January 05, 2011

Microsoft advises of zero-day flaw in its Graphics Engine

Microsoft is warning of an unpatched vulnerability in its Windows Graphics Rendering Engine, which supports image formats, that could lead to remote code execution.

The flaw can enable an attacker to install malicious programs, access data or create accounts with full user rights, according to an advisory released Tuesday.

"To target this vulnerability, an attacker must convince a user to visit a specially crafted malicious web page, or to open a malicious Word or PowerPoint file," Angela Gunn, senior marketing communications manager for Microsoft Trustworthy Computing, wrote on a company blog post. "Furthermore, users whose accounts are configured to have fewer user rights on the system would be less affected by an attack then those running with administrative rights." 

The bug was revealed at a Korean hacker conference in mid-December, said Paul Ducklin, head of technology for the Asia-Pacific region at anti-virus firm Sophos. Exploit code has been added to the Metasploit hacking toolkit.

In its advisory, though, Microsoft said it was not aware of any in-the-wild attacks or customer impact.

The software giant is working on a fix. Its next round of patches are due out Tuesday.

Related Articles
Related Topics

Sign up to our newsletters

More in News

House Intelligence Committee OKs amended version of controversial CISPA

Despite the 18-to-2 vote in favor of the bill proposal, privacy advocates likely will not be satisfied, considering two key amendments reportedly were shot down.

Judge rules hospital can ask ISP for help in ID'ing alleged hackers

The case stems from two incidents where at least one individual is accused of accessing the hospital's network to spread "defamatory" messages to employees.

Three LulzSec members plead guilty in London

Ryan Ackroyd, 26; Jake Davis, 20; and Mustafa al-Bassam, 18, who was not named until now because of his age, all admitted their involvement in the hacktivist gang's attack spree.