No Patch Forthcoming for TIFF-handling Zero Day Vulnerability

As we noted in Friday’s Advance Notification post and will explore in more detail in tomorrow’s recap of the November Patch Tuesday releases, Microsoft® is putting out eight security fixes this month.  However, SC Magazine reported a few days ago that this slate of patches will not include one to address a zero day vulnerability that is reportedly already being used in attacks in Asia and the Middle East, particularly Pakistan. It’s using the same payload as that of Operation Hangover, which last spring also targeted Pakistan, as well as China and the U.S. Those attacks are coming from a group of hackers believed to be located in India.

This is another remote code execution vulnerability, something we’ve been seeing a lot of lately. This time the problem is in the way TIFF graphic files are handled and it affects several previous but still supported versions of Microsoft Office: 2003, 2007 and 2010. Microsoft Lync 2010 and 2013, as well as some versions of the Windows OS (Vista and Windows Server 2008) are also implicated. Note that Office 2013 is not affected.

The attackers are distributing these attacks in the form of email attachments that consist of Office documents that are specially designed XML objects to manipulate heap memory and discover sections of memory that can be corrupted and used by the malicious code. The attacker, if successful, would gain the same user rights as the currently logged-on user. The vulnerability can also, according to Microsoft, be used in a web-based attack scenario.

On November 5, Microsoft released a Security Advisory (2896666) for IT pros that details how the exploit works. Although no patch is forthcoming tomorrow, there is a “Fix It” workaround available for this vulnerability. Workarounds include disabling the TIFF codec to prevent TIFF files from being displayed. This can be done via the automated Fix It or by editing the registry to manually disable the codec. Of course, if you apply this workaround, you won’t be able to view any TIFF formatted files.

Another resolution is to deploy the Enhanced Mitigation Experience Toolkit (EMET) to help make the flaw more difficult to exploit. EMET 3.0 or 4.0 can be used and they can be configured via Group Policy to protect groups of systems. The toolkit can be downloaded from the Microsoft web site.

Other security vendors have released antivirus definitions and Intrusion Prevention System (IPS) updates to protect against this vulnerability as well.

Like our posts? Subscribe to our RSS feed and be the first to get them!