Microsoft today warned Windows users about a previously unknown security vulnerability that could allow attackers to install malware simply by getting users to view a malicious image in a Web browser or document.
Microsoft said in a security advisory that the problem stems from a bug in the Windows Graphics Rendering Engine on Vista, Server 2003, and Windows XP. The software giant said that it is working on a patch for the flaw, but that it isn’t aware of any active attacks exploiting the security hole…yet.
Microsoft has made available a “FixIt” tool to blunt the threat of attacks against the flaw until the company can issue a proper patch. To apply this fix, visit this link and click the “Fix it” icon in the box under the “Enable” heading. If for some reason the Fix it tool doesn’t play nice with your system, you can always reverse the change by re-visiting that page and clicking the icon under the “Disable” heading.
Microsoft released a record number of security updates last year, and at the rate that new Windows flaws are being discovered and disclosed, the company is likely to set new records again in 2011. Over the weekend, security researcher Michal Zalewski, a Google employee, released details about a previously unreported flaw in Internet Explorer. Zalewski said he released the information after learning that details of the flaw had accidentally been indexed by Google’s search bots, and subsequently downloaded by someone using a Chinese Internet address.
Patch Tuesday is next week, and it will be interesting to see whether Microsoft addresses another outstanding vulnerability in IE: Two days before Christmas, Microsoft warned that hackers were likely to begin exploiting a flaw present in all versions of IE, using a widely publicized method of attack that evades two of the key security defenses built into Windows 7 and Windows Vista.
Update, Jan. 5, 5:45 p.m. ET: Added a link to the Fix It tool.