Possibly the most critical Windows vulnerability of the year!
http://secunia.com/advisories/16004/
If you use Windows, stop what you are doing, and install the appropriate patch from that page, or just head over to Windows Update.
This vulnerability is in the Windows code that processes color management information embedded into images and allows a specially crafted image to execute arbitrary code. Any application that displays images is potentially vulnerable to this attack. This includes email clients, web browsers, etc.
According to Microsoft: "An attacker could try to exploit the vulnerability by creating a specially crafted malicious image and persuading a user to view the image by viewing a local file, by previewing an e-mail message containing the malicious image, or by opening an e-mail attachment that contains a malicious image. These actions could then cause the affected system to execute code."
Given that most mail clients display images inline without prompting, "Persuaded" in the above statement means little more than sending the user an unsolicited email.
Microsoft also says that the vulnerability is reportedly already being exploited.
Microsoft also released a Microsoft Word bulletin today. This one allows a malicious Word document to execute arbitrary code. See that one and the relevant patch info here:
http://secunia.com/advisories/15998/
If you use Windows, stop what you are doing, and install the appropriate patch from that page, or just head over to Windows Update.
This vulnerability is in the Windows code that processes color management information embedded into images and allows a specially crafted image to execute arbitrary code. Any application that displays images is potentially vulnerable to this attack. This includes email clients, web browsers, etc.
According to Microsoft: "An attacker could try to exploit the vulnerability by creating a specially crafted malicious image and persuading a user to view the image by viewing a local file, by previewing an e-mail message containing the malicious image, or by opening an e-mail attachment that contains a malicious image. These actions could then cause the affected system to execute code."
Given that most mail clients display images inline without prompting, "Persuaded" in the above statement means little more than sending the user an unsolicited email.
Microsoft also says that the vulnerability is reportedly already being exploited.
Microsoft also released a Microsoft Word bulletin today. This one allows a malicious Word document to execute arbitrary code. See that one and the relevant patch info here:
http://secunia.com/advisories/15998/