Microsoft Warns Of Windows Graphics Vulnerability

Disclosed last month, a flaw in the Windows Graphics Rendering Engine could be used to execute malicious code.
Microsoft on Tuesday issued a security advisory about a publicly reported vulnerability in the Windows Graphics Rendering Engine, warning that the successful exploitation of this vulnerability could allow the execution of arbitrary code under the permissions granted by the victim's account.

The company said that it's not aware of attacks leveraging this vulnerability. Affected systems include Vista, Server 2003, and Windows XP, but not Windows 7 or Windows Server 2008 R2.

SANS Internet Storm Center handler and security researcher Johannes Ullrich observes that the vulnerability could be exploited through malicious thumbnail images attached to Office documents and sent via e-mail or over a network. He says there's no patch available, but there are steps that can be taken to mitigate the risk by preventing the rendering of thumbnail images.

The vulnerability was disclosed last month by security researchers Moti Joseph and Xu Hao at the Power of Community conference.

Angela Gunn, senior marketing communications manager with Microsoft's Trustworthy Computing group, says that Microsoft is working to address the vulnerability and that it's not serious enough to warrant an out-of-band patch. Microsoft's next scheduled set of security patches is due Tuesday, January 11.

Microsoft is also facing a zero-day Internet Explorer vulnerability. Google security researcher Michal Zalewski notified Microsoft about the flaw in July, though his account of the notification process differs somewhat from Microsoft's.

On January 1, 2011, Microsoft issued a statement chiding Zalewski for failing to accommodate its request to delay the release of his security tool, cross_fuzz, which helped find the vulnerability. The company said that it is committed to working with companies and security researchers to resolve vulnerabilities before they're made public. "In this case, risk has now been amplified," said Jerry Bryant, group manager, response communications, Trustworthy Computing at Microsoft, in a statement.

Zalewski countered on his blog that at least one unknown party in China appeared to already know about the vulnerability, making disclosure necessary. Last summer, Zalewski was among the signatories of a Google blog post calling on the security community to update its disclosure practices.