TIFF Zero Day Missing From November Patch Tuesday Updates

Microsoft said today it will not patch a zero-day vulnerability disclosed this week being used in targeted attacks in the Middle East and Asia.

A patch for the Windows zero-day disclosed this week will not be ready in time for next week’s monthly Patch Tuesday release, Microsoft said today.

The vulnerability in several Windows and Office versions is being exploited in targeted attacks against Windows XP systems running Office 2007. The attacks are limited so far to the Middle East and Asia. Microsoft released a Fix-It tool as a stopgap measure until a patch is released out of band or with the December security updates.

Microsoft, meanwhile, will release eight security bulletins next week, three of them critical, including another Internet Explorer roll-up going all the way back to IE 6. The other two critical bulletins are for flaws in Windows; this is the first set of patches in months that does not affect a Microsoft server component.

As for the zero-day bug, it is in the Graphics Design Interface, or GDI+, found in Office, Windows and Lync. Microsoft clarified some confusion over the conditions in which the vulnerability exists. In Office, for example, 2003 and 2007 are affected regardless of the underlying OS. Office 2010 on Windows XP or Windows Server 2003 is vulnerable; Office 2013 is not.

Vista and Windows Server 2008, meanwhile, contain the vulnerable GDI+ component but are not being attacked, Microsoft said. Other Windows versions are not impacted unless running a version of Office or Lync that is impacted. All supported versions of Lync support the vulnerable component, but also are not under attack.

The attacks are carried out via infected Word documents sent via email attachments.

“If the attachment is opened or previewed, it attempts to exploit the vulnerability using a malformed graphics (TIFF) image embedded in the document.  An attacker who successfully exploited the vulnerability could gain the same user rights as the logged on user,” the Microsoft advisory says.

Attackers can gain the ability to remotely inject code on a compromised machine.

Yesterday, new details emerged from researchers at AlienVault. Once attackers have a presence on the machine, the malware downloads a RAR file that connects to the attacker’s server and downloads additional malware including a keylogger, backdoor and component that steals productivity files such as spreadsheets, Word docs, Power Point and PDF files.

Researchers at Kaspersky Lab said this is not the first exploit for a TIFF vulnerability and also found additional malicious behavior.

“The new 0day uses malformed TIFF data included in Office documents in order to run a shellcode using heap spray and ROP techniques. We have already researched some shellcodes – they perform common actions (for shellcodes): search API functions, download and launch payload,” said Vyacheslav Zakorzhevsky, head of the vulnerability research group at Kaspersky. “We took a glance at a downloaded payload – backdoors and Trojan-spies.”

Researchers at FireEye, meanwhile, said today that another group is using the exploit to drop the Citadel banking malware onto compromised machines, bringing a criminal element into the equation alongside targeted espionage attacks. FireEye said the Arx group behind these attacks have had the exploit longer than the group using it in targeted attacks. FireEye said 619 targets have been compromised, most in India.

Suggested articles