Microsoft warned today of a Windows vulnerability that could allow an attacker to take control of a computer if the user is logged on with administrative rights.
To be successful, an attacker would have to send an e-mail with an attached Microsoft Word or PowerPoint file containing a specially crafted thumbnail image and convince the recipient to open it, Microsoft said in its advisory, which also contains information on workarounds.
An attacker also could place the malicious image file on a network share and potential victims would have to browse to the location in Windows Explorer.
The flaw, which is in the Windows Graphics Rendering Engine, could allow an attacker to run arbitrary code in the security context of the logged-on user, meaning that accounts that are configured to have fewer user rights would be affected less.
The vulnerability affects Windows XP Service Pack 3, XP Professional x64 Edition Service Pack 2, Server 2003 Service Pack 2, Server 2003 x64 Edition Service Pack 2, Server 2003 with SP2 for Itanium-based systems, Vista Service Pack 1 and Service Pack 2, Vista x64 Edition Service Pack 1 and Service Pack 2, Server 2008 for 32-bit, 64-bit, and Itanium-based systems and Service Pack 2 for each.
Microsoft said it is not aware of attacks exploiting the vulnerability or of any impact on customers at this time. The company is working on a fix but did not indicate when it would be available.