Microsoft is investigating a new remote code execution vulnerability in Windows Vista, Windows Server 2008, Office 2003, Office 2007, Office 2010, and all supported versions of Microsoft Lync that is currently being exploited. The company has issued a security advisory because it has confirmed reports that the flaw is being exploited as part of targeted attacks “largely in the Middle East and South Asia.”
The good news is that current versions of Windows (including Windows 7 and Windows 8) as well as Office (Microsoft Office 2013 and Office 365) are not affected by this issue. Furthermore, the exploit requires user interaction: the attack is disguised as an email asking potential targets to open a specially crafted Word attachment (although Microsoft does say that attackers can create websites that take advantage of the security hole as well).
If the malicious attachment is opened or previewed, it attempts to exploit the vulnerability using a malformed TIFF image embedded in the document. An attacker who successfully manages to exploit the vulnerability could gain the same user rights as the logged-on user, making remote code execution possible.
Here are the details Microsoft is sharing about the flaw:
The vulnerability is a remote code execution vulnerability that exists in the way affected components handle specially crafted TIFF images. An attacker could exploit this vulnerability by convincing a user to preview or open a specially crafted email message, open a specially crafted file, or browse specially crafted web content. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
While we wait for a patch, which Microsoft has not provided a date for (December’s Patch Tuesday is likely, but it could come sooner as well), the company is offering the following workarounds and mitigations:
- Apply the Microsoft Fix it solution, “Disable the TIFF Codec,” which prevents exploitation of the issue.
- Deploy the Enhanced Mitigation Experience Toolkit (EMET) and prevent exploitation by providing mitigations to protect against the issue.
Microsoft also reminded its customers to enable a firewall, apply all software updates, and install anti-virus and anti-spyware software. Last but not least, exercise caution when visiting websites and avoid clicking suspicious links or opening email messages from unfamiliar senders.