Microsoft has released an out-of-cycle emergency workaround to plug a zero-day security vulnerability it says is being actively exploited by malware in the wild.
Typically, Microsoft limits its software update releases to the second Tuesday of each month - known as Patch Tuesday - both to give it time to thoroughly test the patches itself, and also to give system administrators a firm date on which they should set aside time to test and deploy the fixes. Occasionally, however, the company releases out-of-cycle patches in order to solve particularly nasty security flaws being actively exploited in-the-wild.
It's one such flaw that has forced Microsoft's hand this week. A vulnerability has been discovered in the way the Microsoft Graphics component - an integral part of Windows, Office, and Lync - handles tagged image file format (TIFF) data. By constructing a malicious TIFF, the company admits, an attacker can run arbitrary code - and malware has been spotted that does just that.
Hiding executable content in image files is the holy grail for malware writers: many security packages concentrate on known-executable content when scanning, in order to improve performance; as images are not usually executable, they are often skipped over and ignored - giving the malware a route into the system.
The flaw, Microsoft's security advisory
warns, can be triggered a number of ways: the TIFF and its malicious payload can be opened in an email client as an attachment or embedded image, as a file on a storage device or network location, or even simply rendered in the browser - making the vulnerability extremely useful for triggering drive-by downloads of malicious software.
Although there is no patch yet available, Microsoft has released a Fix It
workaround. This disables the TIFF codec, preventing the Microsoft Graphics component from rendering any images in that format - a blow to usability, but a boon to security. When a formal patch is available, it will be released through Windows Update as an automatic update - at which point users who used the Fix It workaround can reverse the procedure to re-enable TIFF decoding.
While it's a serious security flaw, there is mitigation: Microsoft's latest software, including Windows 8.1, Windows 8, Windows 7, and all versions of Office 2013 are not affected. Confirmed as being vulnerable to the attack, meanwhile, are Windows Vista, Windows Server 2008, Office 2003, 2007, and 2010, and Lync 2010 plus client releases of Lync 2013.
A full analysis of the vulnerability, which Microsoft claims is being used in 'very limited
' attacks, can be found on the company's TechNet