A vulnerability has been discovered in Microsoft Direct2D that could allow remote code execution. Direct2D is a 2D and vector graphics application programming interface designed by Microsoft. This vulnerability can be exploited when a user views a specially crafted image file. Successful exploitation could allow an attacker to gain the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Microsoft Windows 7
- Microsoft Windows 8
- Microsoft Windows RT
- Microsoft Windows 2008 R2
- Microsoft Server 2012
A remote code execution vulnerability exists in the way that affected Windows components handle specially crafted 2D geometric figures. The vulnerability could allow remote code execution if a user views files containing such specially crafted figures using Internet Explorer. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.
- Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
- Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
- Remind users not to open email attachments from unknown users or suspicious emails from trusted sources.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack
https://technet.microsoft.com/en-us/security/bulletin/ms14-007
CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0263