Microsoft warns users of Windows 7 Aero vulnerability

Summary: A vulnerability in the Windows 7 graphics driver could be leveraged by hackers to affect system stability and security.

The vulnerability is present in the Windows 7 (and Windows Server 2008 R2) Canonical Display Driver (cdd.dll) for 64-bit systems.

The Canonical Display Driver is used by desktop composition to blend the Windows Graphics Device Interface (GDI) and DirectX drawing. The vulnerability affects Windows 7 x64, Windows Server 2008 R2 x64, and Windows Server 2008 R2 for Itanium systems. If exploited, it would likely cause the affected system to stop responding and restart. Code execution, while possible in theory, would be very difficult due to memory randomization both in kernel memory and via Address Space Layout Randomization (ASLR). Additionally, this vulnerability only affects Windows systems if they have the Aero theme installed; Aero is not switched on by default in Windows Server 2008 R2, nor does 2008 R2 include Aero-capable graphics drivers by default.

Microsoft is rating this vulnerability as a 3 (on a scale of 1 to 3, where 1 means that consistent exploit code is likely and 3 indicates that functioning exploit code is unlikely) and believes that the defense-in-depth mechanisms in the OS mean that a patch will be released before hackers find a way to exploit the flaw.

Vulnerabilities are a dynamic thing, and the rating could change between now and a patch being released. After all, security experts have previously shown how Windows' ASLR can be bypassed, so defense in depth might only offer temporary protection. If you're worried about this vulnerability, Microsoft recommends that you disable Aero until a fix is released.

To disable Aero, click Start > Control Panel, then click on Appearance and Personalization. Under Presentation, click Change the Theme and select one of the Basic and High Contrast Themes on offer.
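To find out which machines actually meet the conditions described above (Windows 7 or Server 2008 R2, x64 or Itanium, Aero composition switched on), the following PowerShell check can be run in the logged-on user's session. It is an added example, not code from this article or from Microsoft; the function name `Test-CddExposure` and the `Native.Dwm` wrapper type are hypothetical names chosen here, and the check relies on the documented `DwmIsCompositionEnabled` API in dwmapi.dll.

```powershell
# Added example. Run inside the interactive user session: desktop composition
# state is per session, so a service or remote session can report "off".
function Test-CddExposure {
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # Windows 7 and Windows Server 2008 R2 both report version 6.1.x.
    $affectedOs = $os.Version -like '6.1.*'

    # A 32-bit PowerShell on a 64-bit OS sees "x86" in PROCESSOR_ARCHITECTURE,
    # so prefer the WOW64 variable when it is set.
    $arch = $env:PROCESSOR_ARCHITEW6432
    if (-not $arch) { $arch = $env:PROCESSOR_ARCHITECTURE }
    $affectedArch = @('AMD64', 'IA64') -contains $arch

    # Ask the Desktop Window Manager whether composition (Aero) is active.
    $composition = $false
    try {
        if (-not ('Native.Dwm' -as [type])) {
            Add-Type -Namespace Native -Name Dwm -MemberDefinition @'
[DllImport("dwmapi.dll")]
public static extern int DwmIsCompositionEnabled(out bool enabled);
'@
        }
        $enabled = $false
        # A return value of 0 (S_OK) means $enabled holds a valid answer.
        if ([Native.Dwm]::DwmIsCompositionEnabled([ref]$enabled) -eq 0) {
            $composition = $enabled
        }
    } catch {
        # If dwmapi.dll cannot be loaded, treat composition as off.
        $composition = $false
    }

    New-Object PSObject -Property @{
        Computer          = $env:COMPUTERNAME
        OsVersion         = $os.Version
        Architecture      = $arch
        AeroCompositionOn = $composition
        Exposed           = ($affectedOs -and $affectedArch -and $composition)
    }
}

Test-CddExposure | Format-List
```

After switching to a Basic or High Contrast theme, rerunning the check should report `AeroCompositionOn` and `Exposed` as `False`.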

Topics: Windows, Microsoft, Operating Systems, Security, Software

About

Adrian Kingsley-Hughes is an internationally published technology author who has devoted over a decade to helping users get the most from technology -- whether that be by learning to program, building a PC from a pile of parts, or helping them get the most from their new MP3 player or digital camera. Adrian has authored/co-authored technic...
