January 5, 2011

New year, new exploits: 0-day found in Microsoft Graphical Rendering Engine

Tamas Rudnai

A new, potentially critical vulnerability in Microsoft Windows has come to our attention at Websense Security Labs. A specially-crafted Microsoft Office document can cause the GRE (Graphical Rendering Engine) to crash simply by opening a folder containing the file with Windows Explorer, or clicking on a Word or PowerPoint document email attachment. A compromised Web site can contain a link to an online WebDAV folder holding a malicious document which then opens automatically with Explorer when user clicks on the link.

The bug can be exploited by the attacker who can run arbitrary code on the user's computer. This code can then potentially download or drop files, and open the computer for malicious activities


Quick analysis shows that the problem lies in the CreateSizedDIBSECTION() function where an unhandled parameter of the thumbnail causes the crash. When the vulnerable document puts a negative number on the biClrUsed field, a stack-based buffer overrun occurs. 

The vulnerability was revealed in a security conference in Korea. In the presentation, the vulnerability was demonstrated and the audience could see a proof of concept code that exploits the bug. Unfortunately the POC code is already published on the underground Web sites, therefore here at Websense Security Labs we are expecting to see it in the wild.

Websense Security Labs is closely monitoring the issue and will provide updates to this blog as we find more informatuion.


Further information:

Microsoft Security Advisory


About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.