Microsoft issues advisory on new Windows Graphics Rendering zero-day

Microsoft said a publicly disclosed vulnerability affects the Windows Graphics Rendering Engine in Vista, Windows Server 2003 and Windows XP.

Microsoft has issued a security advisory warning of a publicly disclosed vulnerability in its Windows Graphics Rendering Engine, which could be used in drive-by attacks.

The flaw affects users of Windows XP, Windows Server 2003 and 2008 and Windows Vista.

Microsoft said it has not detected any attempts by attackers to target the vulnerability. The flaw could be exploited in drive-by attacks or by tricking a user to open a malicious Word or PowerPoint file, Microsoft said. If the remote code execution vulnerability is successfully exploited, an attacker could gain complete control of a victim's computer, install additional malware and steal data, Microsoft said.

The flaw is in the way Windows accesses an object to run an application. A malicious thumbnail image can cause the Graphics Rendering Engine to fail.

Microsoft engineers are working on a patch to address this vulnerability. The software giant said the vulnerability "does not meet the criteria for an out-of-band release." The flaw does not affect Windows 7 or Windows Server 2008 R2.

As a workaround, Microsoft said affected users can modify the access control list to restrict the Windows Picture and Fax Viewer from displaying files. As a result, the workaround will fail to display any media files it typically handles.

The vulnerability was first highlighted in a presentation by security researchers Moti Joseph and Xu Hao at the Power of Community security conference in Korea. The maintainers of the Metasploit Framework created a module for the zero-day flaw Tuesday.

Last month, Microsoft repaired seven vulnerabilities in Microsoft Office, including a flaw affecting Microsoft Office Graphics Filters that could be exploited by tricking a user to open a malicious image file. The flaws only affected users of Microsoft Works, Microsoft Office Converter Pack, Microsoft Office XP and Microsoft Office 2003.

~Robert Westervelt

Dig deeper on Windows Security: Alerts, Updates and Best Practices

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close