bit-tech.net

Microsoft patches critical TIFF zero-day

Microsoft's December Patch Tuesday bundle brings the long-awaited fix for a critical zero-day vulnerability in Windows, Office and Lync, but fails to patch a similar hole in Windows XP.

Microsoft has announced that an outstanding zero-day vulnerability missed off last month's Patch Tuesday update is to be resolved next week, while missing another actively-exploited hole in its soon-to-be-obsolete yet still incredibly popular Windows XP OS.

Confirmed by the company back in November, when it released a Fix It workaround for the flaw, the vulnerability lies in the Microsoft Graphics Component which handles tagged image file format (TIFF) loading and saving - a standard component of Windows, Office and Lync - and allowed for the execution of arbitrary code in the context of the logged-in user, making for a serious security flaw.

Despite admitting that the zero-day vulnerability was under active attack, a fix was not forthcoming in November's Patch Tuesday update bundle. That's something the company is thankfully resolving this month, promising that a patch for the flaw - rated Critical on the company's own ranking system - will be included in the regular releases made on the second Tuesday of each month.

Sadly, a recently-discovered vulnerability in Microsoft's Windows XP Telephony API, which again allows for arbitrary code execution and is under active exploitation in the wild, is not so lucky. While it only affects the outdated Windows XP operating system, that's still a substantial target for attackers: according to the most recent figures from NetMarketShare, Windows XP accounts for 31.22 per cent of the desktop and laptop operating system market. That's just behind Windows 7 with 46.64 per cent, and significantly ahead of Windows 8 at a devilish 6.66 per cent or Windows 8.1 with just 2.64 per cent.

While Microsoft is likely to patch the Windows XP hole some time early next year, it could be one of the last times such a vulnerability is addressed in the operating system. Official support for the platform expires in April 2014, after which end-users will no longer receive security updates - although larger corporations and government customers will still be able to receive emergency patches for a short time following that deadline.

December's Patch Tuesday update bundle also brings fixes for three more Critical-rated security vulnerabilities in Windows, one in Internet Explorer and one in the Exchange communications server package, plus a further six updates ranked as Important in Windows, Office and the Microsoft Developer Tools. Those Important flaws cover privilege escalation - which would allow any one of the Critical vulnerabilities to be used to execute code under administrative privileges, considerably worsening the impact of the flaws - along with information disclosure and security feature bypass.

All updates, along with an upgraded version of the Windows Malicious Software Removal Tool, will hit Windows Update on Tuesday the 10th of December.

16 Comments

Star*Dagger 7th December 2013, 22:14 Quote
If you are using XP you deserve to have your computer explode, every day. Twice on Sunday.
Cthippo 8th December 2013, 08:16 Quote
Quote:
Originally Posted by Star*Dagger
If you are using XP you deserve to have your computer explode, every day. Twice on Sunday.

Why, because people feel like they shouldn't have to pay money for features they don't need just because the company that produced the software in the first place has decided to quit fixing the problems that people are STILL discovering all these years later?

If anyone deserves to have their computers explode it's Microsoft for releasing crappy products in the first place and then using their refusal to fix the problems in those products as a way to force people to buy more crappy, bug infested products.
Unicorn 8th December 2013, 12:53 Quote
That's a silly statement to make Star Dagger - I reverted one of my ultraportable laptops back to XP last week with an old backup image on a new SSD and it runs just as well as it has done with Win7 Home Premium for the past 3 years, and 3 of our standalone "presenter" PCs in school run XP Pro from SSDs as well, all of them flawlessly.

Just because Microsoft are no longer making money from sales of XP but are still having to spend money on it with a developer team writing hotfixes and security updates for it doesn't mean they should be able to pull the plug on an operating system which is still popular and in use all around the world today.
erratum1 8th December 2013, 14:01 Quote
Windows xp. :D

You have to evolve; Windows XP had a good run, but a company can't just stagnate.

What was wrong with caves? Why do we need houses? Light a fire, they are very cosy, and hitting a girl with a club sounds far easier than all this dating malarkey.
Corky42 8th December 2013, 14:20 Quote
Quote:
Originally Posted by erratum1
Windows xp. :D

You have to evolve; Windows XP had a good run, but a company can't just stagnate.

What was wrong with caves? Why do we need houses? Light a fire, they are very cosy, and hitting a girl with a club sounds far easier than all this dating malarkey.

