Information Security Professionals Discover New Vulnerability in Microsoft Windows

Jan. 6, 2011 - PRLog -- Microsoft has issued a security advisory warning users of a new vulnerability in Microsoft Windows. The vulnerability lies in the Windows Graphics Rendering Engine and is triggered when the engine improperly parses a specially crafted thumbnail image supplied by an attacker. Information security professionals are working to mitigate the vulnerability. Improper parsing results in a stack overflow, a condition in which more data is written to the call stack than the space reserved for it. An attacker may exploit the vulnerability by luring a user into viewing a specially crafted thumbnail image. The vulnerability affects Windows XP, Windows Vista, Windows Server 2003 and some versions of Windows Server 2008. It does not affect Windows Server 2008 for x64-based and Itanium-based systems, or Windows 7 for 32-bit and x64-based systems.


An attacker may send the malicious thumbnail image embedded in a Microsoft Word or PowerPoint file as an e-mail attachment. Such e-mails carry carefully crafted messages and appear to come from a legitimate source. When an unwary user opens the file to view or preview the thumbnail image, the attacker may execute arbitrary code. An attacker may also place the malicious thumbnail image on a network share and trick users into browsing to it by clicking a link in an instant message or e-mail. To achieve code execution, attackers rely on return-oriented programming.


Once the malicious code is executed, the attacker may gain control of the affected computer system. Through remote access to the computer, the attacker may issue commands and view, modify and delete files. The attacker may also create new user accounts. Successful exploitation of the vulnerability may therefore lead to an information security breach. Users should avoid clicking on suspicious links, avoid downloading untrusted files and avoid opening e-mails from unknown sources. Users logged on with administrative rights are at greater risk than those using standard user accounts. A data breach has financial, business, reputational and legal implications for organizations. Employee awareness, adherence to security advisories, periodic security evaluations through ethical hacking and security audits, and monitoring of traffic to databases holding privileged information may help organizations mitigate vulnerabilities and reduce attacks.


Press Contact
EC-Council
Website: http://www.eccouncil.org
Email: iclass@eccouncil.org
Tel: 505-341-3228

# # #

EC-Council is a member-based organization that certifies individuals in cybersecurity and e-commerce skills. It is the owner and developer of 16 security certifications, including Certified Ethical Hacker (CEH), Computer Hacking Forensic Investigator (CHFI) and EC-Council Certified Security Analyst (ECSA)/Licensed Penetration Tester (LPT). Its certification programs are offered in over 60 countries around the world.

EC-Council has trained over 80,000 individuals and certified more than 30,000 members through more than 450 training partners globally. These certifications are recognized worldwide and have received endorsements from various government agencies, including the U.S. federal government via the Montgomery GI Bill, the Department of Defense via DoD 8570.01-M, the National Security Agency (NSA) and the Committee on National Security Systems (CNSS). EC-Council also operates EC-Council University and the global series of Hacker Halted security conferences.
Tags: Computers, IT Security, Ethical Hacking, Information Security
Location: Albuquerque, New Mexico, United States