Stephen Withers
Wednesday, 05 January 2011 13:01
Microsoft has warned its customers of a vulnerability in Windows' graphics rendering engine. No patch is available yet, but the company is unaware of any attacks using the vulnerability.
A newly discovered flaw in the Windows Graphics Rendering Engine could allow an attacker to run arbitrary code, Microsoft has warned.
The flaw is not present in Windows 7 or Windows Server 2008 R2, but XP, Vista, Server 2003 and the original Server 2008 (excluding Server Core installations) are affected.
The problem is that a maliciously formed thumbnail image can cause a stack overflow. According to Microsoft, it could be exploited by attaching a Word or PowerPoint file containing such an image to an email message, or by placing a thumbnail or a file containing such an image in a shared network location.
Microsoft's security advisory explains a change that can be made to mitigate the issue, but it means media files typically handled by the Graphics Rendering Engine will not be displayed properly.
Angela Gunn, senior marketing communications manager in Microsoft's Trustworthy Computing group, said "we are working to develop a security update to address this vulnerability. The circumstances around the issue do not currently meet the criteria for an out-of-band release".
Details have been shared with Microsoft's partners, so various security packages should be updated by their developers to protect against the issue until Microsoft releases a patch. Given the timing, it seems unlikely that the fix will be ready for January's Patch Tuesday.
According to Jerry Bryant, group manager, response communications, "Microsoft is not aware of any affected customers or active attacks targeting this vulnerability."