Microsoft warns of Office zero-day, active hacker exploits
Flaw unlikely to be patched in next week's security updates, says expert
Computerworld - Microsoft today said that attackers are exploiting a critical and unpatched vulnerability in Office 2007 using malformed documents to hijack Windows PCs and said Office 2003 and Office 2010 are also vulnerable.
The bug can be triggered by a malformed image file viewed on a website or in an email message if one of those versions of Office is installed on the system.
"We are aware of targeted attacks, largely in the Middle East and South Asia," Dustin Childs, a communications manager with the Microsoft Security Response Center (MSRC) said in a Tuesday blog entry.
It was initially unclear exactly which versions of Windows are at risk, and thus the extent of the problem for Microsoft's customers.
While Microsoft listed only Windows Vista and Windows Server 2008 as vulnerable in its initial advisory, the McAfee security researcher who reported the flaw to Microsoft last Thursday said that both Windows XP and Windows 7 could also be exploited through malicious Office files.
"While we spotted the attack performed via Office 2007 running on Windows XP, this is actually a fault existing in a TIFF-processing component shipped with Microsoft Office," wrote Haifei Li on McAfee's website. "Therefore, not only is Office 2007 with Windows XP vulnerable to this attack, but also more environments are affected, [including] Office 2007 running on Windows 7."
Microsoft tried to clarify the situation on its Security Research & Defense blog, but did not list every affected Windows-Office combination. According to details spelled out by MSRC engineer Elia Florio, anyone running Office 2003 or 2007, no matter what operating system powers the PC, is affected, while only those running Office 2010 on Windows XP or Server 2003 are at risk.
Office 2013, Microsoft's newest, does not contain the vulnerability, said Florio.
In an email received from a company spokesperson, Microsoft set the record straight, saying that the vulnerable scenarios are: Office 2003 and Office 2007 on all platforms; Office 2010 on XP and Server 2003 only; and all supported versions of Lync.
Childs said that Microsoft is working on a patch, but did not mention a timetable for delivering a fix.
Andrew Storms, director of DevOps at San Francisco-based CloudPassage, thought it very unlikely that Microsoft would move fast enough to put something in customers' hands next week; Microsoft's Patch Tuesday this month is slated for Nov. 12.
"I would not expect it on Patch Tuesday," Storms said in an interview today. "If it was IE [Internet Explorer], maybe. And I don't think they're taking any chances, what with the problems with some updates lately. They'll move very cautiously on this, unless their telemetry shows that attacks have really spread."
Storms was referring to several updates since April, including ones for Windows 7, the Exchange email server software and Office, that Microsoft has had to withdraw and rework after post-patching problems plagued users. Some security experts, including Storms, have wondered whether Microsoft has lost grip on its once-notable quality control.
Today, Microsoft urged customers to apply a temporary work-around until a patch is available, and posted links to an automated "Fixit" stop-gap on a support document.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.
- Researcher claims two hacker gangs exploiting unpatched IE bug
- Update: Third of Internet Explorer users at risk from attacks
- Microsoft plans another short patch slate for next week, but finds a few XP bugs to crush
- Target attack shows danger of remotely accessible HVAC systems
- Target hackers try new ways to use stolen card data
- Update: Microsoft to patch just-revealed Windows zero-day tomorrow
- NSA spying prompts open TrueCrypt encryption software audit to go viral
- Microsoft warns of Office zero-day, active hacker exploits
- Hackers move to create next Blackhole after 'Paunch' arrest
- Adobe hack shows subscription software vendors lucrative targets
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Why You Need a Next-Generation Firewall This white paper explores the reasons for implementing next-generation (NG) firewalls and lays out a path to success for overburdened IT organizations.
- Infographic: Converged Infrastructure Benefits This Infographic quantifies the savings organizations are realizing from increased deployment speed, higher availability, and lower annual costs.
- CIOs Deliver Productivity Breakthroughs with Intelligent Digital Signage Retailers have long recognized the influence that digital signage provides over a shopper's point-of-purchase decision making process.
- Top 4 Digital Signage Fails Join RMG Networks for a look at four of the most common reasons digital signage fails in corporate businesses. Learn about strategies to...
- Building Tomorrow's Infrastructure Listen to this podcast to discover how Crider Foods worked with PC Connection to update their IT infrastructure, while maintaining compliance and control. All Malware and Vulnerabilities White Papers | Webcasts