Microsoft has alerted users and system administrators following the discovery of targeted attacks on a security bug present in Windows, Office and Lync.
The software giant said the flaw allows attackers to remotely execute code and install malware on a vulnerable system by sending an email or instant message or convincing a user to open a specially crafted webpage.
More ReadingThink unpatched Win XP hole's not a big deal? Hope you trust your local usersDEATH-PROOF your old XP netbook: 5 OSes to bring it back to lifeIE 0-day plugged up but TIFF terror continues in November Patch TuesdayBuggy software in need of patching? Hey, we got that right here – AdobeFeeling twitchy about nasty IE 0-day? Microsoft promises relief today
According to Microsoft, the flaw lies in the handling of TIFF image files by a graphics processing component in Windows Vista, Server 2008, Office 2003 to 2010 and Microsoft Lync. When exploited, the attacker's code hidden in the image file executes on the target system with the same privileges as the current user.
Researchers at McAfee said they tracked assaults on Windows XP systems, and warned that Windows 7 systems are also vulnerable if an affected version of Office is installed. Versions of Office and Lync for Mac OS X are not believed to be at risk.
It's understood the TIFF attack works by tricking the OS into copying malicious code stashed in the file into memory and then hijacking the processor to execute it.
Microsoft has yet to post a patch to fix the bug, although the company has posted a workaround which edits the Windows registry to prevent the rendering of TIFF images, thus blocking off the attack vector on vulnerable systems.
Should a formal update for the flaw arrive, it could hit the download servers next Tuesday when Microsoft issues its monthly Patch Tuesday security update. However there may not be enough time to construct and test a fix for this zero-day vulnerability by next week. ®