No Patches For Internet Explorer Vulnerabilities This Month - gHacks Tech News

No Patches For Internet Explorer Vulnerabilities This Month

Microsoft will be releasing two security bulletins on this January's patch day leaving two security vulnerabilities affecting Internet Explorer and one issue affecting the Windows graphics rendering engine unaddressed.

The first vulnerability affects Internet Explorer 6 to Internet Explorer 8 on all versions of the Windows operating system starting with Windows XP and ending at Windows 7 and Windows Server 2008 R2. Carlene Chmaj confirms that Microsoft has "started to see targeted attacks" and that customers should check the mitigating factors outlined in the security advisory.

The mitigating factors however describe that it is possible to reduce the impact of a successful exploit on the system but that it is not possible to block exploits completely which means that Internet Explorer users, with the exception of Internet Explorer 9 users, are vulnerable to this attack whenever they use the browser on the Internet. The Internet Explorer user needs to visit a specifically crafted web page to trigger the vulnerability which means that it is recommended to stay away from untrustworthy websites.

The second vulnerability that Chmaj mentioned in the announcement affects the graphics rendering engine which could allow remote code execution as well. The issue affects only some Microsoft operating systems, namely Windows XP, Windows Vista and their server variants Windows Server 2003 and Windows Server 2008. The latest operating systems Windows 7 and Windows Server 2008 R2 are not affected.

Microsoft at this time is not aware of attacks exploiting the vulnerability. The issue can only be exploited on a specifically prepared website or with email attachments that need to be opened by the user. A workaround was posted on the security advisory page that requires an administrator to issue commands on the command line (a Fix It solution is also available)

Modify the Access Control List (ACL) on shimgvw.dll

Note See Microsoft Knowledge Base Article 2490606 to use the automated Microsoft Fix it solution to enable or disable this workaround.

To modify the ACL on shimgvw.dll to be more restrictive, run the following commands from a command prompt as an administrator:

For 32-bit editions of Windows XP and Windows Server 2003:

Echo y| cacls %WINDIR%\SYSTEM32\shimgvw.dll /E /P everyone:N

For 64-bit editions of Windows XP and Windows Server 2003:

Echo y| cacls %WINDIR%\SYSTEM32\shimgvw.dll /E /P everyone:N
Echo y| cacls %WINDIR%\SYSWOW64\shimgvw.dll /E /P everyone:N

For 32-bit editions of Windows Vista and Windows Server 2008:

takeown /f %WINDIR%\SYSTEM32\SHIMGVW.DLL
icacls %WINDIR%\SYSTEM32\SHIMGVW.DLL /save %TEMP%\SHIMGVW_ACL.TXT
icacls %WINDIR%\SYSTEM32\SHIMGVW.DLL /deny everyone:(F)

For 64-bit editions of Windows Vista and Windows Server 2008:

takeown /f %WINDIR%\SYSTEM32\SHIMGVW.DLL
takeown /f %WINDIR%\SYSWOW64\SHIMGVW.DLL
icacls %WINDIR%\SYSTEM32\SHIMGVW.DLL /save %TEMP%\SHIMGVW_ACL32.TXT
icacls %WINDIR%\SYSWOW64\SHIMGVW.DLL /save %TEMP%\SHIMGVW_ACL64.TXT
icacls %WINDIR%\SYSTEM32\SHIMGVW.DLL /deny everyone:(F)
icacls %WINDIR%\SYSWOW64\SHIMGVW.DLL /deny everyone:(F)

Impact of Workaround: Media files typically handled by the Graphics Rendering Engine will not be displayed properly.

How to undo the workaround:

Run the following commands from a command prompt as an administrator:

For 32-bit editions of Windows XP and Windows Server 2003:

cacls %WINDIR%\SYSTEM32\shimgvw.dll /E /R everyone

For 64-bit editions of Windows XP and Windows Server 2003:
cacls %WINDIR%\SYSTEM32\shimgvw.dll /E /R everyone
cacls %WINDIR%\SYSWOW64\shimgvw.dll /E /R everyone

For 32-bit editions of Windows Vista and Windows Server 2008:

icacls %WINDIR%\SYSTEM32 /restore %TEMP%\SHIMGVW_ACL.TXT

For 64-bit editions of Windows Vista and Windows Server 2008:

icacls %WINDIR%\SYSTEM32 /restore %TEMP%\SHIMGVW_ACL32.TXT
icacls %WINDIR%\SYSWOW64 /restore %TEMP%\SHIMGVW_ACL64.TXT

The last vulnerability, or set of, was discovered by Michal Zalewski. Browser vendors were contacted in July 2010 and as of now all have not completely managed to resolve the issues reported to them.

Advertisement

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:


Previous Post: «
Next Post: »

Comments

    Leave a Reply

    Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

    Please note that your comment may not appear immediately after you post it.