Microsoft Warns on Windows Graphics Rendering Bug


Microsoft warned security professionals and users on Tuesday of a newly-found zero-day vulnerability in the Windows Graphics Rendering Engine in several versions of Windows.

Microsoft's (NASDAQ: MSFT) security team decided that the bug is serious enough for the company to announce it is working on a formal patch to the problem, but not so dangerous that the company feels it's necessary to release the patch "out of cycle" – outside of its regular monthly patch distribution cycle, according to a Microsoft spokesperson.

While the vulnerability has already been publicly disclosed, Microsoft says the company has seen no use of it in the wild so far.

In the meantime, Microsoft has published workarounds meant to help keep users safe.

PC support personnel and users who have already installed Windows 7 and are running Windows Server 2008 Release 2 (R2) can breathe a little easier, since those systems are not susceptible to attack. Earlier versions, however, are at risk.

"Today we released Security Advisory 2490606, which addresses a publicly disclosed vulnerability affecting Microsoft Windows Graphics Rendering Engine on Vista, Server 2003, and Windows XP," Angela Gunn, senior marketing communications manager in Microsoft's Trustworthy Computing organization, said in a post to the Microsoft Security Response Center blog.

According to the advisory, opening a booby-trapped thumbnail image either posted on a malicious website or inside a Word or PowerPoint file sent as an attachment to an e-mail can result in complete takeover of the user's computer. However, the vulnerability cannot be exploited by simply displaying the e-mail.

Microsoft has published workarounds for the affected versions of Windows and Windows Server in the advisory, although the company cautions that they do not fix the underlying bug but will "help block known attack vectors before a security update is available," the advisory said.

Next Tuesday is Microsoft's regularly scheduled "Patch Tuesday" security patch release -- so-called because it's always held on the second Tuesday of each month. Microsoft does not disclose in advance what it's planning to patch on Patch Tuesday although it does give security professionals some advance notice of what it will patch on the Thursday before Patch Tuesday.

Stuart J. Johnston is a contributing writer at, the news service of, the network for technology professionals. Follow him on Twitter @stuartj1000.

Keep up with security news; Follow eSecurityPlanet on Twitter: @eSecurityP.