Earlier this week Microsoft released a security advisory for a zero-day vulnerability found in the GDI component of Microsoft Windows and Office. The flaw allows remote execution of arbitrary code on the target system via a specially crafted TIFF image.
Following the notification, the company introduced a Fix it tool, a temporary solution that can be used against the specific threat until the release of an official patch. The patch is scheduled for December’s “Patch Tuesday”. However, there is a possibility that Redmond will release “an out-of-cycle security update, depending on customer needs.” The company says users who are concerned about being vulnerable should install the Fix it as soon as possible.
NakedSecurity notes that the vulnerable software includes the Microsoft Windows Vista and Microsoft Windows 2008 operating systems, the Microsoft Office 2003, 2007 and 2010 applications, and the Lync 2010 and 2013 messaging clients.
Cybercriminals are exploiting the flaw to carry out targeted attacks, and the main victims are located in Central and East Asia.
“It is worth noting that this heap-spraying in Office via ActiveX objects is a new exploitation trick which we had not seen before; previously, attackers usually chose Flash Player to spray memory in Office. We believe the new trick was developed against the background of Adobe introducing a click-to-play feature in Flash Player months ago, which basically killed the old one. This is another proof that attack techniques always try to evolve when old ones don’t work anymore,” stated McAfee experts.