Microsoft issues advisory on new Windows Graphics Rendering zero-day

Robert Westervelt

Microsoft has issued a security advisory warning of a publicly disclosed vulnerability in its Windows Graphics Rendering Engine, which could be used in drive-by attacks.

The flaw affects users of Windows XP, Windows Server 2003 and 2008 and Windows Vista.

Microsoft said it has not detected any attempts by attackers to target the vulnerability. The flaw could be exploited in drive-by attacks or by tricking a user into opening a malicious Word or PowerPoint file, Microsoft said. If the remote code execution vulnerability is successfully exploited, an attacker could gain complete control of a victim's computer, install additional malware and steal data, Microsoft said.

The flaw is in the way Windows accesses an object to run an application. A malicious thumbnail image can cause the Graphics Rendering Engine to fail.

Microsoft engineers are working on a patch to address this vulnerability. The software giant said the vulnerability "does not meet the criteria for an out-of-band release." The flaw does not affect Windows 7 or Windows Server 2008 R2.

As a workaround, Microsoft said affected users can modify the access control list to restrict the Windows Picture and Fax Viewer from displaying files. As a result, the viewer will no longer display any of the media files it typically handles.

The vulnerability was first highlighted in a presentation by security researchers Moti Joseph and Xu Hao at the Power of Community security conference in Korea. The maintainers of the Metasploit Framework created a module for the zero-day flaw Tuesday.

Last month, Microsoft repaired seven vulnerabilities in Microsoft Office, including a flaw affecting Microsoft Office Graphics Filters that could be exploited by tricking a user into opening a malicious image file. The flaws affected only users of Microsoft Works, Microsoft Office Converter Pack, Microsoft Office XP and Microsoft Office 2003.