Microsoft is investigating reports of a new zero-day flaw in Windows attackers could exploit to access extra user privileges and launch malicious code.
Bill Sisk, security response communications manager for Microsoft, said in an email Thursday evening that the flaw allows for privilege escalation from authenticated user to LocalSystem in Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The software giant issued Security Advisory (951306) to offer affected customers some steps to mitigate the threat.
"Currently, Microsoft is not aware of any attacks attempting to exploit the potential vulnerability," the advisory said. "Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs."
Sisk's message follows alerts from such security vendors as McAfee, which warned of a potential ActiveX-based zero-day in the McAfee Avert Labs blog.
"A Microsoft Works ActiveX potential zero-day has been disclosed on a handful of Chinese blog sites," McAfee researcher Kevin Beets wrote in the blog. "This threat was originally posted as a proof of concept that caused a Windows host to crash, but very soon after, a working exploit was posted."
The flaw lies in an ActiveX component of Microsoft Works Image Server (WkImgSrv.dll) and successful exploitation could allow for code execution via a controlled pointer, Beets said. For this to occur, however, the victim would need to visit a malicious website.