A vulnerability in the Canonical Display Driver (cdd.dll) in 64-bit versions of Windows 7, Windows Server 2008 R2 and Windows Server 2008 R2 for Itanium-based Systems could allow remote code execution.
“The Windows Canonical Display Driver does not properly parse information copied from user mode to kernel mode,” states Microsoft in a security advisory published yesterday. “In most scenarios, an attacker who successfully exploited this vulnerability could cause the affected system to stop responding and automatically restart. It is also theoretically possible, but unlikely due to memory randomization, that an attacker who successfully exploited this vulnerability could run arbitrary code. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
To take advantage of the vulnerability, attackers would have to trick the user into viewing a “specially crafted image file with an affected application”, most likely hosted on a malicious Web site. To do that, they would likely rely on social engineering, such as an email or IM message that contains the malicious link, purports to come from one of the user’s friends, and claims to link to a curious/funny image, video or test.
Microsoft has offered a workaround to help block known attack vectors until a patch for the flaw is issued and applied: disabling the Windows Aero Theme (Start > Control Panel > Appearance and Personalization > Change the Theme > select one of the available Basic and High Contrast Themes). It is not yet known when a patch will be issued.
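As an added example (not from this article or from Microsoft's advisory), a PowerShell check that reports whether a host is one of the affected 64-bit Windows 7 / Server 2008 R2 builds and whether Aero desktop composition is still switched on. It assumes that the Basic and High Contrast themes run with DWM composition disabled, so a FALSE result from DwmIsCompositionEnabled indicates the workaround is in effect; the function name Test-CddWorkaround is made up for this example.

```powershell
# Added example: audit the cdd.dll workaround (disable Aero) on the local host.
# Written for PowerShell 2.0, which is what Windows 7 / Server 2008 R2 ship with.
Add-Type -Namespace Win32 -Name Dwm -MemberDefinition @"
[DllImport("dwmapi.dll")]
public static extern int DwmIsCompositionEnabled(out bool enabled);
"@

function Test-CddWorkaround {
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # Windows 7 and Windows Server 2008 R2 both report kernel version 6.1;
    # only their 64-bit editions are listed as affected.
    $affectedVersion = $os.Version -like '6.1.*'
    $is64            = $os.OSArchitecture -eq '64-bit'
    $affected        = $affectedVersion -and $is64

    # Assumption: Aero themes run with DWM composition on, Basic and High
    # Contrast themes run with it off, so this mirrors the advisory's workaround.
    $composition = $false
    $hr = [Win32.Dwm]::DwmIsCompositionEnabled([ref]$composition)
    if ($hr -ne 0) {
        Write-Warning ("DwmIsCompositionEnabled failed, HRESULT 0x{0:X8}" -f $hr)
    }

    New-Object PSObject -Property @{
        ComputerName       = $env:COMPUTERNAME
        OSVersion          = $os.Version
        Architecture       = $os.OSArchitecture
        AffectedPlatform   = $affected
        AeroCompositionOn  = $composition
        # True only when the host is affected AND composition is already off.
        WorkaroundInEffect = ($affected -and -not $composition)
    }
}

Test-CddWorkaround | Format-List
```

Run it with a remoting wrapper such as Invoke-Command to collect the same object from every host and list those where AffectedPlatform is True but WorkaroundInEffect is False.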