Microsoft is warning about ongoing zero-day attacks that use a graphics handling vulnerability to target Microsoft Office users running Windows Vista and Windows Server 2008.
The attacks, which exploit an unpatched flaw in the way Windows handles TIFF graphics files, has been detected in malicious Microsoft Word documents. A successful infection can give an attacker complete control over a system, Microsoft said. The software giant issued an automated patch that disables the rendering of TIFF files while engineers develop a permanent fix.
"The exploit requires user interaction as the attack is disguised as an email requesting potential targets to open a specially crafted Word attachment," Dustin Childs, group manager for Response Communications at Microsoft, wrote in a post on the Microsoft Security Response Center blog. "If the attachment is opened or previewed, it attempts to exploit the vulnerability using a malformed graphics image embedded in the document."
[Related: Top 5 Zero-Day Threats Of 2013]
The threat impacts users of Microsoft Office 2003 through 2010, as well as all supported versions of Microsoft Lync, the company's videoconferencing and instant messaging software, according to the Microsoft Security Advisory issued Tuesday. The attack could also be hosted on a malicious website and enabled to be carried out in drive-by attacks, Microsoft said.
The threat posed to most businesses will very likely be minimal because Windows Vista is not widely adopted, said Rick Jordan, director of sales and strategy at Toronto-based solution provider Tenet Computer Group. The solution provider still has some customers on Windows XP, but those that are migrating are moving to Windows 7, according to Jordan.
"Nearly all the rollups we've been involved in are migrations to Windows 7 from XP," he said. "Security and usability are top of mind in their decision."
Attacks have been limited to the Middle East and South Asia, but the threat could spread, said Wolfgang Kandek, chief technology officer of vulnerability management vendor Qualys. Kandek said the listed software packages are not vulnerable under all conditions and urged businesses to undertake an assessment to gauge the exposure of the company install base. A permanent fix is not likely until December, he said.
"Given the close date of the next Patch Tuesday for November, we don't believe that we can count on a patch arriving in time, but will probably have to wait until December, which makes your planning for a work-around even more important," Kandek said in an email message.
In addition, Microsoft's Enhanced Mitigation Experience Toolkit, which can be implemented on Windows Vista systems, prevents the attack from executing, Kandek said. Microsoft also suggests that IT teams implement protected view and block ActiveX controls in Office documents.
"Even if the vulnerability relies in a graphic library, attackers deeply rely on other components to bypass DEP/ASLR and execute code, so users can still makes exploitation more difficult and unreliable by using Protected View to open attachments (default for Office 2010) or simply by blocking the execution of ActiveX controls embedded in Office documents," wrote Elia Florio, a Microsoft Security Response Center engineer, on the company's Research and Defense blog.
The previous zero-day threat being actively targeted was against Internet Explorer, which Microsoft patched in October. It was tied to the group responsible for carrying out the Bit9 data breach earlier this year. In addition to users in Japan and Korea, the zero-day exploit was used against a defense contractor in the United States, but security firms said the attacks were broad in nature and not likely associated with cyberespionage activity.
PUBLISHED NOV. 5, 2013