Microsoft released a Security Advisory 2490606, which addresses a publicly disclosed vulnerability affecting Microsoft Windows Graphics Rendering Engine on Vista, Server 2003, and XP. “We’re not aware of any affected customers, nor of any active attacks targeting customers. The vulnerability doesn’t affect Windows 7 or Windows Server 2008 R2,” stated Microsoft.
“To target this vul, an attacker must convince a user to visit a specially crafted malicious Web page, or to open a malicious Word or PowerPoint file. Furthermore, users whose accounts are configured to have fewer user rights on the system would be less affected by an attack then those running with administrative rights. The Advisory includes further mitigations and workarounds to protect our customers.”
Meanwhile, we’re working to develop a security update to address this vul. The circumstances around the issue don’t currently meet the criteria for an out-of-band release; however, we’re monitoring the threat landscape very closely and if the situation changes, we’ll post updates,” added Microsoft.