Microsoft has confirmed they will be issuing a patch for a TIFF zero-day flaw in its GDI+ graphics component that is known to have been actively exploited in targeted attacks using tainted Word documents sent by to victims via email since early November.
“This is yet another TIFF exploit. The TIFF format seems all but irrelevant to end users but, hardly a month which passes without a CVE stemming from TIFF parsing,” said Craig Young, a vulnerability researcher for Tripwire.
The zero-day flaw is present in many older versions of Microsoft products, such as Windows Vista, Windows Server and Office 2003 through 2010, and security experts believe some of those older versions should be retired.
“Microsoft needs to become more aggressive with their end of life policies. Users should not still be running Office 2003, Office 2007, Windows XP, and Windows Server 2003,” Reguly said. If you removed that software, this zero-day would not exist. If it’s more than 5 years old, it’s probably time to end support.”
Microsoft had released a temporary Fix it workaround that would block the attack by changing the configuration on the computer to prevent the rendering of the vulnerable graphic format, but it does not mitigate the vulnerability itself.
Not on the patch list for this week is a zero-day vulnerability in Windows XP and Windows Server 2003 is being actively exploited in the wild in order to bypass the sandbox in unpatched versions of Adobe Reader 9.5.4, 10.1.6, 11.0.02 and prior on Windows XP SP3.
Microsoft stated that they plan to mitigate the vulnerability either with a Patch Tuesday release or by way of an an out-of-cycle security update, depending on the results of their investigation, and it now appears that the fix will pushed off until next year.
Users are encouraged to upgrade from the archaic Windows XP operating system in favor of Windows 7 or 8, and should ensure they are running the latest versions of Adobe Reader.
Read More Here…