Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Warns of Zero-Day Attacks

Posted by Soulskill on from the welcome-to-tuesday dept.

wiredmikey writes "Microsoft released an advisory today warning users about a new zero-day under attack in targeted campaigns occurring in the Middle East and South Asia. According to Microsoft, the vulnerability resides in the Microsoft Graphics component and impacts certain versions of Windows, Microsoft Office and Lync. The problem exists in the way specially-crafted TIFF images are handled. To exploit the vulnerability, an attacker would have to convince a user to preview or open a specially-crafted email message, open a malicious file or browse malicious Web content. If exploited successfully, the vulnerability can be used to remotely execute code. The vulnerability affects Office 2003, 2007 and 2010 as well as Windows Server 2008 and Windows Vista. Right now, Microsoft Word documents are the current vector for attack."

5 of 165 comments (clear)

  1. Re:New Attack? 0 Day? by tbuddy · · Score: 5, Informative

    Microsoft, Apple, and even our dear Linux all have had issues with previewing malcrafted images. If seeing this on a patch notes shocks you I'll assume you haven't read many patch notes. TIFF is surprising as that hasn't been a huge attack vector, but I've seen in the hundreds of notes I've read as an IT peon where formats have been an issue. More often it is PDF, EMF, WMF, but TIFF isn't out of the question
    It is a file format that is pretty low on the level of requiring correct formatting and is more or less abandoned by its owner, Adobe. I bet their is a grip of EPS exploits out there for Microsoft's viewer, but very few people would open those. Everyone know EPS is "an Adobe" and forward them on to the graphics department.

  2. Re:I got burned by the font rendering bug last tim by theshowmecanuck · · Score: 2, Informative

    I guess Linux has never and never will have any security exploits possible against it. So yeah, good luck with that. And to anyone else who thinks using Linux online is the end all and be all for security. No system is safe.

    --
    -- I ignore anonymous replies to my comments and postings.
  3. Re:Already there by recoiledsnake · · Score: 5, Informative

    You just described Windows RT.

    --
    This space for rent.
  4. Re:Already there by TheP4st · · Score: 3, Informative

    Why only pick on Windows? http://arstechnica.com/apple/2013/08/rendering-bug-crashes-os-x-and-ios-apps-with-string-of-arabic-characters/

    Because we picked on apple for that one on August 29th and to those of us that are capable of thinking clearly it make very little sense to pick on apple when the topic clearly is a windows vulnerability.

    --
    "I have downloaded hundreds and hundreds of records, why would I care if somebody downloads ours?" Robin Pecknold
  5. Re:WOW by Anonymous Coward · · Score: 2, Informative

    So, based on the wording of the advisory, if I am using Office 2010 running on Windows 7, I am both affected and non-affected. How exactly does that work?

    You are not affected, you are not software. Your OS, Windows 7, is not affected, as explicitly stated. One of your programs, Office 2010, is affected, as explicitly stated.