Article

Microsoft investigates new Windows zero-day flaw

SearchSecurity.com Staff

Microsoft is investigating reports of a new zero-day flaw in Windows attackers could exploit to access extra user privileges and launch malicious code.

Bill Sisk, security response communications manager for Microsoft, said in an email Thursday evening that the flaw allows for privilege escalation from authenticated user to LocalSystem in Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The software giant issued

    Requires Free Membership to View

Security Advisory (951306) to offer affected customers some steps to mitigate the threat.

"Currently, Microsoft is not aware of any attacks attempting to exploit the potential vulnerability," the advisory said. "Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs."

Sisk's message follows alerts from such security vendors as McAfee, which warned of a potential ActiveX-based zero-day in the McAfee Avert Labs blog.

"A Microsoft Works ActiveX potential zero-day has been disclosed on a handful of Chinese blog sites," McAfee researcher Kevin Beets wrote in the blog. "This threat was originally posted as a proof of concept that caused a Windows host to crash, but very soon after, a working exploit was posted."

The flaw lies in an ActiveX component of Microsoft Works Image Server (WkImgSrv.dll) and successful exploitation could allow for code execution via a controlled pointer, Beets said. For this to occur, however, the victim would need to visit a malicious website.


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: