Microsoft had already released a temporary workaround for the TIFF flaw (dubbed CVE-2013-3906), after malicious Word documents (with dangerous TIFF files embedded inside) were sent to targeted companies based in the Middle East and South Asia.
But a proper permanent fix shuts the door firmly on the flaw, and will protect the widest possible group of users.
The Patch Tuesday update, due to be released on December 10, will also see security fixes issued for vulnerabilities in Windows, Internet Explorer, Microsoft Exchange, Office, Lync and Microsoft Developer Tools.
All of the fixes have been given a ranking of “important” or “critical”, meaning that they should be installed on vulnerable computers at the earliest opportunity.
However, Dustin Childs of Microsoft’s Trustworthy Computing group admitted in a blog post that there would not be a fix yet for the critical and in-the-wild zero-day attack that has been putting Windows XP and Windows Server 2003 users at risk since the end of November.
Childs said the company was working hard on developing a fix for that security hole (known as CVE-2013-5065), and urged users whose computers were at risk to take steps to reduce the threat.
This release won’t include an update for the issue described in Security Advisory 2914486. We’re still working to develop a security update and we’ll release it when ready. Until then, we recommend folks review the advisory and apply the suggested workaround on their Windows XP and Windows Server 2003 systems. Customers with more recent versions of Windows are not affected by this issue.
Lets hope at-risk computer users don’t have to wait until 2014 for a fix for that serious problem.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
