Microsoft has issued a security advisory warning of a publicly disclosed vulnerability in its Windows Graphics Rendering Engine, which could be used in drive-by attacks.
The flaw affects users of Windows XP,
Microsoft said it has not detected any attempts by attackers to target the vulnerability. The flaw could be exploited in drive-by attacks or by tricking a user into opening a malicious Word or PowerPoint file, Microsoft said. If the remote code execution vulnerability is successfully exploited, an attacker could gain complete control of a victim's computer, install additional malware and steal data, the company said.
The flaw is in the way Windows accesses an object to run an application. A malicious thumbnail image can cause the Graphics Rendering Engine to fail.
Microsoft engineers are working on a patch to address this vulnerability. The software giant said the vulnerability "does not meet the criteria for an out-of-band release." The flaw does not affect Windows 7 or Windows Server 2008 R2.
As a workaround, Microsoft said affected users can modify the access control list to restrict the Windows Picture and Fax Viewer from displaying files. With the workaround in place, the viewer will fail to display any media files it typically handles.
The vulnerability was first highlighted in a presentation by security researchers Moti Joseph and Xu Hao at the Power of Community security conference in Korea. The maintainers of the Metasploit Framework created a module for the zero-day flaw Tuesday.
Last month, Microsoft repaired seven vulnerabilities in Microsoft Office, including a flaw affecting Microsoft Office Graphics Filters that could be exploited by tricking a user into opening a malicious image file. The flaws only affected users of Microsoft Works, Microsoft Office Converter Pack, Microsoft Office XP and Microsoft Office 2003.