Some would say every OS Microsoft have released since XP is a step backwards; stagnation is fine if what comes after is devolution. At least a cave won't take 25 years of your life away, and some people like a natural fire versus some gas-fed monstrosity. Newer doesn't always equal better.
Umbra 8th December 2013, 16:03 Quote
XP still has its uses. The only way I could get Splinter Cell Chaos Theory to run was on XP; I tried all the suggested workarounds for Win7 but no joy, so I installed XP on a spare PC and played it. It's something to do with the protection used on Chaos Theory; no way would it run on Win7.
Madness_3d 8th December 2013, 20:31 Quote
As much as I feel people should of course get off XP and onto more modern operating systems, I think it is criminal to abandon an operating system with > 30% of the desktop & laptop market share. I have elderly grandparents who have older machines that run XP and it is fine for their needs. They haven't a great deal of spare money or ability to learn new things, and I'm expected to tell them they have to relearn a new OS / buy a new PC because Microsoft want to shift people onto their newer products.

Surely someone there should point out that perhaps the reason those people haven't upgraded is because they've seen nothing in the new OS that justifies the upgrade? Surely the fairer way to do it is to support the OS' with the highest percentages of market share... In which case Win8 should be put to bed...
Star*Dagger 8th December 2013, 23:09 Quote
Defenders of XP, only on Brit-Tech (sic).

KILL IT WITH PLASMA FIRE!!
jb0 9th December 2013, 15:11 Quote
Quote:
Originally Posted by Corky42

Some would say every OS Microsoft have released since XP is a step backwards; stagnation is fine if what comes after is devolution.

Some would say XP was a step back from Windows 2000.
Which happens to be the last Windows I like unconditionally. Everything after it is "Well, I like this, but wish they hadn't done that."

And some would say it's all downhill since we left MS-DOS, but some people are crazy. :P
Gareth Halfacree 9th December 2013, 15:16 Quote
Quote:
Originally Posted by jb0
And some would say it's all downhill since we left MS-DOS, but some people are crazy. :P
Bah. Microsoft BASIC or GTFO.
Star*Dagger 10th December 2013, 01:31 Quote
Quote:
Originally Posted by Gareth Halfacree
Bah. Microsoft BASIC or GTFO.

Well said. I have always found the Neo-Luddite gene particularly hilarious in people who use computers regularly.

Change is the only Constant people!!

Yours in Ever changing Cyber Plasma,
Star*Dagger
Cthippo 10th December 2013, 02:23 Quote
Quote:
Originally Posted by jb0
Some would say XP was a step back from Windows 2000.
Which happens to be the last Windows I like unconditionally. Everything after it is "Well, I like this, but wish they hadn't done that."

I would say XP / Win 2K, collectively anyway, were the high water mark of the series. They represented a significant improvement over Win 3.x / ME, and everything that has come since then has been small appearance upgrades that added little or nothing to functionality.

Certainly the improvements that have come since then could have been added to XP without changing the GUI.

There are lots of very old programs that I and others still use because they work and we're used to them. The only reason people "need" to upgrade from XP is that it was full of problems when it was made and now Microsoft are going to quit fixing those problems as they are discovered. The problems are not new; they have been in the software since the day it was released. If Windows wasn't so insecure and buggy there would be no reason to ever upgrade.
Gareth Halfacree 10th December 2013, 09:18 Quote
Quote:
Originally Posted by Star*Dagger
Well said, I have always found the Neo-Luddite gene particularly hilarious in people who use computer regularly.
Wait... You thought I was being sarcastic? :)
steveo_mcg 10th December 2013, 20:10 Quote
Bah, the only reason I updated from 2K was for SLI; still wish I'd never updated from XP to Win8...
Star*Dagger 11th December 2013, 10:17 Quote
Quote:
Originally Posted by steveo_mcg
Bah, the only reason I updated from 2K was for SLI; still wish I'd never updated from XP to Win8...

Wait, in one sentence you contradict yourself, SLI is for gamers, and DX11 is not available on XP, never will be.

So WTF?
steveo_mcg 12th December 2013, 14:17 Quote
Quote:
Originally Posted by Star*Dagger
Wait, in one sentence you contradict yourself, SLI is for gamers, and DX11 is not available on XP, never will be.

So WTF?

You didn't ask when; time is always the important issue. I upgraded from 2K in 2006 when my single 6600 became inadequate and I got another cheap one. I now run Win8 (by accident) and haven't played a single DX11 game, most are still DX9, so what exactly is your point??