to implement the workaround you may have to keep the following in mind:
1) Logging out and back in may be required for the DLL to be freed from memory (or maybe better reboot).
2) For Vista in the third suggested command, I got an error "no identifier - EVERYONE", and I had to replace "EVERYONE" with the Russian "BCE" (means "ALL") like this for the workaround to be successful:
- Code:
icacls %WINDIR%\SYSTEM32\SHIMGVW.DLL /deny everyone:(F)
becomes
- Code:
icacls %WINDIR%\SYSTEM32\SHIMGVW.DLL /deny BCE:(F)
If your Windows has another language, you may have to do that as well.
3) The image preview utility is effectively disabled by the workaround (you get no error messages or anything). When double-clicking on an image file, nothing happens at all with files that are set to be opened with the in-built viewer.
Paul
p2u- Valued Member

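The localization problem Paul ran into with the third advisory command, the log-off/reboot caveat, and the second copy of the DLL on 64-bit Windows can all be handled in one script. What follows is an added example written for this thread; it is not code from the advisory or from any poster. It applies the deny entry by the well-known SID S-1-1-0 instead of the group name (icacls accepts a SID when it is written with a leading asterisk), so the same command works whether the group is called "Everyone", "Jeder" or "Все". The take-ownership / save-ACL / deny sequence follows the advisory workaround as the thread describes it; the backup file names, the SysWOW64 check and the loaded-module check are assumptions made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the advisory or the thread): apply the shimgvw.dll
# ACL workaround by SID so it does not depend on the localized name of "Everyone".
# Backup file names, the SysWOW64 check and the loaded-module check are
# assumptions of this example.

$EveryoneSid = 'S-1-1-0'   # well-known SID for Everyone; identical in every language

# System32 copy; 64-bit Windows also ships a 32-bit copy under SysWOW64.
$Targets = @("$env:WINDIR\System32\shimgvw.dll")
if (Test-Path "$env:WINDIR\SysWOW64\shimgvw.dll") {
    $Targets += "$env:WINDIR\SysWOW64\shimgvw.dll"
}

# What S-1-1-0 is called on this machine ("Everyone", "Jeder", "Все", ...). This is
# the name the advisory's literal "everyone" has to match, which is why it fails
# on a non-English install.
$sid       = New-Object System.Security.Principal.SecurityIdentifier $EveryoneSid
$localName = $sid.Translate([System.Security.Principal.NTAccount]).Value
Write-Host "On this system S-1-1-0 is named '$localName'"

# A deny ACE on disk does not unload a copy that is already mapped into a process
# (explorer.exe for thumbnails, the built-in viewer), hence the advice to log off
# or reboot afterwards. Report who still has it loaded.
$loaded = Get-Process -ErrorAction SilentlyContinue | Where-Object {
    try { $_.Modules.ModuleName -icontains 'shimgvw.dll' } catch { $false }
} | Select-Object -ExpandProperty ProcessName -Unique
if ($loaded) { Write-Warning "shimgvw.dll is still loaded by: $($loaded -join ', ')" }

foreach ($dll in $Targets) {
    # One backup per directory, because icacls /restore is applied to a directory.
    $dirName = Split-Path (Split-Path $dll -Parent) -Leaf
    $backup  = Join-Path $env:TEMP ("SHIMGVW_ACL_{0}.TXT" -f $dirName)

    takeown.exe /f $dll                            # the owner may edit the DACL
    icacls.exe  $dll /save $backup                 # keep the original DACL for rollback
    icacls.exe  $dll /deny "*${EveryoneSid}:(F)"   # "*SID" form: language-independent

    # Verify that a Deny entry for S-1-1-0 is now present on the file.
    $deny = (Get-Acl -Path $dll).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $EveryoneSid
    }
    if ($deny) { Write-Host "OK: Deny ACE for S-1-1-0 on $dll (backup: $backup)" }
    else       { Write-Warning "No Deny ACE for S-1-1-0 found on $dll" }
}
```

Run it from an elevated PowerShell. To revert once the patch is installed, restore the saved DACL with `icacls "$env:WINDIR\System32" /restore "$env:TEMP\SHIMGVW_ACL_System32.TXT"` (and the SysWOW64 file likewise): the /restore form takes the directory, not the file, because the saved entries are relative names. Note that, exactly as the post says, the viewer simply does nothing after the deny is in place; there is no error dialog to tell you the workaround is active.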