Vulnerability Note VU#106516
Microsoft Windows graphics engine thumbnail stack buffer overflow
Microsoft Windows contains a stack-based buffer overflow vulnerability in the graphics rendering engine, which may allow an attacker to execute arbitrary code.
Microsoft Windows contains a stack-based buffer overflow vulnerability caused by a signedness error in the "CreateSizedDIBSECTION()" function within the shimgvw.dll library when parsing thumbnail bitmaps containing a negative "biClrUsed" value.
Exploit code for this vulnerability is publicly available.
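The signedness error class described above, as an added illustration that is not Microsoft's code and not taken from shimgvw.dll: a signed upper-bound check accepts a negative "biClrUsed", while an unsigned check tied to the bit depth rejects it. The 256-entry palette capacity and all function names are assumptions made for this example, and the header bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BIH_SIZE    40   /* on-disk size of BITMAPINFOHEADER */
#define MAX_PALETTE 256  /* assumed capacity of a fixed-size palette buffer */

static uint32_t rd32(const uint8_t *p) {   /* little-endian 32-bit read */
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Constructed sample header: only biSize, biBitCount and biClrUsed are set. */
static void make_header(uint8_t h[BIH_SIZE], uint16_t bits, uint32_t clr_used) {
    memset(h, 0, BIH_SIZE);
    h[0] = BIH_SIZE;                                      /* biSize, offset 0 */
    h[14] = (uint8_t)bits; h[15] = (uint8_t)(bits >> 8);  /* biBitCount, offset 14 */
    for (int i = 0; i < 4; i++)                           /* biClrUsed, offset 32 */
        h[32 + i] = (uint8_t)(clr_used >> (8 * i));
}

/* Flawed pattern: signed upper-bound check only, so negative values pass.
   Returns 1 if the header would be accepted. */
int flawed_accepts(uint32_t raw_clr_used) {
    uint8_t h[BIH_SIZE];
    make_header(h, 8, raw_clr_used);
    int32_t clr_used = (int32_t)rd32(h + 32);
    return clr_used <= MAX_PALETTE;
}

/* Hardened: unsigned compare against a limit derived from the bit depth.
   Returns the palette entry count to copy, or -1 to reject the header. */
int checked_palette_entries(uint16_t bits, uint32_t raw_clr_used) {
    uint8_t h[BIH_SIZE];
    make_header(h, bits, raw_clr_used);
    if (rd32(h) < BIH_SIZE) return -1;
    uint16_t bpp = (uint16_t)(h[14] | h[15] << 8);
    uint32_t clr_used = rd32(h + 32);
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32) return -1;
    uint32_t limit = bpp <= 8 ? 1u << bpp : MAX_PALETTE;
    if (clr_used > limit) return -1;                   /* 0x80000000 is rejected here */
    if (clr_used == 0 && bpp <= 8) return (int)limit;  /* 0 means the full palette */
    return (int)clr_used;
}

int main(void) {
    printf("flawed accepts 0x80000000: %d\n", flawed_accepts(0x80000000u));
    printf("hardened result:           %d\n", checked_palette_entries(8, 0x80000000u));
    return 0;
}
```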
By convincing a user to view a specially crafted file containing a malicious thumbnail bitmap value, an attacker may be able to execute arbitrary code with the privileges of the user.
Apply an update
Modify the Access Control List (ACL) on shimgvw.dll
Vendor Information
Windows 7 and Windows Server 2008 R2 are not affected by this vulnerability.
|Vendor|Status|Date Notified|Date Updated|
|---|---|---|---|
|Microsoft Corporation|Affected|-|08 Feb 2011|
This document was written by Michael Orlando.
- CVE IDs: CVE-2010-3970
- Date Public: 04 Jan 2011
- Date First Published: 05 Jan 2011
- Date Last Updated: 08 Feb 2011
- Severity Metric: 57.32
- Document Revision: 16