On Tuesday, Microsoft issued a Security Advisory describing a new unpatched Windows vulnerability.
The vulnerability is caused when the Windows Graphics Rendering Engine improperly parses a specially crafted thumbnail image, resulting in a stack overflow.
An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the logged-on user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
The vulnerability is a publicly disclosed flaw affecting the Windows Graphics Rendering Engine on Vista, Server 2003 and Windows XP.
Microsoft says both Windows 7 32-bit and 64-bit as well as Server 2008 R2 are unaffected.
Secunia, a security firm, currently rates the vulnerability as “extremely critical”. Microsoft says it’s not aware of attacks that use the reported vulnerability at this time.
According to a Microsoft blog post:
“Meanwhile, we are working to develop a security update to address this vulnerability. The circumstances around the issue do not currently meet the criteria for an out-of-band release; however, we are monitoring the threat landscape very closely and if the situation changes, we will post updates here on the MSRC blog.”
Details about the flaw can be found here.