A previously unknown vulnerability in the Microsoft Windows graphics rendering engine is being exploited by several malicious Web sites to infect visitors' systems, security experts said on Wednesday.
The vulnerability can be triggered remotely and gives the attacker full system privileges, according to technical descriptions of the issue. However, in a security bulletin released late Wednesday, Microsoft maintained that only local user privileges could be gained through the vulnerability. In the last 24 hours, three different Windows Meta Files (WMFs) have been detected trying to use the vulnerability to spread, according to antivirus firm F-Secure.
"Do note that it's really easy to get burned by this exploit if you're analyzing it under Windows," Mikko Hyppönen, chief research officer for F-Secure said in a blog posting. "All you need to do is to access an infected web site with IE (Internet Explorer) or view a folder with infected files with the Windows Explorer."
Increasingly, security and software companies are worried about vulnerabilities that are exploited without any previous warning. Called zero-day exploits, the attacks can compromise systems before software makers issue patches to fix a security issue. Last month, a security researcher attempted to sell a previously unknown vulnerability in Microsoft Excel on eBay. Several companies have marketed defenses against zero-day exploits and Microsoft has created a network of automated Windows systems, known as honeymonkeys, that browse the Web to find malicious code targeted at Internet Explorer.
Google Desktop users have to be particularly careful as the search giant's software indexes any downloaded image file, an action that will cause the exploit to immediately execute, according to security researchers. A Microsoft spokesperson said the company is currently investigating the reports.
UPDATE: This brief has been updated to reflect information published by Microsoft in a Security Bulletin released late on Wednesday. The original brief was published about noon PST on Wednesday, and the updated version at 6:30 PST on Thursday.
Posted by: Robert Lemos