Last week, Microsoft announced a new vulnerability in the way certain Microsoft products handle TIFF images. The flaw (CVE-2013-3906) is already being exploited in the wild while the company works toward a patch.
According to Microsoft, "An attacker could exploit this vulnerability by convincing a user to preview or open a specially crafted email message, open a specially crafted file, or browse specially crafted web content." A successful attack would give the attacker the same rights as the current user, including administrative rights if that user is an administrator. In practice, this means a user who is signed in as an administrator stands to be affected far more severely than a user with limited rights on the system.
In the web-based scenario, an attacker might host a web site containing a malicious TIFF image designed to compromise the visitor's computer. The link to that site might arrive by email or instant message crafted to persuade the user to click the link or image; the malicious file might also arrive directly as an email attachment. Either way, the user ends up opening the malicious content.
Affected Software
The following software and operating systems are vulnerable to the TIFF bug:
- All versions of Vista
- All versions of Windows Server 2008
- All versions of Microsoft Lync
- Some versions of Microsoft Office: Office 2003 Service Pack 3, Office 2010 on Windows XP and Windows Server 2003, and the Office Compatibility Pack Service Pack 3
Microsoft has stated that, "The attacks observed are very limited and carefully carried out against selected computers, largely in the Middle East and South Asia."
Keep Computers Infection-Free
Though Microsoft is still working on a permanent fix, many antivirus and security software vendors have already shipped updates that detect the malicious files. Make sure your antivirus is up to date, and always exercise caution when opening email attachments you did not request. Organizations can also install Microsoft's free Enhanced Mitigation Experience Toolkit (EMET), which applies anti-exploit mitigations to vulnerable processes and applications.
In its announcement, Microsoft added that a patch would not be ready in time for this week's Patch Tuesday release, but that it will be delivered either with a later monthly update or through an out-of-cycle security update. The original announcement from Microsoft can be found here: Security Advisory 2896666.