Zero-day flaw hits most Windows versions

Microsoft has warned of a new zero-day flaw in all versions of Windows except Windows 7 and certain versions of Windows Server 2008.

The flaw in the Windows Graphics Rendering Engine could allow an attacker to gain full user rights by tricking a user into viewing a ''specially crafted thumbnail image''. According to a security advisory published yesterday, such a thumbnail could be embedded in a Microsoft Word or PowerPoint document, or placed online or on a network share. As with most vulnerabilities of this type, attackers would need to use social engineering to convince a user to view or preview the thumbnail.

Various iterations of Windows Vista, Server 2003, and XP are impacted. Windows 7 and Server 2008 R2 are not affected.

A page in the Common Vulnerabilities and Exposures List suggests the flaw has been known to at least some members of the security community since mid-October last year. In a post on the Microsoft Security Response Center blog yesterday, Trustworthy Computing Senior Marketing Communications Manager Angela Gunn said Microsoft was not aware of any attempts to exploit the flaw at present.

''We are working to develop a security update to address this vulnerability. The circumstances around the issue do not currently meet the criteria for an out-of-band release; however, we are monitoring the threat landscape very closely,'' she said. Microsoft's next ''Patch Tuesday'' is due next week, but it is highly unlikely a fix will be included in that batch of security patches.

Workarounds are available, though Microsoft warns that with them applied, ''media files typically handled by the Graphics Rendering Engine will not be displayed properly.''


If this security hole was already known, how is it a zero-day flaw? Just because it might not have an official fix yet doesn't make it a zero-day security threat.

"As with most vulnerabilities of this type, attackers would need to use social engineering to convince a user to view or preview the thumbnail."

Fake emails coming from everyone's favorite social site?

nkaHnt said,
Probably, Microsoft would never release a fix to this to convince them to move toward 7

They don't choose whether they release a fix or not, you know...

Aethec said,

They don't choose whether they release a fix or not, you know...

Who chooses? There are still plenty they have "chosen" not to fix/release from way back.

DARKFiB3R said,

Who chooses? There are still plenty they have "chosen" not to fix/release from way back.

They have to provide fixes...just look at all the companies running XP, do you think MS can say "sorry, you won't get a patch, just update to Win7" ?

Thank God for Windows 7 ^^, I have to have the latest shiny OS, although if 8 is all this cloud nonsense, I may be slow to upgrade; sometimes I'm without an internet connection for weeks.

So far as they know of anyway, Windows 7 is secure against this. Who's to say there isn't some other unknown way to execute this flaw so that it does affect Windows 7?

Anyway,
Glad to hear that so far Windows 7 isn't affected.

cork1958 said,
So far as they know of anyway, Windows 7 is secure against this. Who's to say there isn't some other unknown way to execute this flaw so that it does affect Windows 7?

Anyway,
Glad to hear that so far Windows 7 isn't affected.

They wrote it. I'm assuming they went and checked the source to make sure it wasn't written the same way still?

cork1958 said,
So far as they know of anyway, Windows 7 is secure against this. Who's to say there isn't some other unknown way to execute this flaw so that it does affect Windows 7?

Anyway,
Glad to hear that so far Windows 7 isn't affected.

Correct me if I'm wrong, but if this is a flaw in the GDI codecs, Win7 will not be affected since they were rewritten as a subset of Direct2D (the Paint.NET author said so somewhere in the Paint.NET forum) ;-)

There was actually a "keynote" (the dude told people about this before his real keynote) at Defcon last year (2010). It was an interesting thing to listen to.

brominated said,
51% of the computing world is still using XP. 20% using Vista.

Yeah...it's a big deal.

No, it's not a big deal. Only 44% of users use XP, while 40% use Vista/7. 90% of XP users are either business users or Chinese pirated users. XP is dead and buried among home users in developed countries.

. . .oh dear me. . .I can't afford to put out all that kind of money. . .oh my what will I do. . .Windows 7 is just so expensive. . .will one of you help me pay for Windows 7. . .please, pretty please. Thank you in advance.

Pam14160 said,
. . .oh dear me. . .I can't afford to put out all that kind of money. . .oh my what will I do. . .Windows 7 is just so expensive. . .will one of you help me pay for Windows 7. . .please, pretty please. Thank you in advance.

Only stupids buy Windows retail copies. You should get Windows 7 pre-installed with your PC. That way it costs about $20.

pezzonovante said,

Only stupids buy Windows retail copies. You should get Windows 7 pre-installed with your PC. That way it costs about $20.


Then will you pay for her new PC?

pezzonovante said,

Only stupids buy Windows retail copies. You should get Windows 7 pre-installed with your PC. That way it costs about $20.

Stupids... You mean little neowinian!

Me is hurt!

Pam14160 said,
. . .oh dear me. . .I can't afford to put out all that kind of money. . .oh my what will I do. . .Windows 7 is just so expensive. . .will one of you help me pay for Windows 7. . .please, pretty please. Thank you in advance.

Try to purchase an OEM or an academic license, or check for some discount around the net.
Or
purchase TechNet online with some folks and obtain 10x licenses.
Or
piracy.
