Microsoft Windows graphic rendering engine vulnerability on Jan 2011

1. Introduction

MS admitted its Windows' Zero-Day vulnerability(Windows Graphics Rendering Engine) on Jan 4, 2011.
Attacker can command from remote site and can acquire root permission.

* Reference sites http://www.microsoft.com/technet/security/advisory/2490606.mspx
http://nakedsecurity.sophos.com/2011/01/05/zero-day-windows-exploit/
http://www.f-secure.com/weblog/archives/00002081.html

2. Vulnerability details and prevention

Microsoft Security Advisory (2490606)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution

Attacker can execute certain code with Windows Graphics Rendering vulnerability and can see, modify, delete data.

Besides, this vulnerability has been figured out by Moti Joseph and Xu Hao on POC 2010 conference and can occur while modifying thumbnail image.

* Thumbnail image

Thumbnails are reduced-size versions of pictures, used to help in recognizing and organizing them, serving the same role for images as a normal text index does for words. In the age of digital images, visual search engines and image-organizing programs normally use thumbnails, as do most modern operating systems or desktop environments, such as Microsoft Windows, Mac OS X, KDE, and GNOME

[Affected Softwares]
 - Windows XP Service Pack 3
 - Windows XP Professional x64 Edition Service Pack 2
 - Windows Server 2003 Service Pack 2
 - Windows Server 2003 x64 Edition Service Pack 2
 - Windows Server 2003 with SP2 for Itanium-based Systems
 - Windows Vista Service Pack 1 and Windows Vista Service Pack 2
 - Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
 - Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
 - Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
 - Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2

[Unaffected Softwares]
 - Windows 7 for 32-bit Systems
 - Windows 7 for x64-based Systems
 - Windows Server 2008 R2 for x64-based Systems
 - Windows Server 2008 R2 for Itanium-based Systems

[Temporary solution]
Before releasing security patch for this vulnerability, user can avoid damage with modifying command on following file.

Modifying Access Control List(ACL) of shimgvw.dll on CMD will help user to avoid damage.

Windows XP and Windows Server 2003 (32bit):
 - Echo y| cacls %WINDIR%\SYSTEM32\shimgvw.dll /E /P everyone:N

Windows XP and Windows Server 2003 (64bit):
 - Echo y| cacls %WINDIR%\SYSTEM32\shimgvw.dll /E /P everyone:N
 - Echo y| cacls %WINDIR%\SYSWOW64\shimgvw.dll /E /P everyone:N

Windows Vista and Windows Server 2008 (32bit):
 - takeown /f %WINDIR%\SYSTEM32\SHIMGVW.DLL
 - icacls %WINDIR%\SYSTEM32\SHIMGVW.DLL /save %TEMP%\SHIMGVW_ACL.TXT
 - icacls %WINDIR%\SYSTEM32\SHIMGVW.DLL /deny everyone:(F)

Windows Vista and Windows Server 2008 (64bit):
 - takeown /f %WINDIR%\SYSTEM32\SHIMGVW.DLL
 - takeown /f %WINDIR%\SYSWOW64\SHIMGVW.DLL
 - icacls %WINDIR%\SYSTEM32\SHIMGVW.DLL /save %TEMP%\SHIMGVW_ACL32.TXT
 - icacls %WINDIR%\SYSWOW64\SHIMGVW.DLL /save %TEMP%\SHIMGVW_ACL64.TXT
 - icacls %WINDIR%\SYSTEM32\SHIMGVW.DLL /deny everyone:(F)
 - icacls %WINDIR%\SYSWOW64\SHIMGVW.DLL /deny everyone:(F)

However, it can occur error on playing media file.

[Recover process to apply security patch]

For user who already followed the process above, user have to recover before applying official security.

Windows XP and Windows Server 2003 (32bit):
 - cacls %WINDIR%\SYSTEM32\shimgvw.dll /E /R everyone

Windows XP and Windows Server 2003 (64bit):
 - cacls %WINDIR%\SYSTEM32\shimgvw.dll /E /R everyone
 - cacls %WINDIR%\SYSWOW64\shimgvw.dll /E /R everyone

Windows Vista and Windows Server 2008 (32bit):
 - icacls %WINDIR%\SYSTEM32 /restore %TEMP%\SHIMGVW_ACL.TXT

Windows Vista and Windows Server 2008 (64bit):
 - icacls %WINDIR%\SYSTEM32 /restore %TEMP%\SHIMGVW_ACL32.TXT
 - icacls %WINDIR%\SYSWOW64 /restore %TEMP%\SHIMGVW_ACL64.TXT

[Microsoft Fix it]

MS distributes "Fixit" on following URL.

- Download Fixit
- http://support.microsoft.com/kb/2490606

To use PC safely from security threats of this vulnerability, we recommend following "Security management tips" for general users.

Security management tips

1. Maintain the latest security update on OS and applications
2. Use anti-virus SW from believable security company and keep updating the latest engine and using real time detecting function
3. Do not see and download attached file from suspicious e-mail.
4. Keep caution to link from instant messenger and SNS.
5. Execute downloaded file after scan with anti-virus SW.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment function with nProtect Anti-Virus/Spyware for detecting such as malicious file stated above and runs responding system against various security threats.