The Channel logo


By | Shaun Nichols 5th November 2013 19:39

Microsoft in a TIFF over Windows, Office bug that runs code hidden in pics

New vulnerability found, workaround issued ahead of patch

Microsoft has alerted users and system administrators following the discovery of targeted attacks on a security bug present in Windows, Office and Lync.

The software giant said the flaw allows attackers to remotely execute code and install malware on a vulnerable system by sending an email or instant message or convincing a user to open a specially crafted webpage.

According to Microsoft, the flaw lies in the handling of TIFF image files by a graphics processing component in Windows Vista, Server 2008, Office 2003 to 2010 and Microsoft Lync. When exploited, the attacker's code hidden in the image file executes on the target system with the same privileges as the current user.

Researchers at McAfee said they tracked assaults on Windows XP systems, and warned that Windows 7 systems are also vulnerable if an affected version of Office is installed. Versions of Office and Lync for Mac OS X are not believed to be at risk.

It's understood the TIFF attack works by tricking the OS into copying malicious code stashed in the file into memory and then hijacking the processor to execute it.

Microsoft has yet to post a patch to fix the bug, although the company has posted a workaround which edits the Windows registry to prevent the rendering of TIFF images, thus blocking off the attack vector on vulnerable systems.

Should a formal update for the flaw arrive, it could hit the download servers next Tuesday when Microsoft issues its monthly Patch Tuesday security update. However there may not be enough time to construct and test a fix for this zero-day vulnerability by next week. ®

comment icon Read 48 comments on this article alert Send corrections


Frank Jennings

What do you do? Use manual typwriters or live in a Scottish croft? Our man advises
A rusty petrol pump at an abandoned gas station. Pic by Silvia B. Jakiello via shutterstock

Trevor Pott

Among other things, Active Directory needs an overhaul
Baby looks taken aback/shocked/affronted. Photo by Shutterstock

Kat Hall

Plans for 2 million FTTP connections in next four years 'not enough'
Microsoft CEO Satya Nadella


Suit-and-tie-wearing man tries to meditate, take deep breaths in faux yoga pose. Photo by Shutterstock
Emotional intelligence, not tech skills, is the way to woo suits
League of gentlemen poster - Tubbs and Edward at the local shop. Copyright BBC
One reselling man tells his tale of woe