No Patches For Internet Explorer Vulnerabilities This Month

Martin Brinkmann
Jan 7, 2011
Updated • Apr 22, 2012
Internet Explorer, Security, Windows
|
1

Microsoft will be releasing two security bulletins on this January's patch day leaving two security vulnerabilities affecting Internet Explorer and one issue affecting the Windows graphics rendering engine unaddressed.

The first vulnerability affects Internet Explorer 6 to Internet Explorer 8 on all versions of the Windows operating system starting with Windows XP and ending at Windows 7 and Windows Server 2008 R2. Carlene Chmaj confirms that Microsoft has "started to see targeted attacks" and that customers should check the mitigating factors outlined in the security advisory.

The mitigating factors however describe that it is possible to reduce the impact of a successful exploit on the system but that it is not possible to block exploits completely which means that Internet Explorer users, with the exception of Internet Explorer 9 users, are vulnerable to this attack whenever they use the browser on the Internet. The Internet Explorer user needs to visit a specifically crafted web page to trigger the vulnerability which means that it is recommended to stay away from untrustworthy websites.

The second vulnerability that Chmaj mentioned in the announcement affects the graphics rendering engine which could allow remote code execution as well. The issue affects only some Microsoft operating systems, namely Windows XP, Windows Vista and their server variants Windows Server 2003 and Windows Server 2008. The latest operating systems Windows 7 and Windows Server 2008 R2 are not affected.

Microsoft at this time is not aware of attacks exploiting the vulnerability. The issue can only be exploited on a specifically prepared website or with email attachments that need to be opened by the user. A workaround was posted on the security advisory page that requires an administrator to issue commands on the command line (a Fix It solution is also available)

Modify the Access Control List (ACL) on shimgvw.dll

Note See Microsoft Knowledge Base Article 2490606 to use the automated Microsoft Fix it solution to enable or disable this workaround.

To modify the ACL on shimgvw.dll to be more restrictive, run the following commands from a command prompt as an administrator:

For 32-bit editions of Windows XP and Windows Server 2003:

Echo y| cacls %WINDIR%\SYSTEM32\shimgvw.dll /E /P everyone:N

For 64-bit editions of Windows XP and Windows Server 2003:

Echo y| cacls %WINDIR%\SYSTEM32\shimgvw.dll /E /P everyone:N
Echo y| cacls %WINDIR%\SYSWOW64\shimgvw.dll /E /P everyone:N

For 32-bit editions of Windows Vista and Windows Server 2008:

takeown /f %WINDIR%\SYSTEM32\SHIMGVW.DLL
icacls %WINDIR%\SYSTEM32\SHIMGVW.DLL /save %TEMP%\SHIMGVW_ACL.TXT
icacls %WINDIR%\SYSTEM32\SHIMGVW.DLL /deny everyone:(F)

For 64-bit editions of Windows Vista and Windows Server 2008:

takeown /f %WINDIR%\SYSTEM32\SHIMGVW.DLL
takeown /f %WINDIR%\SYSWOW64\SHIMGVW.DLL
icacls %WINDIR%\SYSTEM32\SHIMGVW.DLL /save %TEMP%\SHIMGVW_ACL32.TXT
icacls %WINDIR%\SYSWOW64\SHIMGVW.DLL /save %TEMP%\SHIMGVW_ACL64.TXT
icacls %WINDIR%\SYSTEM32\SHIMGVW.DLL /deny everyone:(F)
icacls %WINDIR%\SYSWOW64\SHIMGVW.DLL /deny everyone:(F)

Impact of Workaround: Media files typically handled by the Graphics Rendering Engine will not be displayed properly.

How to undo the workaround:

Run the following commands from a command prompt as an administrator:

For 32-bit editions of Windows XP and Windows Server 2003:

cacls %WINDIR%\SYSTEM32\shimgvw.dll /E /R everyone

For 64-bit editions of Windows XP and Windows Server 2003:
cacls %WINDIR%\SYSTEM32\shimgvw.dll /E /R everyone
cacls %WINDIR%\SYSWOW64\shimgvw.dll /E /R everyone

For 32-bit editions of Windows Vista and Windows Server 2008:

icacls %WINDIR%\SYSTEM32 /restore %TEMP%\SHIMGVW_ACL.TXT

For 64-bit editions of Windows Vista and Windows Server 2008:

icacls %WINDIR%\SYSTEM32 /restore %TEMP%\SHIMGVW_ACL32.TXT
icacls %WINDIR%\SYSWOW64 /restore %TEMP%\SHIMGVW_ACL64.TXT

The last vulnerability, or set of, was discovered by Michal Zalewski. Browser vendors were contacted in July 2010 and as of now all have not completely managed to resolve the issues reported to them.

Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.