On Tuesday, Microsoft confirmed the existence of a vulnerability present in several versions of the Windows operating system. If exploited, the glitch could leave users’ computers open to being fully controlled by an outside attacker.
The exploit, first reported on December 15 at a security conference in South Korea, takes advantage of the way Windows’ graphics rendering engine processes certain thumbnail images. The booby-trapped images could be placed in an Office document, a website, or an e-mail.
“An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the logged-on user,” Microsoft said in a statement. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
If that sounds positively frightening, you may be comforted to hear that so far the vulnerability seems to be strictly theoretical – there are no known reports of an attack taking place in the wild.
The two most recent versions of Windows — Windows 7 and Windows Server 2008 R2 — are reportedly not susceptible to the bug. Microsoft suggests that concerned users of other Windows versions mitigate the risk of an attack by running as limited users, not as users with full administrative privileges.
Microsoft says that it is currently investigating the bug and may address the problem in a future security update.