Microsoft has warned of a new zero-day flaw in all versions of Windows except Windows 7 and certain versions of Windows Server 2008.
The flaw in the Windows Graphics Rendering Engine could allow an attacker to gain full user rights by tricking a user into viewing a ''specially crafted thumbnail image''. According to a security advisory published yesterday, such a thumbnail could be placed inside a Microsoft Word or PowerPoint document, or placed online or on a network share. As with most vulnerabilities of this type, attackers would need to use social engineering to convince a user to view or preview the thumbnail.
Various editions of Windows Vista, Server 2003, and XP are affected. Windows 7 and Server 2008 R2 are not affected.
A page in the Common Vulnerabilities and Exposures List suggests the flaw has been known to at least some members of the security community since mid-October last year. In a post on the Microsoft Security Response Center blog yesterday, Trustworthy Computing Senior Marketing Communications Manager Angela Gunn said Microsoft was not aware of any attempts to exploit the flaw at present.
''We are working to develop a security update to address this vulnerability. The circumstances around the issue do not currently meet the criteria for an out-of-band release; however, we are monitoring the threat landscape very closely,'' she said. Microsoft's next ''Patch Tuesday'' is due next week, but it is highly unlikely a fix will be included in that batch of security patches.
Workarounds are available, though Microsoft warns that, with them applied, ''media files typically handled by the Graphics Rendering Engine will not be displayed properly.''