Windows Graphics Engine Contains Security Flaw

Microsoft released a security advisory today concerning Windows Vista, Windows XP and Windows Server 2003.

The flaw is associated with the Windows graphics rendering engine, which improperly parses a specially crafted image file, leading to a stack overflow, according to Microsoft's security advisory 2490606. This remote code execution exploit can be used by a hacker to gain user rights on a system. However, Microsoft's blog describing the problem states that the company isn't aware of any active exploits occurring yet.

The issue is made more acute if the user has administrative rights, which may allow the attacker to modify network settings or change and delete data.

Typically, an attack using this exploit would attempt to get Windows users to click on an e-mail attachment containing a thumbnail image or an instant messaging link. An alternative attack method might be to direct a user to a thumbnail image located on a network sharing space.

The security advisory suggests keeping software updated and using firewalls and antivirus software. It also describes a few workarounds to increase protection, prior to Microsoft's release of patch.

Microsoft isn't planning to release an out-of-band patch, according to the blog. However, it may release a fix in one of its monthly security update releases. It's not clear when that might happen. Microsoft suggests monitoring its Twitter feed or its MSRC security blog.

Meanwhile, software security firm Sophos reported today that hackers have been sending fake Windows updates through e-mail attachments, which is something that Microsoft does not do. The attachment installs a worm associated with a Windows autorun exploit.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.


  • Microsoft Warns IT Pros on Windows Netlogon Fix Coming Next Month

    Microsoft on Thursday issued a reminder to organizations to ensure that their systems are properly patched for a "Critical"-rated Windows Netlogon vulnerability before next month's "update Tuesday" patch distribution arrives.

  • Microsoft Nudging Skype for Business Users to Teams

    Microsoft on Thursday announced some perks and prods for Skype for Business unified communications users, with the aim of moving them to the Microsoft Teams collaboration service instead.

  • How To Improve Windows 10's Sound and Video Quality

    Windows 10 comes with built-in tools that can help users get the most out of their sound and video hardware.

  • Microsoft Offers More 'Solorigate' Advice Using Microsoft 365 Defender Tools

    Microsoft issued yet another article with advice on how to use its Microsoft 365 Defender suite of tools to protect against "Solorigate" advanced persistent threat types of attacks in a Thursday announcement.

comments powered by Disqus