Microsoft warns of zero-day attack, graphics vulnerability exploited through Word

Microsoft issued a Fix-it for the newest zero-day attacks using malicious TIFF images; 'vulnerable scenarios are Office 2003 and Office 2007 on all platforms; Office 2010 on XP and Server 2003 only; and all supported versions of Lync.'

Do you still have images enabled in Outlook? If so, then right now is a great time to disable pictures since there's a new Microsoft zero-day vulnerability.

The newest exploit combines multiple techniques to bypass DEP [data execution prevention] and ASLR [address space layout randomization] protections. The graphics vulnerability exploited through Word, according to Microsoft, deals with the way TIFF image files are handled; when exploited, it allows code hidden in an image to run. The security advisory warns the attack affects Office 2003, 2007, 2010, Windows Server 2008, Microsoft Lync as well as Windows Vista. If you're still using Windows Vista, then I don't know what to say other than so sorry and it sucks to be you. Luckily, Microsoft issued a temporary work-around "Fix-It" tool.

Although Dustin Childs, group manager of response communications for Microsoft Trustworthy Computing, reported, "We are aware of targeted attacks, largely in the Middle East and South Asia," Security Advisory 2896666, which covers CVE-2013-3906, makes it sound more dire. It states:

Microsoft is investigating private reports of a vulnerability in the Microsoft Graphics component that affects Microsoft Windows, Microsoft Office, and Microsoft Lync. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability in Microsoft Office products.

The vulnerability is a remote code execution vulnerability that exists in the way affected components handle specially crafted TIFF images. An attacker could exploit this vulnerability by convincing a user to preview or open a specially crafted email message, open a specially crafted file, or browse specially crafted web content. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Yet as Childs noted, the flaw cannot be exploited on its own. "The exploit requires user interaction as the attack is disguised as an email requesting potential targets to open a specially crafted Word attachment. If the attachment is opened or previewed, it attempts to exploit the vulnerability using a malformed graphics image embedded in the document. An attacker who successfully exploited the vulnerability could gain the same user rights as the logged on user."

There have been varying reports of which Microsoft products are vulnerable this time: the advisory lists one set, while a McAfee security researcher said last Thursday "that both Windows XP and Windows 7 could also be exploited through malicious Office files." Since older platforms are vulnerable, Microsoft took the opportunity to remind users to stop clinging to XP. "This is another example that demonstrates the benefits of running recent versions of software in terms of security improvements (consider also that Windows XP support will end in April 2014)."

Today, a Microsoft spokesperson clarified, "The vulnerable scenarios are: Office 2003 and Office 2007 on all platforms; Office 2010 on XP and Server 2003 only; and all supported versions of Lync."

McAfee Labs says it detected and confirmed the zero-day attack, and then warned Microsoft Security Response Center. After showing a zero-day exploit sample, McAfee noted:

that this heap-spraying in Office via ActiveX objects is a new exploitation trick which we didn't see before; previously, attackers usually chose Flash Player to spray memory in Office. We would believe the new trick was developed under the background that Adobe introduced a click-to-play feature in Flash Player months ago, which basically killed the old one. This is another proof that attacking techniques always try to evolve when old ones don't work anymore.
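The two ingredients described above (a malformed TIFF embedded in a Word document, plus ActiveX objects used to spray the heap) are both visible as parts inside an OOXML .docx package, so a defender can triage attachments for that combination before they reach a user. The following script is an added example, not code from Microsoft, McAfee or the original article; it only applies to .docx (zip) files, not legacy binary .doc, and the sample document it builds is constructed here for demonstration.

```python
import io
import zipfile

# TIFF files begin with a byte-order mark and magic number: "II*\0" (little-endian) or "MM\0*" (big-endian).
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")


def triage_docx(data: bytes) -> dict:
    """Inspect a .docx package and report the two exploit ingredients described in the article:
    image parts that carry a TIFF header (whatever their file extension says) and the number of
    embedded ActiveX control parts. This is a triage heuristic, not a parser for the malformed TIFF."""
    findings = {"tiff_parts": [], "activex_parts": 0, "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            lower = name.lower()
            if lower.startswith("word/activex/") and lower.endswith(".bin"):
                # Each embedded ActiveX control is stored as word/activeX/activeXN.bin plus an .xml part.
                findings["activex_parts"] += 1
            elif lower.startswith("word/media/"):
                # Check the bytes, not the extension: an attacker can name a TIFF "image1.jpg".
                with z.open(name) as part:
                    if part.read(4) in TIFF_MAGICS:
                        findings["tiff_parts"].append(name)
    # A TIFF image together with ActiveX controls matches the pattern described; flag for analyst review.
    findings["suspicious"] = bool(findings["tiff_parts"]) and findings["activex_parts"] > 0
    return findings


def build_sample_docx(tiff_media: int, activex: int) -> bytes:
    """Construct a minimal zip shaped like a .docx (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        for i in range(tiff_media):
            # Little-endian TIFF header with a misleading .jpg extension, followed by padding.
            z.writestr(f"word/media/image{i + 1}.jpg", b"II*\x00" + b"\x00" * 12)
        for i in range(activex):
            z.writestr(f"word/activeX/activeX{i + 1}.bin", b"\x00" * 16)
            z.writestr(f"word/activeX/activeX{i + 1}.xml", "<ax:ocx/>")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_docx(build_sample_docx(tiff_media=1, activex=3)))
```

On a mail gateway the same check can be run on every .docx attachment, with the ActiveX count logged so that documents carrying dozens of controls stand out.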

Microsoft issued a "Fix-It" tool and suggested mitigations starting with installing EMET (Enhanced Mitigation Experience Toolkit).

Wolfgang Kandek, CTO of Qualys, advised applying the Fix-It sooner rather than later:

Microsoft has provided a Fix-It that turns off TIFF rendering in the affected graphics library, which should have no impact if you are not working with TIFF format files on a regular basis. The listed software packages are not vulnerable under all conditions, so it is important that you take a look at your installed base and your possible exposure for the next couple of weeks into December. Given the close date of the next Patch Tuesday for November, we don't believe that we can count on a patch arriving in time; we will probably have to wait until December, which makes your planning for a work-around even more important.

Copyright © 2013 IDG Communications, Inc.