Disclosed last month, a flaw in the Windows Graphics Rendering Engine could be used to execute malicious code.

Thomas Claburn, Editor at Large, Enterprise Mobility

January 4, 2011

2 Min Read

Microsoft on Tuesday issued a security advisory about a publicly reported vulnerability in the Windows Graphics Rendering Engine, warning that the successful exploitation of this vulnerability could allow the execution of arbitrary code under the permissions granted by the victim's account.

The company said that it's not aware of attacks leveraging this vulnerability. Affected systems include Vista, Server 2003, and Windows XP, but not Windows 7 or Windows Server 2008 R2.

SANS Internet Storm center handler and security researcher Johannes Ullrich observes that the vulnerability could be exploited through malicious thumbnail images attached to Office documents and sent via e-mail or over a network. He says there's no patch available but there are steps that can be taken to mitigate the risk by preventing the rendering of thumbnail images.

The vulnerability was disclosed last month by security researchers Moti Joseph and Xu Hao at the Power of Community conference.

Angela Gunn, senior marketing communications manager with Microsoft's Trustworthy Compuing group, says that Microsoft is working to address the vulnerability and that it's not serious enough to warrant an out-of-band patch. Microsoft's next scheduled set of security patches is due Tuesday, January 11.

Microsoft is also facing a zero-day Internet Explorer vulnerability. Google security researcher Michael Zalewski notified Microsoft about the flaw in July, though his account of the notification process differs somewhat from Microsoft's.

On January 1, 2011, Microsoft issued a statement chiding Zalewski for failing to accommodate its request to delay the release of his security tool, cross_fuzz, which helped find the vulnerability. The company said that it is committed to working with companies and security researchers to resolve vulnerabilities before they're made public. "In this case, risk has now been amplified," said Jerry Bryant, group manager, response communications, Trustworthy Computing at Microsoft, in a statement.

Zalewski countered on his blog that at least one unknown party in China appeared to already know about the vulnerability, making disclosure necessary. Last summer, Zalewski was among the signatories of a Google blog post calling on the security community to update its disclosure practices.

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights