Microsoft warns a security vulnerability in the Windows Graphics Rendering Engine could be abused to execute malicious code. Windows 7 and Windows Server 2008 R2 are not affected by the bug.
The company said that it's not aware of attacks leveraging this vulnerability. Affected systems include Vista, Server 2003, and Windows XP, but not Windows 7 or Windows Server 2008 R2.
SANS Internet Storm center handler and security researcher Johannes Ullrich observes that the vulnerability could be exploited through malicious thumbnail images attached to Office documents and sent via e-mail or over a network. He says there's no patch available but there are steps that can be taken to mitigate the risk by preventing the rendering of thumbnail images.