Microsoft said Friday that next week it will finally issue a patch for a vulnerability within its Microsoft Graphics (GDI+) component, one that is being actively targeted by attackers.
However, it will not patch a kernel vulnerability allowing an attacker to escalate privileges on Windows XP and Windows Server 2003. Instead, the company plans to address it in a future update, Microsoft said Friday. In all, the patches will be released on Dec. 10, at about 10 AM PT, Microsoft said.
The GDI+ vulnerability has been known for at least a month; Microsoft first published word of the problem in November, originally in this security bulletin. It affects the following software:
- All versions of Lync
- Windows Vista
- Windows Server 2008
- Office 2003 and 2007, regardless of operating system
- Office 2010, only if installed on Windows XP or Windows Server 2003
"If the attachment is opened or previewed, it attempts to exploit the vulnerability using a malformed graphics (TIFF) image embedded in the document," Microsoft says. "An attacker who successfully exploited the vulnerability could gain the same user rights as the logged on user."