Next week Microsoft will release eight security bulletins as part of November’s Patch Tuesday, but the latest zero-day is not one of them.
The Windows/Office hole, which could allow a targeted attack via booby trapped images, will not be plugged as part of Microsoft’s forthcoming monthly security update. Group Manager of Response Communications, Dustin Child, explained:
“While this release won’t include an update for the issue first described in Security Advisory 2896666, we’d like to tell you a bit more about it. We’re working to develop a security update and we’ll release it when ready. In the meantime, the advisory includes a Fix it which prevents the attacks from succeeding and we recommend customers apply it to help protect their systems.”
Hopefully the omission of a fix this time around is not because Microsoft intend to wait until December but, rather, that it intends to issue a solution out of band.
Writing for the Microsoft blog, Childs went on to clarify which specific products are vulnerable to the zero-day, saying that –
- Office 2003 and Office 2007 are vulnerable no matter which operating system is employed
- Office 2010 is only vulnerable if installed on Windows XP or Windows Server 2003
- Office 2013 is immune to the attack
- Windows Vista and Server 2008 are shipped in a potentially vulnerable state but are not known to be targeted at this time
- All supported versions of the company’s Lync client are vulnerable
Despite all the possibilities alluded to above, Microsoft are only aware of targeted attacks against Office 2007 on machines running Windows XP.
The range of associated attacks does, however, seem to be worse than first thought. Websense revealed that many enterprise users are vulnerable to this exploit, saying that:
“up to 37% of enterprise computers are running both Microsoft Windows and Office”
Also, the FireEye research team have drawn a connection between the exploit, described by Microsoft as being “very limited and carefully carried out against selected computers, largely in the Middle East and South Asia,” and Operation Hangover.
FireEye’s analysis indicates that the Hangover group, thought to operate out of India, have used the vulnerability to compromise 78 computers, almost half of which are in Pakistan.
The company’s researchers also believe that another group has taken advantage of the zero-day which involves the processing of TIFF graphics format files. This group, which they have named Arx, may have compromised 4024 unique IP addresses, mostly in India but also in Pakistan.
All things considered, lets hope Microsoft issue a patch sooner rather than later. In the meantime, please do ensure that your own Windows-based systems running Office are secure.
Download Microsoft’s Fix It here.