Microsoft offers quick fix for Zero-Day vulnerability

Company issues stop-gap patch for vulnerability targeting TIFF image format

Confirming reports of limited attacks in South Asia and the Middle East, Microsoft released a security advisory on Tuesday warning of a new vulnerability targeting the TIFF image format.

[Internet Explorer Zero Day attackers linked to Bit9 hackers]

Microsoft issued an advisory and a stop-gap fix on Tuesday, for a new vulnerability that's targeting users in the Middle East and South Asia. Experts are urging IT administrators to deploy the Fix-It or EMET solutions, as it is unlikely that Microsoft will have a proper patch available for this month's round of updates.

The Zero-Day flaw resides in the TIFF image format, and has been used in what the software giant is calling limited attacks. According to their advisory, the vulnerability can be exploited to enable remote access to the victim's system, including code execution.

Microsoft Office 2003 and 2007 are affected, as well as 2010 on Windows XP and Server 2003. Moreover, Vista SP 2, Server 2008, and Microsoft Lync are vulnerable as well.

"Microsoft has provided a Fix-It that turns off TIFF rendering in the affected graphics library, which should have no impact if you are not working with TIFF format files on a regular basis. The listed software packages are not vulnerable under all conditions, so it is important that you take a look at your installed base and your possible exposure for the next couple of weeks into December," Qualys CTO, Wolfgang Kandek explained in an email to CSO.

According to Microsoft, the attacks against the flaw are being carried out against selectively, and requires user interaction. Thus, Phishing or other socually engineered attacks are likely to be the main phase of a given campaign. However, it is possible to exploit the flaw online, so malcious websites are a potential risk too.

If the Fix-It solution isn't an option, Microsoft reccomends that administrators install EMET and enable ROP mitigations, or others such as mandatory ASLR, EAF, or HeapSpray.

[70 percent of business users vulnerable to latest Internet Explorer Zero-Day]

"Given the close date of the next Patch Tuesday for November, we don't believe that we can count on a patch arriving in time, but will probably have to wait until December, which makes your planning for a work-around even more important," Kandek added.

The full advisory is available here.

Copyright © 2013 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.