Zero-day flaw hits most Windows versions

Microsoft has warned of a new zero-day flaw in all versions of Windows except Windows 7 and certain versions of Windows Server 2008.

The flaw in the Windows Graphics Rendering Engine could allow an attacker to gain full user rights by tricking a user into viewing a "specially crafted thumbnail image". According to a security advisory published yesterday, such a thumbnail could be placed inside a Microsoft Word or PowerPoint document, or placed online or on a network share. As with most vulnerabilities of this type, attackers would need to use social engineering to convince a user to view or preview the thumbnail.

Various iterations of Windows Vista, Server 2003, and XP are impacted. Windows 7 and Server 2008 R2 are not affected.

A page in the Common Vulnerabilities and Exposures List suggests the flaw has been known to at least some members of the security community since mid-October last year. In a post on the Microsoft Security Response Center blog yesterday, Trustworthy Computing Senior Marketing Communications Manager Angela Gunn said Microsoft was not aware of any attempts to exploit the flaw at present.

"We are working to develop a security update to address this vulnerability. The circumstances around the issue do not currently meet the criteria for an out-of-band release; however, we are monitoring the threat landscape very closely," she said. Microsoft's next "Patch Tuesday" is due next week, but it is highly unlikely a fix will be included in that batch of security patches.

Workarounds are available, though Microsoft warns that once they are applied, "media files typically handled by the Graphics Rendering Engine will not be displayed properly."


53 Comments


...oh dear me... I can't afford to put out all that kind of money... oh my, what will I do... Windows 7 is just so expensive... will one of you help me pay for Windows 7... please, pretty please. Thank you in advance.

Pam14160 said,
...oh dear me... I can't afford to put out all that kind of money... oh my, what will I do... Windows 7 is just so expensive... will one of you help me pay for Windows 7... please, pretty please. Thank you in advance.

Only stupids buy Windows retail copies. You should get Windows 7 pre-installed with your PC. That way it costs about $20.

pezzonovante said,

Only stupids buy Windows retail copies. You should get Windows 7 pre-installed with your PC. That way it costs about $20.


Then will you pay for her new PC?

pezzonovante said,

Only stupids buy Windows retail copies. You should get Windows 7 pre-installed with your PC. That way it costs about $20.

Stupids... You mean little neowinian!

Me is hurt!

Pam14160 said,
...oh dear me... I can't afford to put out all that kind of money... oh my, what will I do... Windows 7 is just so expensive... will one of you help me pay for Windows 7... please, pretty please. Thank you in advance.

Try to purchase an OEM or an academic license, or check for some discount around the net.
Or
purchase TechNet online with some folks and obtain 10x licenses.
Or
piracy.

There was actually a "keynote" (the dude told people about this before his real keynote) at Defcon last year (2010). It was an interesting thing to listen to.

So far as they know of anyway, Windows 7 is secure against this. Who's to say there isn't some other unknown way to execute this flaw so that it does affect Windows 7?

Anyway,
Glad to hear that so far Windows 7 isn't affected.

cork1958 said,
So far as they know of anyway, Windows 7 is secure against this. Who's to say there isn't some other unknown way to execute this flaw so that it does affect Windows 7?

Anyway,
Glad to hear that so far Windows 7 isn't affected.

They wrote it. I'm assuming they went and checked the source to make sure it wasn't written the same way still?

cork1958 said,
So far as they know of anyway, Windows 7 is secure against this. Who's to say there isn't some other unknown way to execute this flaw so that it does affect Windows 7?

Anyway,
Glad to hear that so far Windows 7 isn't affected.

Correct me if I'm wrong, but if this is a flaw in the GDI codecs, Win7 will not be affected since they were rewritten as a subset of Direct2D (the Paint.NET author said so somewhere in the Paint.NET forum) ;-)

Thank God for Windows 7 ^^, I have to have the latest shiny OS. Although if 8 is all this cloud nonsense, I may be slow to upgrade; sometimes I'm without an internet connection for weeks.

nkaHnt said,
Probably, Microsoft would never release a fix to this to convince them to move toward 7

They don't choose whether they release a fix or not, you know...

Aethec said,

They don't choose whether they release a fix or not, you know...

Who chooses? There are still plenty they have "chosen" not to fix/release from way back.

DARKFiB3R said,

Who chooses? There are still plenty they have "chosen" not to fix/release from way back.

They have to provide fixes...just look at all the companies running XP, do you think MS can say "sorry, you won't get a patch, just update to Win7" ?

