Microsoft Security: First Windows Vulnerability, First Scam Attempt
Article by George Norman
On 05 Jan 2011
Redmond-based software giant Microsoft has made public details on the first Windows vulnerability for 2011 (see Security Advisory 2490606). According to Microsoft, there’s a vulnerability that plagues the Windows Graphics Rendering Engine that could lead to remote code execution. The vulnerability affects Windows XP, Vista, Server 2003, and Server 2008. It does not affect the latest iteration, Windows 7, though, nor does it affect Windows Server 2008 R2.

The vulnerability could be used by someone with malicious intent to inject and execute arbitrary code; the attacker could take control of a targeted machine if the user is logged on with administrative rights. To exploit the vulnerability that someone with malicious intent would have to send an e-mail with an attached Microsoft Word or PowerPoint file containing a specially crafted thumbnail image and convince the recipient to open it.


The problem is that the Windows Graphics Rendering Engine improperly parses a specially crafted thumbnail image, resulting in a stack overflow. It’s a problem that could allow the attacker to install programs, view, change, or delete data, or create new accounts with full user rights.

Exploit code for this vulnerability is already available – which is bad. Microsoft said that it is not aware of attacks that try to use the reported vulnerability or of customer impact at this time – which his good.

The bottom line is that you must be weary of emails asking you to view an image, click on an image, or download an image – especially unsolicited emails that ask you to check out some image. And speaking of unsolicited emails, there’s a scam making the rounds on the internet asking users to update their operating system. Sophos, company that specializes in providing antivirus, anti-spam, spyware removal software, network and internet security, has detected spam messages that invite users to update their Windows operating system, spam messages that contain an attached file called That attachment is nothing but a worm.

“Cybercriminals are up to their old tricks, spreading malware under the disguise of a critical security patch from Microsoft,” commented Senior Technology Consultant with Sophos, Graham Cluley. “In the current example, they've spammed out an email containing a worm, which even quotes the real name of a senior member of Microsoft's security team - Steve Lipner - to try to fool you into believing it is genuine. Of course, Mr Lipner has nothing to do with the emails and Microsoft never distributes security updates via email attachments.”

Tags: Microsoft, Security, Windows, Spam, Scam
About the author: George Norman
George is a news editor.
You can follow him on Google+, Facebook or Twitter

I Hope you LIKE this blog post! Thank you!
What do YOU have to say about this
blog comments powered by Disqus
Popular News
By George Norman on 17 Aug 2017
With the blockbuster movie season upon us, Sony decided to celebrate the occasion with a sale: the Attack of the Blockbusters Sale that offers discounts of up to 50% (60% if you’re a PlayStation Plus member) on a ton of PS4 video games.
By George Norman on 17 Aug 2017
Samsung’s new T5 portable solid-state drive (PSSD) uses the latest 64-layer V-NAND technology, offers between 250GB and 2TB of storage capacity, has a lightweight and shock-resistant design that’s smaller than the average business card, and delivers industry-leading transfer speeds of up to 540 MB/s.
Related News
Sponsored Links
Hot Software Updates
Top Downloads
Become A Fan!
Link To Us!
Microsoft Security: First Windows Vulnerability, First Scam Attempt
HTML Linking Code