Microsoft investigates Windows zero-day flaw


Microsoft has warned about yet another zero-day flaw affecting Windows.

The vulnerability could allow malware to be installed on a computer if users simply view a malicious image in a browser or document.

It could also enable an attacker to install other programs, view, alter or delete data, and even create new accounts with full user rights, Microsoft said in an advisory released last night.

The Redmond giant said it was investigating the vulnerability, which resided in the Windows Graphics Rendering Engine, but no patch or workaround has yet been promised.

The flaw affects Windows Vista, Server 2003 and Windows XP, but not the latest iteration of the operating system, Windows 7.

Microsoft said it was not aware of any active attacks exploiting the vulnerability.

"Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers," the firm said.

"This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs."

The bug was detailed at a hacking convention in Korea and, according to Sophos' Paul Ducklin, a working exploit was recently added to the Metasploit Framework, which is free to access.

"Fortunately, the Metasploit exploit code is rather limited, officially targeting only Windows 2000 and Windows XP SP3, but it does serve as a documented proof-of-concept for anyone who cares to study it," Ducklin said in a blog post.

"Sadly, our increasing insistence that everything we see on the internet to be served up in a sea of graphical gewgaws comes with considerable risk: greatly increased code complexity, the unrelenting enemy of computer security."

Graham Cluley, senior technology consultant at Sophos, told IT PRO it was likely Microsoft would be very busy this year issuing fixes.

"Microsoft are sure to remain busy plugging holes and protecting their users," Cluley said.

"For their part, Windows users should remember to take security alerts from firms such as Microsoft seriously and keep their software up-to-date."

With Patch Tuesday due next week, Microsoft may fix numerous issues, including a flaw affecting all versions of Internet Explorer.

Hackers could have take advantage of the security hole through a technique which lets attackers get around two important security defences in Windows 7 and Vista.

Meanwhile, a Google researcher has warned details on a potentially serious vulnerability affecting the Microsoft browser could be in the hands of Chinese hackers.

Tom Brewster

Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.

He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.