Microsoft released an advisory today warning users about a new zero-day under attack in targeted campaigns occurring in the Middle East and South Asia.
According to Microsoft, the vulnerability resides in the Microsoft Graphics component and impacts certain versions of Windows, Microsoft Office and Lync. The problem exists in the way specially-crafted TIFF images are handled. To exploit the vulnerability, an attacker would have to convince a user to preview or open a specially-crafted email message, open a malicious file or browse malicious Web content.
If exploited successfully, the vulnerability can be used to remotely execute code.
“The exploit requires user interaction as the attack is disguised as an email requesting potential targets to open a specially crafted Word attachment,” blogged Dustin Childs, group manager of response communications for Microsoft Trustworthy Computing. “If the attachment is opened or previewed, it attempts to exploit the vulnerability using a malformed graphics image embedded in the document. An attacker who successfully exploited the vulnerability could gain the same user rights as the logged on user.”
The vulnerability affects Office 2003, 2007 and 2010 as well as Windows Server 2008 and Windows Vista. Right now, Microsoft Word documents are the current vector for attack.
“Microsoft has provided a Fix-It that turns off TIFF rendering in the affected graphics library, which should have no impact if you are not working with TIFF format files on a regular basis,” blogged Wolfgang Kandek, CTO of Qualys. “The listed software packages are not vulnerable under all conditions, so it is important that you take a look at your installed base and your possible exposure for the next couple of weeks into December.”
Organizations can also disable on their own by changing the registry entries to control what images are parsed and rendered and what images are rejected in GDI+, the graphics device interface.
“Given the close date of the next Patch Tuesday for November, we don’t believe that we can count on a patch arriving in time, but will probably have to wait until December, which makes your planning for a work-around even more important,” Kandek blogged.
Related Podcast: Jerry Bryant on the Microsoft MAPP Expansion
Related Reading: Microsoft to Share Vulnerability Data with Incident Responders
Related Reading: DHS to Share Zero-Day Intelligence
Related Podcast: Vupen CEO Chaouki Bekrar Addresses Zero Day Marketplace Controversy