Microsoft issued an advisory to Windows users about a security vulnerability in a common Windows component that could be used by remote attackers to run malicious code on machines running the Windows XP, Vista and Windows Server 2003 operating systems.
The company said on Tuesday that it is investigating public reports of a stack overflow vulnerability in the Windows Graphics Rendering Engine. The problem stems from a flaw in the way the Graphics Rendering Engine processes thumbnail images in the affected versions of Windows. Microsoft said it is not aware of any affected customers or active attacks targeting the vulnerability.
Attackers could use specially crafted thumbnail images – attached in an e-mail message, hosted on a Web page or embedded in a Microsoft Office document – to exploit the vulnerability. When successfully exploited, the vulnerability allows an attacker to take complete control of a user’s machine, if that user had administrative access to the system, Microsoft said.
As a workaround, Microsoft said users can modify the Windows access control list (ACL) for the shimgvw.dll file, though the company warned that doing so would cause any media files that use that component to be displayed incorrectly.
Microsoft said it is researching the hole and working on a patch. However, the company said the vulnerability won’t warrant an out of cycle patch.
Also this week, Microsoft advised customers to apply MS10-087, a security update published in November. The company cited attacks exploiting that hole in Microsoft Office applications, which affects features that render RTF (rich text format) documents.