NEWS FROM THE LAB - Wednesday, January 5, 2011

First 2011 Windows Vulnerability Posted by Alia @ 01:34 GMT

Another year, another vulnerability in Windows. Yesterday Microsoft confirmed it was investigating a "recently discovered" vulnerability. Exploit code for this is reported to be already available.

According to the Security Advisory, the vulnerability involves the Windows Graphics Rendering Engine. Affected Windows versions are various flavors of XP, Vista, Server 2003, and Server 2008. Windows 7 is not affected.

Exploiting the vulnerability requires a specially-crafted thumbnail image (say of a folder or program). Successful exploitation can lead to the attacker pretty much taking control of said computer.

One note: whether the booby-trapped thumbnail is on a site or sent in an e-mail, the user still has to actively visit the site or click a link in the e-mail (or open an attachment) to be affected, so standard precautions about safe surfing and computer usage still apply.

For users on affected versions, the advisory has a workaround that will at least "help block known attack vectors", until a patch is released. Or since the new year is a time for fresh starts, this might be a good time to consider upgrading to Windows 7.

No out-of-band update release seems to be forthcoming, so the soonest a patch might be available is January 11. Stay tuned.