"As with most vulnerabilities of this type, attackers would need to use social engineering to convince a user to view or preview the thumbnail."

Fake emails coming from everyone's favorite social site?

If this security hole was already known, how is it a zero-day flaw? Just because it might not have an official fix yet doesn't make it a zero-day security threat.

Another reason I enjoy running Windows 7. No worries about such exploits. It almost seems like if you want to risk your valuable data by continuing to run XP, you kind of deserve the damage that might be wrought from such attacks.

devHead said,
Another reason I enjoy running Windows 7. No worries about such exploits. It almost seems like if you want to risk your valuable data by continuing to run XP, you kind of deserve the damage that might be wrought from such attacks.

Not every computer is capable of running Windows 7, and not every person is capable of buying a new one. I'm not against upgrading (I have upgraded all my home's machines to Windows 7) but there are cases in which it is not possible.

What about the boot sector virus that my customers have been dealing with on Windows 7 since Jan 1st? Hmmmm, my tiny little town can't possibly be the only victims here. This thing is serious, man. Renders Win 7 PCs USELESS with a blue screen of death in both safe mode and regular mode.

joemailey said,
What boot sector virus? I've never heard of it yet. Any more details?

I was going to say, I have heard nothing about this, and I work with PCs lol

KavazovAngel said,

Copy-paste.

What virus?

LOL!

Well, I think he's referring to some boot-loader type of virus that hijacks the boot sequence, loads itself, then boots Win7 on its own. Fixing the boot with the Win7 DVD recovery console would work.

leojei said,

LOL!

Well, I think he's referring to some boot-loader type of virus that hijacks the boot sequence, loads itself, then boots Win7 on its own. Fixing the boot with the Win7 DVD recovery console would work.

TDSSKILLER gets rid of it, and it is identified as rootkit.win32.tdss.tdl4.
I have had it on 5 computers since the first of the year. All 64-bit Windows 7 PCs. Of course they didn't know what they were doing at the time to deserve it.
JF

jimmyfal said,

TDSSKILLER gets rid of it, and it is identified as rootkit.win32.tdss.tdl4.
I have had it on 5 computers since the first of the year. All 64-bit Windows 7 PCs. Of course they didn't know what they were doing at the time to deserve it.
JF

Honestly I don't know a lot about how this stuff works; I do know a lot about getting rid of this crap though. So does this have anything to do with this guy releasing the tool on New Year's Day? I don't know. I just know that's the day this crap started happening to my customers.
http://arstechnica.com/microso...y-bug-leads-to-squabble.ars

Microsoft said,
"We are working to develop a security update to address this vulnerability."

How does "Staying up to date" help in this case?

Majesticmerc said,

How does "Staying up to date" help in this case?


It means it is good to install updates/patches.

Majesticmerc said,

How does "Staying up to date" help in this case?

Those who stayed up to date by installing Windows 7 are unaffected. I'd say that helps in this case.

Timble said,

Those who stayed up to date by installing Windows 7 are unaffected. I'd say that helps in this case.


Exactly! Staying up to date also means upgrading to the newest windows version.
WI

este said,
Nothing really major here but still another reason to stay updated...

This.. the "if it ain't broke, don't fix it" line is not true, at least with XP. Move on, people.

GP007 said,

Exactly! Staying up to date also means upgrading to the newest windows version.
WI
FYI, Windows Vista, Server 2003, and XP are all still supported versions of Windows, so your statement is flawed.

Rudy said,
FYI, Windows Vista, Server 2003, and XP are all still supported versions of Windows, so your statement is flawed.

He didn't say they were unsupported. He just said upgrade to the newest Windows version.

Timble said,
Those who stayed up to date by installing Windows 7 are unaffected. I'd say that helps in this case.

But not in all of the cases; there have been many other flaws affecting Windows 7 too. However, it is true that newer versions of Windows include better security technologies.

GreyWolf said,

He didn't say they were unsupported. He just said upgrade to the newest Windows version.

And I was just pointing out that it's not considered "staying up to date".

Rudy said,
And I was just pointing out that it's not considered "staying up to date".

What's not "up to date" if you are at the newest version of Windows, i.e. Windows 7?

Rudy said,
FYI, Windows Vista, Server 2003, and XP are all still supported versions of Windows, so your statement is flawed.

No, it isn't. While they're supported, they aren't up to date. That's all the user was saying.

It's a problem at Microsoft HQ though, but that user wasn't Microsoft.