Zero-day targeted attacks via boobytrapped Word documents. Microsoft releases temporary fix

Microsoft has issued a warning to users that malicious hackers have been using a previously unknown zero-day vulnerability to launch targeted attacks against particular computers.

The remote code execution flaw, which has been dubbed CVE-2013-3906, exploits a vulnerability in a Microsoft graphics component.

According to the firm, the attack has been largely spread via boobytrapped Microsoft Word documents, distributed by email, and has largely targeted computers belonging to companies based in the Middle East and South Asia.

By using the social engineering trick of disguising the email as something enticing, victims are being fooled into opening the attached Word document (which has a malformed graphic TIFF image embedded within it) and infecting their PCs.

However, it is possible that the same flaw could also be exploited by malicious hackers embedding a malformed TIFF file inside web content, and trick users into viewing it.

In a security advisory, published today, Microsoft has made available a Fix It tool – a temporary band-aid for the flaw, which it is urging at-risk users to install.

Of course, the hope is that Microsoft releases a proper fix for the vulnerability – and close the door permanently on future attacks exploiting the flaw – as soon as possible.

Microsoft argues that the fact that Office 2010 is only vulnerable on ageing Windows XP and Windows Server 2003 computers is another good argument for users to keep their operating systems up-to-date, and patched. (Regular readers will, no doubt, be aware that Windows XP will no longer receive security updates after April 2014).

It’s worth emphasising that unlike most fixes from Microsoft, the Fix-It tool will not be automatically rolled out to users. If you want to protect your computers from having the flaw exploited, you need to download and run the tool.

And then, like the rest of the internet, you have to hope that Microsoft will roll out a proper and permanent reliable patch for the problem with appropriate haste.

Details of further mitigations and workarounds are detailed in the Microsoft blog post and in an accompanying security advisory.

Further reading: Microsoft zero-day was used in Citadel Trojan campaign, as well as targeted attacks

Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.

Graham Cluley •   @gcluley

Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy. Follow him on Twitter, Mastodon, Bluesky, or drop him an email.