Microsoft Zero-Day Spurs Calls for Software Upgrades
By Jennifer LeClaire / CIO Today. Updated November 06, 2013.
Targeted attacks are attempting to exploit a vulnerability in the Microsoft Graphics component, and it impacts Microsoft Windows, Microsoft Office, and Microsoft Lync. The company issued a security advisory on Tuesday to warn customers.
According to Redmond, the issue is a remote code execution vulnerability that exists in the way affected components handle specially crafted TIFF images. An attacker could exploit this vulnerability by convincing a user to preview or open a specially crafted e-mail message, open a specially crafted file, or browse specially crafted Web content.
What’s more, Microsoft explained, an attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If it’s any consolation, users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. But most of the news is bad.
Out-of-Band Patch Likely?
There is some good news, though. Microsoft is investigating the issue and vowed to take appropriate actions to protect customers, which may include rolling out a security update via its monthly release process or issuing an out-of-cycle security update. In more good news, the company said an attacker would have no way to force users to view the attacker-controlled content.
Qualys reports that the vulnerability is present in Microsoft Office 2003, 2007 and 2010 and in some of the older Windows operating systems, and that the currently observed attack vector is through Microsoft Word documents.
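Since the observed vector is Word documents carrying crafted TIFF images, a defender's first question is usually which documents in a mail spool or file share embed TIFF data at all. The following is an added example, not code from the article, Microsoft or Qualys: a small Python triage script that opens a .docx archive and lists the members under word/media/ whose bytes begin with a TIFF header, identifying the content by magic bytes rather than by file extension. It covers only the zip-based Office Open XML format of Office 2007 and later, not the binary .doc files of Office 2003, and flagging a TIFF says nothing about whether that image is malformed; it simply finds the documents worth closer inspection while TIFF rendering is switched off. The sample archives are constructed inside the script.

```python
"""Triage helper: flag Office Open XML (.docx) documents that embed TIFF images.

Added example, not part of the original article. A .docx file is a zip archive;
embedded pictures live under word/media/. The check is on content (magic bytes),
not on file extension, so a TIFF renamed to .jpg or .png is still reported.
"""
import io
import zipfile

# TIFF magic numbers: little-endian "II*\0" and big-endian "MM\0*".
TIFF_MAGIC = (b"II*\x00", b"MM\x00*")


def is_tiff(data: bytes) -> bool:
    """Return True if the byte string starts with a TIFF header."""
    return data[:4] in TIFF_MAGIC


def find_embedded_tiffs(docx_bytes: bytes) -> list[str]:
    """Return the names of word/media/ members whose content starts with a TIFF header."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith("word/media/"):
                continue
            with zf.open(name) as member:
                head = member.read(4)  # only the header is needed for the check
            if is_tiff(head):
                found.append(name)
    return found


def build_sample_docx(media: dict[str, bytes]) -> bytes:
    """Constructed minimal .docx-like archive for demonstration (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        for name, data in media.items():
            zf.writestr(f"word/media/{name}", data)
    return buf.getvalue()


# Constructed samples: one with a PNG only, one that also carries a TIFF header
# behind a misleading .jpg extension.
PNG_HEADER = b"\x89PNG\r\n\x1a\n"
CLEAN_DOCX = build_sample_docx({"image1.png": PNG_HEADER + b"\x00" * 16})
FLAGGED_DOCX = build_sample_docx({
    "image1.png": PNG_HEADER + b"\x00" * 16,
    "image2.jpg": b"II*\x00" + b"\x00" * 16,  # TIFF header, wrong extension
})

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_DOCX), ("flagged", FLAGGED_DOCX)):
        print(label, find_embedded_tiffs(doc))
```

Pointing find_embedded_tiffs at real files from a share gives a list of documents to hold or inspect; an empty list means no embedded TIFF was found, not that the document is safe, since the same graphics library is also reached through e-mail preview and Web content, as the advisory notes.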
“Microsoft has provided a Fix It that turns off TIFF rendering in the affected graphics library, which should have no impact if you are not working with TIFF format files on a regular basis,” Wolfgang Kandek, Qualys CTO, told us. “Given the close date of the next Patch Tuesday for November, we don't believe that we can count on a patch arriving in time, but will probably have to wait until December, which makes your planning for a work-around even more important.”
Fix It May Not Work for You
Tyler Reguly, technical manager of security research and development at Tripwire, told us the Microsoft Fix It may not be viable for a lot of people. That’s because TIFF is a popular format, and many people may not be able to accomplish their daily work if their computers no longer render TIFF images.
“Web developers, graphic designers, and those in marketing are just a few examples of people that may be greatly hindered by applying the Fix It,” he said. “It puts people in the difficult situation of preventing a new vulnerability or doing their job. Enterprises that work heavily with graphics may have a difficult time justifying the deployment of this fix.”
Reguly’s conclusion: This latest zero-day is just another example of why people need to update to newer software versions more frequently.
“Microsoft needs to become more aggressive with their end-of-life policies,” Reguly said. “Users should not still be running Office 2003, Office 2007, Windows XP, and Windows Server 2003. If you removed that software, this zero-day would not exist. If it's older than five years old, it's probably time to end support.”