The Windows Graphics Rendering Engine in Windows Vista, Windows Server 2003 and Windows XP has a security vulnerability and the company is developing an update to address the problem, Microsoft said Tuesday.
Microsoft issued a security advisory that said an attacker could use the vulnerability for remote code execution and install programs; view, change or delete data; or create new accounts with full user rights.
Microsoft said it is not aware of any attacks relating to the vulnerability. The advisory provides mitigations and workarounds for the problem.
In addition to developing a "comprehensive security update" to address the problem, Microsoft said it's "monitoring the threat landscape and working with partners through the Microsoft Active Protections Program to take action against malicious sites that may attempt to exploit this vulnerability."
Microsoft said the vulnerability does not affect Windows 7 and Windows Server 2008 R2, the most recent releases of the Windows operating system.
Microsoft will make the updates available on the MSRC blog (http://blogs.technet.com/b/msrc/) and through the @MSFTSecResponse Twitter handle. The update may be included in the monthly release process or through an out-of-cycle security update, depending on customer needs, according to the advisory.
