Microsoft has released security advisory KB2896666 describing a vulnerability (CVE-2013-3906) in the TIFF graphics format that is being used in limited attacks in the Middle East and South Asia.
The vulnerability is present in Microsoft Office 2003, 2007 and 2010 and some of the older Windows operating systems, and the currently observed attack vector is through Microsoft Word documents. Microsoft has provided a Fix-It that turns off TIFF rendering in the affected graphics library, which should have no impact if you are not working with TIFF format files on a regular basis.
The listed software packages are not vulnerable under all conditions, so it is important that you review your installed base and your possible exposure for the next couple of weeks into December. Given how close the November Patch Tuesday is, we don’t believe that we can count on a patch arriving in time; we will probably have to wait until December, which makes planning a workaround even more important.
Microsoft’s proactive security toolkit EMET (Enhanced Mitigation Experience Toolkit) prevents the attack from executing, as do some of the Office 2010 security measures, such as Protective Mode. Microsoft has provided more information in this blog post on their SRD Blog.
McAfee has published a blog post providing more details about the attack vector through Office and how it manifests on the attacked machine.
Author: Wolfgang Kandek, CTO, Qualys.