Microsoft investigates Windows zero-day flaw

Microsoft is looking into a fresh flaw affecting the Windows Graphics Rendering Engine.


Microsoft has warned about yet another zero-day flaw affecting Windows.

The vulnerability could allow malware to be installed on a computer if users simply view a malicious image in a browser or document.

It could also enable an attacker to install other programs, view, alter or delete data, and even create new accounts with full user rights, Microsoft said in an advisory released last night.

Advertisement - Article continues below

The Redmond giant said it was investigating the vulnerability, which resided in the Windows Graphics Rendering Engine, but no patch or workaround has yet been promised.

The flaw affects Windows Vista, Server 2003 and Windows XP, but not the latest iteration of the operating system, Windows 7.

Microsoft said it was not aware of any active attacks exploiting the vulnerability.

"Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers," the firm said.

"This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs."

The bug was detailed at a hacking convention in Korea and, according to Sophos' Paul Ducklin, a working exploit was recently added to the Metasploit Framework, which is free to access.

"Fortunately, the Metasploit exploit code is rather limited, officially targeting only Windows 2000 and Windows XP SP3, but it does serve as a documented proof-of-concept for anyone who cares to study it," Ducklin said in a blog post.

Advertisement - Article continues below
Advertisement - Article continues below

"Sadly, our increasing insistence that everything we see on the internet to be served up in a sea of graphical gewgaws comes with considerable risk: greatly increased code complexity, the unrelenting enemy of computer security."

Graham Cluley, senior technology consultant at Sophos, told IT PRO it was likely Microsoft would be very busy this year issuing fixes.

"Microsoft are sure to remain busy plugging holes and protecting their users," Cluley said.

"For their part, Windows users should remember to take security alerts from firms such as Microsoft seriously and keep their software up-to-date."

With Patch Tuesday due next week, Microsoft may fix numerous issues, including a flaw affecting all versions of Internet Explorer.

Hackers could have take advantage of the security hole through a technique which lets attackers get around two important security defences in Windows 7 and Vista.

Meanwhile, a Google researcher has warned details on a potentially serious vulnerability affecting the Microsoft browser could be in the hands of Chinese hackers.

Featured Resources

Successful digital transformations are future ready - now

Research findings identify key ingredients to complete your transformation journey

Download now

Cyber security for accountants

3 ways to protect yourself and your clients online

Download now

The future of database administrators in the era of the autonomous database

Autonomous databases are here. So who needs database administrators anymore?

Download now

The IT expert’s guide to AI and content management

Your guide to the biggest opportunities for IT teams when it comes to AI and content management

Download now



Businesses brace for second 'Fujiwhara effect' of 2020 as Patch Tuesday looms

9 Apr 2020
cyber security

Zoom hires ex-Facebook CSO Alex Stamos to boost platform security

8 Apr 2020

HP Support Assistant flaws leave Windows devices open to attack

6 Apr 2020
cyber security

Safari bug let hackers access cameras on iPhones and Macs

6 Apr 2020

Most Popular

video conferencing

Taiwan becomes first country to ban Zoom amid security concerns

8 Apr 2020
cyber security

Microsoft gobbles up domain to keep it from hackers

8 Apr 2020
Mobile Phones

Microsoft patents a mobile device with a third screen

6 Apr 2020