Microsoft warns of 64-bit Windows 7 hole
Windows 7 customers are advised to disable the Windows Aero interface to mitigate an attack. Some image-viewing applications may be affected, the company says.
Microsoft is working on a patch to fix a hole in a 64-bit Windows 7 graphics display component that could be exploited to crash the system or potentially take control of the computer by running code remotely.
The company is investigating a new publicly reported vulnerability in the Windows Canonical Display Driver (cdd.dll) that affects 64-bit versions of Windows 7 and Windows Server 2008 R2, and Itanium-based Windows Server 2008 R2. The driver enables applications to use graphics and formatted text on the video display and printer.
Microsoft is working on a security update to address the vulnerability and will release it once testing is complete, a Microsoft representative said.
In the meantime, users can prevent anyone from exploiting the hole by disabling Windows Aero, which is a desktop experience available for the Home Premium, Professional, Ultimate, or Enterprise editions of Windows 7. The flaw affects only systems running Windows Aero, which is disabled by default on Windows Server 2008 R2. Information on the work-around is available in the security advisory issued on Tuesday.
"Although it is possible that the vulnerability could allow code execution, successful code execution is unlikely, due to memory randomization. In most scenarios, it is much more likely that an attacker who successfully exploited this vulnerability could cause the affected system to stop responding and automatically restart," the advisory said. "We are not aware of attacks that try to use the reported vulnerability or of customer impact at this time."
Some third-party image-viewing applications may be affected by this issue, if they use the application-programming interfaces for the Windows graphics device interface (GDI) to render images, the company said.
An attacker could exploit the hole by sending a victim a malicious image file with an affected application or by luring the victim to visit a Web site hosting a malicious image file via an e-mail or instant message.
Security firm Secunia rates the vulnerability as "less critical," one level above the lowest rating of "not critical."