Vulnerability in Graphics Rendering Engine

Post by p2u on 5/1/2011, 11:40

Well, here's one of those really nasty vulnerabilities: Microsoft Security Advisory (2490606) - "Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution."

Windows 7 (x32 and x64) is not affected. For now, infection after exploitation doesn't seem to occur automatically; you have to open a file attachment for the exploit to work. Besides being careful, there's nothing you can really do about it, but it's worth looking at the workarounds MS suggests (down the page) + installing an alternative for the images typically handled by the Graphics Rendering Engine (shimgvw.dll). I would also disable thumbnail view system-wide, just in case.

Paul

Re: Vulnerability in Graphics Rendering Engine

Post by ssj100 on 5/1/2011, 11:45

Another reason I use Sandboxie to open newly introduced files. However, it would be nice to get hold of a POC to prove that Sandboxie can contain this. Please PM me if a POC surfaces.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Re: Vulnerability in Graphics Rendering Engine

Post by p2u on 5/1/2011, 11:48

ssj100 wrote: Another reason I use Sandboxie to open newly introduced files. However, it would be nice to get hold of a POC to prove that Sandboxie can contain this. Please PM me if a POC surfaces.
OK, I'll do that if I get one.
P.S.: I'd rather stop it dead if you ask me. Trouble with image rendering is quite ... hm... risky.

Paul

Re: Vulnerability in Graphics Rendering Engine

Post by ssj100 on 5/1/2011, 11:50

Any similarity to the 2005 wmf exploit?

Re: Vulnerability in Graphics Rendering Engine

Post by p2u on 5/1/2011, 12:08

ssj100 wrote: Any similarity to the 2005 wmf exploit?

Not sure, but I don't think so. One of the mitigation measures back then was to unregister that same dll like this:
Code:
regsvr32 -u shimgvw.dll
but they don't offer that as a workaround now. Instead they suggest limiting access for the "Everyone" group (see advisory). I have a habit of never undoing mitigation measures. shimgvw.dll has been unregistered since the WMF exploit and I implemented that same workaround again when I bought my Vista laptop. Actually I renamed it after having taken ownership. This means that thumbnail view is disabled system-wide.
P.S.: I also systematically apply all workarounds for OLD vulnerabilities (disabling Server, disabling Web Client, for example). Icons for shortcuts still don't show since the .lnk vulnerability surfaced.

Paul

Re: Vulnerability in Graphics Rendering Engine

Post by p2u on 5/1/2011, 14:54

Update: To be able to implement the workaround you may have to keep the following in mind:
1) Logging out and back in may be required for the DLL to be freed from memory (or maybe better reboot).
2) For Vista in the third suggested command, I got an error "no identifier - EVERYONE", and I had to replace "EVERYONE" with the Russian "BCE" (means "ALL") like this for the workaround to be successful:

Code:
icacls %WINDIR%\SYSTEM32\SHIMGVW.DLL /deny everyone:(F)
becomes
Code:
icacls %WINDIR%\SYSTEM32\SHIMGVW.DLL /deny BCE:(F)

If your Windows has another language, you may have to do that as well.
3) The image preview utility is effectively disabled by the workaround (you get no error messages or anything). When double-clicking on an image file, nothing happens at all with files that are set to be opened with the in-built viewer.

Paul
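
The localized-group-name problem in point 2 can be avoided by addressing the group by its well-known SID. The PowerShell script below is an added example, not part of the thread or the advisory; it assumes an elevated prompt, that the earlier steps of the advisory workaround have already been carried out, and a backup file name chosen here for illustration.

```powershell
# Added example (not from the thread or the advisory). Run in an elevated prompt.
$dll    = Join-Path $env:WINDIR 'System32\shimgvw.dll'
$backup = Join-Path $env:TEMP 'shimgvw_acl_backup.txt'   # assumed backup location

# S-1-1-0 is the well-known SID of the Everyone group; it is identical on every
# language version of Windows, only the display name is translated.
$everyoneSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$localName   = $everyoneSid.Translate([System.Security.Principal.NTAccount]).Value
Write-Host "Everyone is called '$localName' on this system"

if (-not (Test-Path -Path $dll)) { throw "Not found: $dll" }

# Keep a copy of the current ACL so the change can be reviewed or undone later.
icacls $dll /save $backup | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not save the ACL (icacls exit code $LASTEXITCODE)" }

# icacls accepts a numeric SID when it is prefixed with '*', so no translated
# group name is needed. The quotes stop PowerShell from parsing '(F)'.
icacls $dll /deny "*S-1-1-0:(F)" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not add the deny entry (icacls exit code $LASTEXITCODE)" }

# Read the explicit ACL entries back with SIDs instead of names and confirm
# that a Deny / FullControl entry for S-1-1-0 is now present.
$sidType = [System.Security.Principal.SecurityIdentifier]
$full    = [System.Security.AccessControl.FileSystemRights]::FullControl
$rules   = (Get-Acl -Path $dll).GetAccessRules($true, $false, $sidType)
$deny    = $rules | Where-Object {
    $_.IdentityReference.Value -eq 'S-1-1-0' -and
    $_.AccessControlType -eq 'Deny' -and
    ($_.FileSystemRights -band $full) -eq $full
}
if ($deny) {
    Write-Host "Deny entry for $localName is in place on $dll"
} else {
    throw "Deny entry for S-1-1-0 was not found on $dll"
}
```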
