Critical security fixes on their way from Microsoft, but none yet for the CVE-2013-5065 zero-day

Graham Cluley
Graham Cluley
@[email protected]

tiff-patch-170Microsoft is all set to patch a bunch of security vulnerabilities on Tuesday, including one for a zero-day flaw that has allowed hackers to launch targeted attacks involving boobytrapped Word documents, and broader financially-motivated campaigns using boobytrapped TIFF image files.

Microsoft had already released a temporary workaround for the TIFF flaw (dubbed CVE-2013-3906), after malicious Word documents (with dangerous TIFF files embedded inside) were sent to targeted companies based in the Middle East and South Asia.

But a proper permanent fix shuts the door firmly on the flaw, and will protect the widest possible group of users.

The Patch Tuesday update, due to be released on December 10, will also see security fixes issued for vulnerabilities in Windows, Internet Explorer, Microsoft Exchange, Office, Lync and Microsoft Developer Tools.

Sign up to our free newsletter.
Security news, advice, and tips.

All of the fixes have been given a ranking of “important” or “critical”, meaning that they should be installed on vulnerable computers at the earliest opportunity.

However, Dustin Childs of Microsoft’s Trustworthy Computing group admitted in a blog post that there would not be a fix yet for the critical and in-the-wild zero-day attack that has been putting Windows XP and Windows Server 2003 users at risk since the end of November.

Childs said the company was working hard on developing a fix for that security hole (known as CVE-2013-5065), and urged users whose computers were at risk to take steps to reduce the threat.

This release won’t include an update for the issue described in Security Advisory 2914486. We’re still working to develop a security update and we’ll release it when ready. Until then, we recommend folks review the advisory and apply the suggested workaround on their Windows XP and Windows Server 2003 systems. Customers with more recent versions of Windows are not affected by this issue.

Lets hope at-risk computer users don’t have to wait until 2014 for a fix for that serious problem.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.