New Microsoft 0-day vulnerability under attack
Posted on 06 November 2013.
Microsoft has released security advisory KB2896666 informing of a vulnerability (CVE-2013-3906) in the TIFF graphics format that is seeing limited attacks in the Middle East and South Asia.

The vulnerability is present in Microsoft Office 2003, 2007 and 2010 and in some of the older Windows operating systems, and the currently observed attack vector is through Microsoft Word documents. Microsoft has provided a Fix-It that turns off TIFF rendering in the affected graphics library, which should have no impact if you are not working with TIFF format files on a regular basis.

The listed software packages are not vulnerable under all conditions, so it is important that you take a look at your installed base and your possible exposure for the next couple of weeks into December. Given the close date of the next Patch Tuesday for November, we don't believe that we can count on a patch arriving in time; we will probably have to wait until December, which makes your planning for a work-around even more important.

Microsoft's proactive security toolkit EMET (Enhanced Mitigation Experience Toolkit) prevents the attack from executing, as do some of the Office 2010 security measures, such as Protective Mode. Microsoft has provided more information in this blog post on their SRD Blog.

McAfee has published a blog post providing more details about the attack vector through Office and how it manifests on the attacked machine.


Author: Wolfgang Kandek, CTO, Qualys.





Copyright 1998-2014 by Help Net Security.