Attacks on zero-day vulnerability in Windows, Office and Lync

Microsoft has warned of a zero-day vulnerability that hackers are currently using for attacks on Windows, Office and Lync. According to a security advisory, the bug is in the Microsoft Graphics Component. Manipulated TIFF files can therefore be used to inject and execute malicious code. An attacker would only have to get a victim to open a specially crafted web site or a Word file sent by e-mail.

The affected products are Windows Vista and Server 2008, Office 2003, 2007 and 2010, the Office Compatibility Pack and Lync 2010, 2010 Attendee, 2013 and Basic 2013. So far, targeted attacks have been observed mainly in the Middle East and South Asia, Microsoft spokesman Dustin Childs writes in a blog entry.


As a workaround, the software giant offers a so-called Fix it tool that is intended to protect against the effects of an attack. It disables the TIFF codec, which means that TIFF files can no longer be displayed. Alternatively, the Enhanced Mitigation Experience Toolkit (EMET) can be installed to minimize the consequences of an attack.
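Until a fix is installed, it can help to know which incoming Office documents contain TIFF images at all. The following is an added example, not code from the article or from Microsoft: it lists TIFF-format parts inside an OOXML (.docx) container by checking file headers rather than file names. The function names and the sample document are constructed for illustration, legacy binary .doc files are out of scope, and a hit only means a TIFF is present, not that it is malicious.

```python
import io
import zipfile

# TIFF files start with a byte-order mark ("II" or "MM") plus the number 42.
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")


def find_embedded_tiffs(document: bytes) -> list:
    """Return names of ZIP members whose content starts with a TIFF header.

    Content is checked instead of the extension, because a member can
    carry any name. Input that is not a ZIP container returns [].
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(document))
    except zipfile.BadZipFile:
        return []
    hits = []
    with archive:
        for info in archive.infolist():
            with archive.open(info) as member:
                if member.read(4) in TIFF_MAGICS:
                    hits.append(info.filename)
    return hits


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal OOXML-like container, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
        z.writestr("word/media/image2.tif", b"II*\x00" + b"\x00" * 8)
        # TIFF content stored under a .jpg name is still reported.
        z.writestr("word/media/image3.jpg", b"MM\x00*" + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for name in find_embedded_tiffs(build_sample_docx()):
        print("TIFF part:", name)
```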

The vulnerability was discovered by McAfee employee Haifei Li. It is unclear whether Microsoft will already provide a fix as part of its November Patch Day, which takes place next Tuesday. “Microsoft monitors the threat situation and will take action to protect its customers,” it said in the blog of the Microsoft Security Response Center.

Most recently, in September, Microsoft had warned of a zero-day vulnerability in one of its products. However, hackers had been using that vulnerability in Internet Explorer to attack companies in Japan since August. In early October, Microsoft closed the hole with a cumulative update for its browser.