The remote code execution flaw, which has been assigned CVE-2013-3906, lies in a Microsoft graphics component.
According to the firm, the attack has been largely spread via boobytrapped Microsoft Word documents, distributed by email, and has largely targeted computers belonging to companies based in the Middle East and South Asia.
By using the social engineering trick of disguising the email as something enticing, victims are being fooled into opening the attached Word document (which has a malformed graphic TIFF image embedded within it) and infecting their PCs.
| Microsoft Office Version | Vulnerability |
|---|---|
| Office 2010 | Affected only on Windows XP/Windows Server 2003 |
| Office 2013 | Not affected |
However, it is possible that the same flaw could also be exploited by malicious hackers embedding a malformed TIFF file inside web content and tricking users into viewing it.
Of course, the hope is that Microsoft releases a proper fix for the vulnerability – and closes the door permanently on future attacks exploiting the flaw – as soon as possible.
Microsoft argues that the fact that Office 2010 is only vulnerable on ageing Windows XP and Windows Server 2003 computers is another good argument for users to keep their operating systems up-to-date, and patched. (Regular readers will, no doubt, be aware that Windows XP will no longer receive security updates after April 2014).
It’s worth emphasising that unlike most fixes from Microsoft, the Fix-It tool will not be automatically rolled out to users. If you want to protect your computers from having the flaw exploited, you need to download and run the tool.
And then, like the rest of the internet, you have to hope that Microsoft will roll out a proper and permanent reliable patch for the problem with appropriate haste.