Hello – Today we released Security Advisory 2490606, which addresses a publicly disclosed vulnerability affecting Microsoft Windows Graphics Rendering Engine on Vista, Server 2003, and Windows XP. We are not aware of any affected customers, nor of any active attacks targeting customers. The vulnerability does not affect Windows 7 or Windows Server 2008 R2, the newest versions of our operating system.
To target this vulnerability, an attacker must convince a user to visit a specially crafted malicious Web page, or to open a malicious Word or PowerPoint file. Furthermore, users whose accounts are configured to have fewer user rights on the system would be less affected by an attack than those running with administrative rights. The Advisory includes further mitigations and workarounds to protect our customers.
We have initiated our Software Security Incident Response Process (SSIRP) to manage this issue, and we are sharing detailed information through the Microsoft Active Protections Program (MAPP). Our 70 global MAPP partners, including leading providers of anti-virus and anti-malware products, provide protections for an estimated one billion customers worldwide. With our partners, Microsoft is actively working to monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability. If your protection provider is in our MAPP program, you can contact them concerning the status of providing protections for this issue as it is likely that updated malware signatures in these products will offer further protection.
Meanwhile, we are working to develop a security update to address this vulnerability. The circumstances around the issue do not currently meet the criteria for an out-of-band release; however, we are monitoring the threat landscape very closely and if the situation changes, we will post updates here on the MSRC blog.
As always, we encourage Internet users to follow the “Protect Your Computer” guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Additional information can be found at Security at Home.
Happy New Year –
Sr. Marketing Communications Manager, Trustworthy Computing