New Windows Thumbnail Image Zero-Day Attack
According to TheRegister, “Microsoft has confirmed reports that several versions of Windows are vulnerable to exploits that allow remote attackers to take full control of users’ computers using booby-trapped emails and websites.”
Apparently, remote code execution is possible when a specially crafted thumbnail image is viewed. The attack works against Windows XP & Vista, and Server 2003 & 2008. Windows 7 and Server 2008 R2 are immune to the exploit. It works not only against Office documents and e-mails, but also through network shares.
According to the article, the exploit was made public at the South Korean “Power of Community” security conference. The exploit code has already been added to the popular security testing software Metasploit.
According to documentation in the exploit code on Metasploit’s site:
This module exploits a stack-based buffer overflow in the handling of thumbnails within .MIC files and various Office documents. When processing a thumbnail bitmap containing a negative ‘biClrUsed’ value, a stack-based buffer overflow occurs. This leads to arbitrary code execution. In order to trigger the vulnerable code, the folder containing the document must be viewed using the “Thumbnails” view.
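The quoted description comes down to a length field from the file being trusted as a copy count. As an added illustration (not Microsoft's or Metasploit's code), here is a defensive parser that bounds biClrUsed before filling a fixed-size palette. The names load_palette, make_dib and rgbquad_t are hypothetical, and the input is assumed to be a 40-byte BITMAPINFOHEADER followed by its colour table.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HDR_SIZE    40   /* sizeof(BITMAPINFOHEADER) */
#define MAX_PALETTE 256  /* largest colour table: 8 bits per pixel */

typedef struct { uint8_t b, g, r, reserved; } rgbquad_t;

static uint32_t rd32(const uint8_t *p) {   /* little-endian read */
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Copy the colour table that follows the header into a fixed-size array.
 * Returns the number of entries copied, or -1 if the header is rejected. */
int load_palette(const uint8_t *dib, size_t len, rgbquad_t out[MAX_PALETTE]) {
    if (len < HDR_SIZE || rd32(dib) != HDR_SIZE) return -1;
    unsigned bpp = dib[14] | (unsigned)dib[15] << 8;      /* biBitCount */
    uint32_t clr_used = rd32(dib + 32);                   /* biClrUsed, kept unsigned */
    if (bpp == 16 || bpp == 24 || bpp == 32) return 0;    /* palette not loaded here */
    if (bpp != 1 && bpp != 4 && bpp != 8) return -1;
    uint32_t max_entries = 1u << bpp;
    if (clr_used == 0) clr_used = max_entries;            /* 0 means "full table" */
    /* Read as a signed int, 0x80000000..0xFFFFFFFF is negative and would pass a
     * signed "count <= 256" test; the unsigned comparison rejects it. */
    if (clr_used > max_entries) return -1;
    if ((len - HDR_SIZE) / sizeof(rgbquad_t) < clr_used) return -1;  /* truncated */
    memcpy(out, dib + HDR_SIZE, clr_used * sizeof(rgbquad_t));
    return (int)clr_used;
}

/* Constructed sample: header-only DIB in a buffer of HDR_SIZE + 1024 bytes. */
void make_dib(uint8_t *buf, uint8_t bpp, uint32_t clr_used) {
    memset(buf, 0, HDR_SIZE + MAX_PALETTE * sizeof(rgbquad_t));
    buf[0] = HDR_SIZE;  buf[12] = 1;  buf[14] = bpp;     /* biSize, biPlanes, biBitCount */
    for (int i = 0; i < 4; i++) buf[32 + i] = (uint8_t)(clr_used >> (8 * i));
}

int main(void) {
    uint8_t buf[HDR_SIZE + MAX_PALETTE * sizeof(rgbquad_t)];
    rgbquad_t pal[MAX_PALETTE];
    make_dib(buf, 8, 0xFFFFFFFFu);                         /* biClrUsed = -1 */
    printf("biClrUsed=-1 -> %d\n", load_palette(buf, sizeof buf, pal));
    make_dib(buf, 8, 16);
    printf("biClrUsed=16 -> %d\n", load_palette(buf, sizeof buf, pal));
    return 0;
}
```

The same bound check can be used in a file scanner or mail gateway to flag thumbnails whose biClrUsed exceeds what biBitCount allows.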
Microsoft was concerned enough about it to release a warning statement, but has no plans to create an out-of-band security patch for it. We will have to wait until the next standard security update next week, if the fix is even ready by then.
~ by D. Dieterle on January 5, 2011.