Skip to main content

Microsoft confirms Windows zero-day flaw

Software giant Microsoft has confirmed reports of a zero-day vulnerability affecting the graphics rendering engine in Windows that allows a remote attacker to run arbitrary code and take over an affected machine.

Although the company has stated that it is "not aware of attacks that try to use the reported vulnerability or of customer impact at this time," it's a serious vulnerability - and one which leaves the company's customers wide open to exploitation from ne'er-do-wells as the details of the flaw percolate through the digital underground.

The good news is that users of Microsoft's latest operating system, Windows 7, are not thought to be affected by the flaw - and likewise users of Windows Server 2008 R2, which uses the same code base. Users of older Windows releases - including non-R2 versions of Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP - are confirmed as being vulnerable to attack.

The flaw is believed to have been first discovered by security researchers Moti Joseph and Xu Hao, who have previously spoken on the development of a so-called zero-day vulnerability at the Power of Community security conference.

Currently, there is no official patch for the flaw - which has been assigned the CVE reference CVE-2010-3970 - although Microsoft has detailed a workaround as part of its official security advisory. Sadly, the temporary fix - which involves modifying the access control list on the vulnerable DLL to be more restrictive - causes media files that would ordinarily be handled by the affected graphics rendering engine to fail to display correctly.

More information, and details on how to modify the access control list as a temporary protection against attack, is available on Microsoft Security Advisory 2490606, entitled "Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution."