Announcement: Microsoft Security Advisory 2490606: Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution

This was just published on TechNet’s Microsoft Security Advisories and noted on the MSRC Blog: details on Microsoft Security Advisory 2490606, Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution…

Microsoft is investigating new public reports of a vulnerability in the Windows Graphics Rendering Engine. An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the logged-on user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

We are not aware of attacks that try to use the reported vulnerability or of customer impact at this time.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Affected Software:

  • Windows XP Service Pack 3 and Windows XP Professional x64 Edition Service Pack 2 
  • Windows Server 2003 Service Pack 2, x64 SP2 and SP2 for Itanium-based systems
  • Windows Vista Service Pack 1 and SP2, as well as Windows Vista x64 Edition SP1 and SP2
  • Windows Server 2008 RTM

Non-Affected Software: Windows 7 for 32-bit and x64-based Systems, Windows Server 2008 R2 for x64-based and Itanium-based systems.

As noted, teams are working to develop a security update to address this vulnerability. The circumstances around the issue do not currently meet the criteria for an out-of-band release; however, we are monitoring the threat landscape very closely and if the situation changes, we will post updates here on the MSRC blog.

As always, we encourage Internet users to follow the “Protect Your Computer” guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Additional information can be found at Security at Home.

For more details on the Security Advisory you can subscribe to our comprehensive alerts here to receive email when there’s new information.


Tags: Security, what I read, Microsoft, Windows 7.

MSRC references: Security Advisory, Workarounds, Defense-in-depth, Exploitability
