Microsoft investigates Windows zero-day flaw

Microsoft is looking into a fresh flaw affecting the Windows Graphics Rendering Engine.

Security

Microsoft has warned about yet another zero-day flaw affecting Windows.

The vulnerability could allow malware to be installed on a computer if users simply view a malicious image in a browser or document.

It could also enable an attacker to install other programs, view, alter or delete data, and even create new accounts with full user rights, Microsoft said in an advisory released last night.

Advertisement - Article continues below

The Redmond giant said it was investigating the vulnerability, which resided in the Windows Graphics Rendering Engine, but no patch or workaround has yet been promised.

The flaw affects Windows Vista, Server 2003 and Windows XP, but not the latest iteration of the operating system, Windows 7.

Microsoft said it was not aware of any active attacks exploiting the vulnerability.

"Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers," the firm said.

"This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs."

The bug was detailed at a hacking convention in Korea and, according to Sophos' Paul Ducklin, a working exploit was recently added to the Metasploit Framework, which is free to access.

"Fortunately, the Metasploit exploit code is rather limited, officially targeting only Windows 2000 and Windows XP SP3, but it does serve as a documented proof-of-concept for anyone who cares to study it," Ducklin said in a blog post.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"Sadly, our increasing insistence that everything we see on the internet to be served up in a sea of graphical gewgaws comes with considerable risk: greatly increased code complexity, the unrelenting enemy of computer security."

Graham Cluley, senior technology consultant at Sophos, told IT PRO it was likely Microsoft would be very busy this year issuing fixes.

"Microsoft are sure to remain busy plugging holes and protecting their users," Cluley said.

"For their part, Windows users should remember to take security alerts from firms such as Microsoft seriously and keep their software up-to-date."

With Patch Tuesday due next week, Microsoft may fix numerous issues, including a flaw affecting all versions of Internet Explorer.

Hackers could have take advantage of the security hole through a technique which lets attackers get around two important security defences in Windows 7 and Vista.

Meanwhile, a Google researcher has warned details on a potentially serious vulnerability affecting the Microsoft browser could be in the hands of Chinese hackers.

Featured Resources

Key considerations for implementing secure telework at scale

Identifying the security risks and advanced requirements of a remote workforce

Download now

The State of Salesforce 2020

Your guide to getting the most from Salesforce

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Rethink your cybersecurity strategy for the new world

5 steps to secure the enterprise and be fit for a flexible future

Download now
Advertisement

Recommended

Sophos Central Endpoint Protection review: Because you’re worth it
endpoint security

Sophos Central Endpoint Protection review: Because you’re worth it

3 Aug 2020
Andrew Daniels joins Druva as CIO and CISO
Cloud

Andrew Daniels joins Druva as CIO and CISO

22 Jul 2020
Virtualise Windows 7 under Windows 10
Microsoft Windows

Virtualise Windows 7 under Windows 10

5 Jul 2020
University of California gets fleeced by hackers for $1.14 million
ransomware

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

3 Aug 2020
How to use Chromecast without Wi-Fi
Mobile

How to use Chromecast without Wi-Fi

4 Aug 2020
Police use of facial recognition ruled unlawful in the UK
privacy

Police use of facial recognition ruled unlawful in the UK

11 Aug 2020