Microsoft warns of thumbnail hole in Windows
In a security advisory, Microsoft warns of a new, previously unknown security hole in Windows which can be exploited to inject and execute arbitrary code. Sample code that demonstrates how to exploit the hole is already in circulation.
In December, Moti and Xu Hao gave a presentation entitled "A Story about How Hackers' Heart Broken by 0-day" at the "Power of Community" security conference. Their presentation documents are available on the internet and describe a security hole in Windows that is connected to the display of thumbnails and can reportedly be exploited locally via Explorer as well as remotely via WebDAV. Displaying a file with a specially crafted thumbnail is all that's required for a successful attack. The vulnerability is exploited by setting a negative number of colour indexes in the colour table (biClrUsed).
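The following check is an added example, not code from Microsoft or from the presentation: it shows how a bitmap parser can validate biClrUsed before reading the colour table. It assumes the standard 40-byte BITMAPINFOHEADER layout; the function names and the cap of 256 entries for non-indexed formats are choices made for this example.

```c
#include <stdint.h>
#include <stdio.h>

enum dib_status { DIB_OK, DIB_TRUNCATED, DIB_BAD_HEADER, DIB_BAD_CLRUSED };

/* Little-endian read from an untrusted buffer. */
static uint32_t rd32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Validate the colour-table size declared by a 40-byte BITMAPINFOHEADER.
 * On DIB_OK, *entries holds the number of 4-byte palette entries to read. */
enum dib_status dib_check_palette(const uint8_t *buf, size_t len, uint32_t *entries) {
    if (len < 40) return DIB_TRUNCATED;
    uint32_t bi_size = rd32(buf);                 /* offset 0:  biSize */
    uint32_t bit_count = buf[14] | buf[15] << 8;  /* offset 14: biBitCount */
    uint32_t clr_used = rd32(buf + 32);           /* offset 32: biClrUsed */
    if (bi_size < 40 || bi_size > len) return DIB_BAD_HEADER;
    if (bit_count != 1 && bit_count != 4 && bit_count != 8 &&
        bit_count != 16 && bit_count != 24 && bit_count != 32) return DIB_BAD_HEADER;
    /* Indexed formats can use at most 2^bpp entries. The cap of 256 for
     * 16/24/32 bpp is this example's policy, not a format rule. */
    uint32_t max_entries = bit_count <= 8 ? 1u << bit_count : 256u;
    /* Unsigned compare: 0xFFFFFFFF, which is -1 when read as a signed
     * int, is rejected here rather than treated as a small count. */
    if (clr_used > max_entries) return DIB_BAD_CLRUSED;
    if (clr_used == 0 && bit_count <= 8) clr_used = max_entries; /* 0 = full palette */
    if ((size_t)clr_used * 4 > len - bi_size) return DIB_TRUNCATED;
    *entries = clr_used;
    return DIB_OK;
}

/* Constructed sample: an 8 bpp header plus room for a 256-entry palette. */
enum dib_status check_sample(uint32_t clr_used, uint32_t *entries) {
    uint8_t buf[40 + 256 * 4] = {0};
    buf[0] = 40;   /* biSize */
    buf[12] = 1;   /* biPlanes */
    buf[14] = 8;   /* biBitCount */
    for (int i = 0; i < 4; i++) buf[32 + i] = (uint8_t)(clr_used >> (8 * i));
    return dib_check_palette(buf, sizeof buf, entries);
}

int main(void) {
    uint32_t n = 0;
    printf("biClrUsed=16         -> status %d\n", check_sample(16, &n));
    printf("biClrUsed=0xFFFFFFFF -> status %d\n", check_sample(0xFFFFFFFFu, &n));
    return 0;
}
```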
According to Microsoft's security advisory, all versions of Windows except Windows 7 and Server 2008 R2 are vulnerable. Microsoft says that it is currently not aware of any attacks which try to exploit the reported vulnerability. However, this could soon change, as a Metasploit module for creating suitable malicious files was released almost simultaneously with Microsoft's advisory.
As a protective workaround until a patch becomes available, Microsoft has so far only released instructions on how to adjust the access rights to the shimgvw.dll library in such a way that thumbnails are no longer displayed – including those of harmless files. The advisory doesn't mention when an update to close the hole will be released. Microsoft's to-patch list already contains another critical hole in Internet Explorer disclosed just before Christmas.