Microsoft is warning system administrators of a security vulnerability in some 64-bit Windows systems that could lead to takeover of some users' systems.
The flaw affects 64-bit versions of Microsoft (NASDAQ: MSFT) Windows 7, Windows Server 2008 Release 2 (R2), and Windows Server 2008 R2 for Itanium systems, according to a Microsoft Security Advisory released Tuesday afternoon.
The hole exists in a portion of Windows called the Canonical Display Driver. Microsoft engineers are currently working on a patch for the problem, the advisory said.
"The Canonical Display Driver is used by desktop composition to blend the Windows Graphics Device Interface (GDI) and DirectX drawing," Jerry Bryant, group manager of response communications, said in a post to the Microsoft Security Response Center (MSRC) blog.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
So far, according to Microsoft, there have been no attacks in the wild that exploit the Canonical Display Driver vulnerability. In addition, several mitigating factors make it difficult for malicious hackers to take advantage of the flaw.
For instance, the vulnerability can only be exploited if the so-called "Aero" user interface theme is installed. While that's the default on Windows 7, it is not set as the default for Windows Server 2008 R2, the advisory said. Additionally, Windows Server 2008 R2 does not come with display drivers for Aero.
What makes a successful exploit even more difficult is that the affected operating systems use a technology called Address Space Layout Randomization (ASLR). To exploit the security vulnerability, the attacker's program must begin execution at a specific memory address. However, ASLR specifically randomizes where programs start to execute, making it difficult to guess what the correct starting address really is. Thus exploiting the hole becomes a guessing game.
"In most scenarios, an attacker who successfully exploited this vulnerability could cause the affected system to stop responding and automatically restart," the advisory said.
In some admittedly rare instances, however, the attacker could successfully take over the user's computer.
Despite what Microsoft describes as the unlikely chance that someone will be able to jump through all the necessary hoops to seize control of a user's system, Microsoft is working on a patch -- and officials felt the issue is dangerous enough to warrant issuing a Security Advisory to announce the coming patch.
In the meantime, for those systems that do have the Aero theme installed, the company has posted a workaround that disables Aero.
This is the second unpatched zero-day hole that Microsoft has warned users about in the past three weeks. In late April, it warned about a zero-day that affects Windows SharePoint Services 3.0 and Windows SharePoint Server 2007. Microsoft SharePoint 2010, which began shipping last week, is not affected.
Microsoft has not yet said when it will patch the SharePoint vulnerability, nor has it revealed any schedule for when a patch for the latest hole might become available.