Microsoft has released an advisory regarding an issue that affects customers using Microsoft Windows Vista, Windows Server 2008, Microsoft Office 2003 through 2010, and all supported versions of Lync.
The company said it was aware of targeted attacks, “largely in the Middle East and South Asia”, against older software. The exploit requires user interaction: the attack is disguised as an email asking the potential target to open a specially crafted Word attachment.
“If the attachment is opened or previewed, it attempts to exploit the vulnerability using a malformed graphics image embedded in the document,” said Dustin Childs, group manager of response communications at Microsoft Trustworthy Computing. “An attacker who successfully exploited the vulnerability could gain the same user rights as the logged on user.”
He said that an update to address the issue is being worked on; in the meantime, Microsoft encourages users to deploy the Fix it from the advisory. Childs said: “We are monitoring the threat landscape very closely and will continue to take appropriate action to help protect customers.”
Wolfgang Kandek, CTO of Qualys, said that the vulnerability is in the TIFF graphics format and that Microsoft’s Fix it turns off TIFF rendering in the affected graphics library, which should have no impact if you are not working with TIFF format files on a regular basis.
“The listed software packages are not vulnerable under all conditions, so it is important that you take a look at your installed base and your possible exposure for the next couple of weeks into December,” he said.
“Given the close date of the next Patch Tuesday for November, we don’t believe that we can count on a patch arriving in time; we will probably have to wait until December, which makes your planning for a work-around even more important.”
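Until a patch ships, one place to add a compensating control is the mail gateway: the attack path described above is a Word attachment carrying an embedded TIFF image, so attachments with TIFF parts can be flagged or quarantined regardless of what the image is named. The scanner below is an added example written for this article; it is not code from Microsoft, Qualys or the advisory. It checks TIFF magic bytes rather than file extensions so a renamed image is still caught, falls back to a raw byte search for legacy binary .doc files (a heuristic, since the same four bytes can occur by chance), and builds its own sample document in memory so it runs offline. The sample TIFF header is constructed and contains nothing malformed.

```python
"""Flag Word attachments that contain embedded TIFF images (added example)."""
import io
import zipfile

# A TIFF file starts with a byte-order mark and the magic number 42:
# little-endian "II\x2a\x00" or big-endian "MM\x00\x2a".
TIFF_MAGIC = (b"II\x2a\x00", b"MM\x00\x2a")


def is_tiff(data: bytes) -> bool:
    """True if the bytes begin with a TIFF header, whatever the file is called."""
    return data[:4] in TIFF_MAGIC


def find_embedded_tiffs(doc: bytes) -> list[str]:
    """Locate TIFF images inside a Word attachment.

    For a .docx (an OOXML zip) the result is the list of part names whose
    content starts with a TIFF header. For anything that is not a zip
    (a legacy binary .doc, or an unknown blob) the raw bytes are searched
    and each hit is reported as "offset:<n>". An empty list means no TIFF.
    """
    if zipfile.is_zipfile(io.BytesIO(doc)):
        hits = []
        with zipfile.ZipFile(io.BytesIO(doc)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                with zf.open(info) as part:
                    head = part.read(4)  # only the header is needed
                if head in TIFF_MAGIC:
                    hits.append(info.filename)
        return hits

    # Legacy .doc: images live inline in the OLE streams, so scan the raw
    # bytes. This is a heuristic; a four-byte signature can appear by chance.
    offsets = []
    for magic in TIFF_MAGIC:
        pos = doc.find(magic)
        while pos != -1:
            offsets.append(pos)
            pos = doc.find(magic, pos + 1)
    return [f"offset:{n}" for n in sorted(offsets)]


def should_quarantine(doc: bytes) -> bool:
    """Gateway policy for the interim: hold any Word attachment carrying TIFF."""
    return bool(find_embedded_tiffs(doc))


def build_sample_docx(image_name: str, image_bytes: bytes) -> bytes:
    """Construct a minimal zip with the layout of a .docx (constructed test
    input, not a real Office file) carrying one image part under word/media/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(f"word/media/{image_name}", image_bytes)
    return buf.getvalue()


# Constructed samples: a bare little-endian TIFF header whose first IFD sits at
# offset 8 and holds zero entries (well-formed, just the signature), and a PNG
# signature to show that other image types are left alone.
SAMPLE_TIFF = b"II\x2a\x00" + (8).to_bytes(4, "little") + (0).to_bytes(2, "little")
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8


if __name__ == "__main__":
    # A TIFF renamed to .png is still detected because the check is on content.
    renamed = build_sample_docx("image1.png", SAMPLE_TIFF)
    print("renamed TIFF  ->", find_embedded_tiffs(renamed), should_quarantine(renamed))
    clean = build_sample_docx("image1.png", SAMPLE_PNG)
    print("real PNG      ->", find_embedded_tiffs(clean), should_quarantine(clean))
    # A legacy .doc is not a zip; the raw scan reports the offset of the header.
    legacy = b"\xd0\xcf\x11\xe0" + b"\x00" * 20 + SAMPLE_TIFF
    print("legacy .doc   ->", find_embedded_tiffs(legacy), should_quarantine(legacy))
```

This is deliberately coarse: it blocks every TIFF, not only malformed ones, which matches the trade-off Kandek describes for the Fix it (lose TIFF rendering, keep everything else). Tightening it to parse the TIFF directory and flag only malformed structures would need the details of the flaw, which the advisory does not publish.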