Security Advisor
Microsoft Warns of Zero-Day Graphics Flaw
According to Microsoft, attacks against victims in the Middle East and Asia are exploiting a zero-day flaw found in the Microsoft Graphics Component.
The warning, issued in Security Advisory 2896666, said the vulnerability affects Windows Vista and Windows Server 2008 systems running Microsoft Office 2003, 2007, 2010 and Microsoft Lync.
"The vulnerability is a remote code execution vulnerability that exists in the way affected components handle specially crafted TIFF images," read the advisory. "An attacker could exploit this vulnerability by convincing a user to preview or open a specially crafted email message, open a specially crafted file, or browse specially crafted Web content. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user."
Delving into more detail on the issue, security firm McAfee, which discovered and disclosed the flaw to Microsoft on Oct. 31, said that users clicking on a malicious Web site or e-mail link containing the attack will have an executable stored to C:\Documents and Settings\<username>\Local Settings\Temp\winword.exe. However, this is not the executable that does the damage. A second hidden executable is then installed to C:\Documents and Settings\<username>\Updates.exe and is used by attackers as the backdoor.
"The fake document (dropped to C:\Documents and Settings\<username>\Shanti.doc) is popped to the victim right after the success of the exploitation, this is a common post-exploitation trick which tries to prevent victims from being aware of this attack," said McAfee in a blog post.
Until an official fix is released, Microsoft recommends potentially vulnerable users disable the TIFF codec. While this will prevent the flaw from being exploited, TIFF files won't be viewable.
Another option is to deploy Microsoft's Enhanced Mitigation Experience Toolkit, which, according to the company, will block the attacks from exploiting the flaw in the Office binaries.
Finally, for those who want a third option, using Protected View when viewing e-mail documents and blocking ActiveX controls in Office documents should also block any chance of attack.
"Even if the vulnerability relies in a graphic library, attackers deeply rely on other components to bypass DEP/ASLR and execute code, so users can still makes exploitation more difficult and unreliable by using Protected View to open attachments (default for Office 2010) or simply by blocking the execution of ActiveX controls embedded in Office documents," wrote Elia Florio, MSRC Engineering, in a blog entry.
Microsoft sad that customers running the latest versions of Office are not affected, and attacks using the flaw have not been seen outside the two mentioned regions. The company also hasn't commented on whether a permanent fix will be coming in the form of an out-of-band patch or with its November patch release next week.