IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Microsoft investigates Windows zero-day flaw

Microsoft is looking into a fresh flaw affecting the Windows Graphics Rendering Engine.

Security

Microsoft has warned about yet another zero-day flaw affecting Windows.

The vulnerability could allow malware to be installed on a computer if users simply view a malicious image in a browser or document.

It could also enable an attacker to install other programs, view, alter or delete data, and even create new accounts with full user rights, Microsoft said in an advisory released last night.

The Redmond giant said it was investigating the vulnerability, which resided in the Windows Graphics Rendering Engine, but no patch or workaround has yet been promised.

The flaw affects Windows Vista, Server 2003 and Windows XP, but not the latest iteration of the operating system, Windows 7.

Microsoft said it was not aware of any active attacks exploiting the vulnerability.

"Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers," the firm said.

"This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs."

The bug was detailed at a hacking convention in Korea and, according to Sophos' Paul Ducklin, a working exploit was recently added to the Metasploit Framework, which is free to access.

"Fortunately, the Metasploit exploit code is rather limited, officially targeting only Windows 2000 and Windows XP SP3, but it does serve as a documented proof-of-concept for anyone who cares to study it," Ducklin said in a blog post.

"Sadly, our increasing insistence that everything we see on the internet to be served up in a sea of graphical gewgaws comes with considerable risk: greatly increased code complexity, the unrelenting enemy of computer security."

Graham Cluley, senior technology consultant at Sophos, told IT PRO it was likely Microsoft would be very busy this year issuing fixes.

"Microsoft are sure to remain busy plugging holes and protecting their users," Cluley said.

"For their part, Windows users should remember to take security alerts from firms such as Microsoft seriously and keep their software up-to-date."

With Patch Tuesday due next week, Microsoft may fix numerous issues, including a flaw affecting all versions of Internet Explorer.

Hackers could have take advantage of the security hole through a technique which lets attackers get around two important security defences in Windows 7 and Vista.

Meanwhile, a Google researcher has warned details on a potentially serious vulnerability affecting the Microsoft browser could be in the hands of Chinese hackers.

Featured Resources

Meeting the future of education with confidence

How the switch to digital learning has created an opportunity to meet the needs of every student, always

Free Download

The Total Economic Impact™ of IBM Cloud Pak® for Watson AIOps with Instana

Cost savings and business benefits

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

Technology reimagined

Why PCaaS is perfect for modern schools

Free Download

Recommended

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
The IT Pro Products of the Year 2021: The year’s best hardware and software
Hardware

The IT Pro Products of the Year 2021: The year’s best hardware and software

31 Dec 2021
Sophos Intercept X Advanced review: AI-powered protection
endpoint security

Sophos Intercept X Advanced review: AI-powered protection

30 Nov 2021
Kaspersky exposes MysterySnail zero-day exploit in Windows
zero-day exploit

Kaspersky exposes MysterySnail zero-day exploit in Windows

13 Oct 2021

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

7 Jun 2022
The top programming languages you need to learn for 2022
Careers & training

The top programming languages you need to learn for 2022

23 Jun 2022
Attracting and retaining talent through training
Sponsored

Attracting and retaining talent through training

13 Jun 2022