subject: Information Security Professionals Discover New Vulnerability In Microsoft Windows [print this page] Recently, Microsoft issued a security advisory alerting users against a new vulnerability in Microsoft Windows. The vulnerability is related to the Windows Graphic Rendering engine. The vulnerability is caused by an improper parsing of a specially crafted thumbnail image by attackers. Information security professionals are working to mitigate the vulnerability. The vulnerability results in stack overflow. Stack overflow represents a scenario wherein excess memory is used in call stack. An attacker may exploit the vulnerability by luring a user to view a specially crafted thumbnail image. The vulnerability affects Windows XP, Windows Vista, Windows Server 2003 and some versions of Windows Server 2008. The vulnerability does not affect Microsoft Windows Server 2008 for x64, Itanium based systems and Windows 7 for 32 bit and x64 based systems.
The attacker may send the malicious thumbnail image embedded in Microsoft word or PowerPoint file through e-mail as an attachment. The e-mails from attackers have cleverly crafted messages and appear to come from a legitimate source. When an unwary user opens the file to view or preview the thumbnail image, the attacker may execute arbitrary code. An attacker may also place the malicious thumbnail image on a network share. The arbitrary code is executed by tricking the users to navigate the file by clicking on a link in instant message or e-mail. The attackers rely on return-oriented-programming.
Once the malicious code is executed, the attackers may gain control of the affected computer system. Through remote access to the computer, an attacker may direct commands, view, modify and delete files. The attacker may also create new user accounts. Successful exploitation of the vulnerability may cause information security breach. Users must avoid clicking on suspicious links, avoid downloading untrusted files and evade e-mails from unknown sources. Users with administrative rights are more susceptible to the vulnerability than users with user accounts. Data breach has financial, business, reputational and legal implications for organizations. Employee awareness, adherence to security advisories, periodic security evaluations through ethical hacking and security audits, and monitoring traffic to databases with privileged information may help organizations in mitigating vulnerabilities and reducing attacks.
