New Windows Exploit Opens Door to Total System Takeover
Microsoft has confirmed that a zero-day vulnerability exists in Windows XP and Vista, as well as Server 2003 and Server 2008. The bug, which first emerged in mid-December 2010, has evolved since the exploit was posted publicly.
The bug was first discussed on December 15 at a security conference in South Korea. Since no one had yet exploited the vulnerability, there was no significant cause for concern. That's changed now that researcher Joshua Drake has released an exploit module via the open-source penetration testing project Metasploit.
Exploit Opens Door to Total System Takeover
Metasploit has stated that the exploit can be used to compromise virtually any Windows PC. Hackers could then install malware that ransacks the system and extracts critical personal data, including addresses, phone numbers, and credit card information.
Reports also suggest a hacker could use the exploit to create a new Windows user account for themselves on the host PC, cutting off a system's rightful owner. (Source: crn.com)
Windows Flaw Infects Windows Thumbnails
The flaw is related to the way Windows' graphics rendering engine handles thumbnail images. It can be exploited if a targeted user views folders containing specially designed and malicious thumbnails via Windows Explorer.
"Attackers could feed users malicious PowerPoint or Word documents containing a malformed thumbnail, then exploit their PCs if the document was opened or even previewed. Alternately, hackers could hijack machines by convincing users to view a rigged thumbnail on a network shared folder or drive, or in an online WebDAV file-sharing folder," said Microsoft. (Source: computerworld.com)
Windows 7, Server 2008 R2 Not Affected
In response to the threat, Microsoft has issued a security advisory noting the affected operating systems. Windows XP, Server 2003 / 2008, and Vista are all affected by the exploit. Windows 7 and Windows Server 2008 R2 are not affected.
"This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system," Microsoft said in the advisory. (Source: computerworld.com)
The Redmond-based firm also noted that it does not currently plan to release an "out-of-band" (or unscheduled) emergency patch for the flaw. Although an exploit method now exists and is publicly available, Microsoft still cites the fact that no one has yet used it for an attack.
The issue marks a troubling start to the new year for Microsoft. "With Microsoft just closing the door on its largest patch year yet, 2011 is not starting out in a positive direction," noted Andrew Storms, of nCircle Security.