Microsoft has issued a warning to users that malicious hackers have been using a previously unknown zero-day vulnerability to launch targeted attacks against particular computers.
The remote code execution flaw, which has been dubbed CVE-2013-3906, lies in a Microsoft graphics component.
According to the firm, the attack has been largely spread via boobytrapped Microsoft Word documents, distributed by email, and has largely targeted computers belonging to companies based in the Middle East and South Asia.
By using the social engineering trick of disguising the email as something enticing, victims are being fooled into opening the attached Word document (which has a malformed graphic TIFF image embedded within it) and infecting their PCs.

| Microsoft Office Version | Vulnerability |
| --- | --- |
| Office 2003 | Affected |
| Office 2007 | Affected |
| Office 2010 | Affected only on Windows XP/Windows Server 2003 |
| Office 2013 | Not affected |

However, it is possible that the same flaw could also be exploited by malicious hackers embedding a malformed TIFF file inside web content, and tricking users into viewing it.
In a security advisory, published today, Microsoft has made available a Fix It tool – a temporary band-aid for the flaw, which it is urging at-risk users to install.
Of course, the hope is that Microsoft releases a proper fix for the vulnerability – and closes the door permanently on future attacks exploiting the flaw – as soon as possible.
Microsoft argues that the fact that Office 2010 is only vulnerable on ageing Windows XP and Windows Server 2003 computers is another good argument for users to keep their operating systems up-to-date and patched. (Regular readers will, no doubt, be aware that Windows XP will no longer receive security updates after April 2014.)
It’s worth emphasising that unlike most fixes from Microsoft, the Fix It tool will not be automatically rolled out to users. If you want to protect your computers from having the flaw exploited, you need to download and run the tool.
And then, like the rest of the internet, you have to hope that Microsoft will roll out a proper, permanent and reliable patch for the problem with appropriate haste.
Further mitigations and workarounds are detailed in the Microsoft blog post and in an accompanying security advisory.
Further reading: Microsoft zero-day was used in Citadel Trojan campaign, as well as targeted attacks