Microsoft offers quick fix for Zero-Day vulnerability

Confirming reports of limited attacks in South Asia and the Middle East, Microsoft released a security advisory on Tuesday warning of a new vulnerability targeting the TIFF image format.

[Internet Explorer Zero Day attackers linked to Bit9 hackers]

Microsoft issued an advisory and a stop-gap fix on Tuesday, for a new vulnerability that's targeting users in the Middle East and South Asia. Experts are urging IT administrators to deploy the Fix-It or EMET solutions, as it is unlikely that Microsoft will have a proper patch available for this month's round of updates.

The Zero-Day flaw resides in the TIFF image format, and has been used in what the software giant is calling limited attacks. According to their advisory, the vulnerability can be exploited to enable remote access to the victim's system, including code execution.

Microsoft Office 2003 and 2007 are affected, as well as 2010 on Windows XP and Server 2003. Moreover, Vista SP 2, Server 2008, and Microsoft Lync are vulnerable as well.

"Microsoft has provided a Fix-It that turns off TIFF rendering in the affected graphics library, which should have no impact if you are not working with TIFF format files on a regular basis. The listed software packages are not vulnerable under all conditions, so it is important that you take a look at your installed base and your possible exposure for the next couple of weeks into December," Qualys CTO, Wolfgang Kandek explained in an email to CSO.

According to Microsoft, the attacks against the flaw are being carried out against selectively, and requires user interaction. Thus, Phishing or other socually engineered attacks are likely to be the main phase of a given campaign. However, it is possible to exploit the flaw online, so malcious websites are a potential risk too.

If the Fix-It solution isn't an option, Microsoft reccomends that administrators install EMET and enable ROP mitigations, or others such as mandatory ASLR, EAF, or HeapSpray.

[70 percent of business users vulnerable to latest Internet Explorer Zero-Day]

"Given the close date of the next Patch Tuesday for November, we don't believe that we can count on a patch arriving in time, but will probably have to wait until December, which makes your planning for a work-around even more important," Kandek added.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags Microsoft

More about CSOMicrosoftQualys

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Steve Ragan

Latest Videos

More videos

Blog Posts