
Microsoft Warns of Zero-Day Under Attack - techinsidr
http://www.securityweek.com/microsoft-warns-zero-day-under-attack
======
kogir
TIFF is a great example of how a terrible specification can lead to endless
security vulnerabilities in parsers.

[http://secunia.com/advisories/search/?adv_search=1&s=1&searc...](http://secunia.com/advisories/search/?adv_search=1&s=1&search=TIFF&vuln_title=1&vuln_bodytext=1&critical%5B%5D=0&impact%5B%5D=1&where%5B%5D=1)

~~~
voltagex_
Is this the same class of exploits that affected image drawing on Windows a
while back? (GDI?)

~~~
EvanAnderson
I think you're talking about the MS06-001 vulnerability
([http://technet.microsoft.com/en-us/security/bulletin/ms06-00...](http://technet.microsoft.com/en-us/security/bulletin/ms06-001))
with Windows Metafile (WMF) files.

This is a bug in the parser for TIFF files that allows for arbitrary code
execution. MS06-001 was based on removing a "feature" of the WMF format
(SETABORTPROC) that allowed for arbitrary code execution for legitimate,
albeit antiquated, reasons.
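The TIFF parsing problem kogir and EvanAnderson describe, as an added example that is not code from the thread, from Microsoft, or from any real codec: a small defensive walker over the TIFF Image File Directory (IFD) structure in C, run against a constructed 1x1 image and three deliberately corrupted copies of it. The exact flaw in the GDI+ codec is not described on this page, so the checks are the generic ones every TIFF reader needs (offsets and lengths bounded by the file size, count times type size widened to 64 bits before comparing, cycle detection on the IFD chain). Tag numbers and type sizes come from the TIFF 6.0 specification; the function names, error codes and sample bytes are made up for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { TIFF_OK = 0, TIFF_ERR_SHORT = -1, TIFF_ERR_MAGIC = -2,
       TIFF_ERR_RANGE = -3, TIFF_ERR_TYPE = -4, TIFF_ERR_LOOP = -5 };
#define MAX_IFDS 64                     /* cap on the IFD chain length */

struct tiff_report { int ifds; int entries; };
struct rd { const uint8_t *buf; size_t len; int le; };

/* Byte size of TIFF 6.0 field types 1..12 (index 0 = undefined type). */
static const uint32_t type_size[13] = {0,1,1,2,4,8,1,1,2,4,8,4,8};

static uint16_t rd16(const struct rd *r, size_t o) {
    const uint8_t *p = r->buf + o;
    return (uint16_t)(r->le ? p[0] | p[1] << 8 : p[0] << 8 | p[1]);
}
static uint32_t rd32(const struct rd *r, size_t o) {
    uint32_t a = r->buf[o], b = r->buf[o+1], c = r->buf[o+2], d = r->buf[o+3];
    return r->le ? a | b << 8 | c << 16 | d << 24 : a << 24 | b << 16 | c << 8 | d;
}
/* True if [off, off+n) lies inside the buffer; written so it cannot wrap. */
static int in_bounds(const struct rd *r, uint64_t off, uint64_t n) {
    return off <= r->len && n <= r->len - off;
}
/* What a careless decoder computes: count*size wraps in 32 bits, so
 * 0x40000000 LONG values "need" 0 bytes and a tiny buffer gets overrun. */
uint32_t naive_value_bytes(uint32_t count, uint16_t type) {
    return count * type_size[type];
}

/* Walk the IFD chain, checking every offset and length against len. */
int tiff_validate(const uint8_t *buf, size_t len, struct tiff_report *rep) {
    struct rd r = { buf, len, 0 };
    uint32_t seen[MAX_IFDS];
    memset(rep, 0, sizeof *rep);
    if (len < 8) return TIFF_ERR_SHORT;
    if (buf[0] == 'I' && buf[1] == 'I') r.le = 1;
    else if (buf[0] != 'M' || buf[1] != 'M') return TIFF_ERR_MAGIC;
    if (rd16(&r, 2) != 42) return TIFF_ERR_MAGIC;
    for (uint32_t ifd = rd32(&r, 4); ifd != 0; ) {
        if (rep->ifds >= MAX_IFDS) return TIFF_ERR_LOOP;
        for (int i = 0; i < rep->ifds; i++)          /* chain cycles back */
            if (seen[i] == ifd) return TIFF_ERR_LOOP;
        seen[rep->ifds++] = ifd;
        if (!in_bounds(&r, ifd, 2)) return TIFF_ERR_RANGE;
        uint64_t n = rd16(&r, ifd);                  /* entry count */
        if (!in_bounds(&r, ifd, 2 + n * 12 + 4)) return TIFF_ERR_RANGE;
        for (uint64_t i = 0; i < n; i++) {
            size_t e = (size_t)ifd + 2 + (size_t)i * 12;
            uint16_t type = rd16(&r, e + 2);
            uint32_t count = rd32(&r, e + 4);
            if (type == 0 || type > 12) return TIFF_ERR_TYPE;
            uint64_t bytes = (uint64_t)count * type_size[type]; /* widened */
            if (bytes > 4 && !in_bounds(&r, rd32(&r, e + 8), bytes))
                return TIFF_ERR_RANGE;               /* out-of-line value */
            rep->entries++;
        }
        ifd = rd32(&r, (size_t)ifd + 2 + (size_t)n * 12);
    }
    return TIFF_OK;
}

/* Constructed 1x1 bilevel image for this example (not a file from the wild):
 * header, one IFD with four entries, one strip byte at offset 62. */
static const uint8_t good_tiff[63] = {
    'I','I', 42,0, 8,0,0,0,              /* little-endian, first IFD at 8 */
    4,0,
    0x00,0x01, 3,0, 1,0,0,0, 1,0,0,0,    /* ImageWidth      = 1  */
    0x01,0x01, 3,0, 1,0,0,0, 1,0,0,0,    /* ImageLength     = 1  */
    0x11,0x01, 4,0, 1,0,0,0, 62,0,0,0,   /* StripOffsets    = 62 */
    0x17,0x01, 4,0, 1,0,0,0, 1,0,0,0,    /* StripByteCounts = 1  */
    0,0,0,0, 0x00                        /* no next IFD; strip data */
};

/* Copy the good image, overwrite n bytes at off, and validate the result. */
static int check_patched(size_t off, const uint8_t *patch, size_t n) {
    uint8_t img[sizeof good_tiff]; struct tiff_report rep;
    memcpy(img, good_tiff, sizeof img);
    memcpy(img + off, patch, n);
    return tiff_validate(img, sizeof img, &rep);
}
int check_good(void) { return check_patched(0, good_tiff, 0); }
/* StripOffsets count := 0x40000000 LONGs: 2^32 bytes, 0 after a 32-bit wrap. */
int check_count_wrap(void) { return check_patched(38, (const uint8_t[]){0, 0, 0, 0x40}, 4); }
/* Header sends the first IFD to 0xFFFFFFF0, far past the 63-byte file. */
int check_ifd_range(void) { return check_patched(4, (const uint8_t[]){0xF0, 0xFF, 0xFF, 0xFF}, 4); }
/* Next-IFD pointer loops back to offset 8: an endless loop in a naive walker. */
int check_ifd_loop(void) { return check_patched(58, (const uint8_t[]){8}, 1); }

int main(void) {
    printf("good=%d wrap=%d range=%d loop=%d naive_bytes=%u\n", check_good(),
           check_count_wrap(), check_ifd_range(), check_ifd_loop(),
           naive_value_bytes(0x40000000u, 4));
    return 0;
}
```

The three corrupted images each pass the file's own magic and header checks and only fail because a length or offset is compared against the real buffer size in arithmetic that cannot wrap; `naive_value_bytes` shows the 32-bit product that a decoder trusting the entry's `count` field would compute for the same input, which is why attacker-controlled counts in a format like TIFF are such a reliable source of heap overflows.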

------
javajosh
The original source is quite informative:

[http://technet.microsoft.com/en-us/security/advisory/2896666](http://technet.microsoft.com/en-us/security/advisory/2896666)

It's a GDI component reading TIFF files exploit, it is being used in the wild
right now, and the vuln won't be patched until Dec.

~~~
mbrownnyc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Gdiplus REG_DWORD: DisableTIFFCodec 1
And... another reason to deploy EMET.

------
GioM
The article is a little unclear - do I have to open a word doc, or is a TIFF
embedded in a web page itself enough to cause infection? This may not be the
place, but I could really use an opinion right now... I'm running firefox with
noscript on Win7/64 and have Word 2007 installed on the system. I hit a
suspect page last night, noscript blocked a number of objects, and at no point
did I open a word doc, but... it was a link masquerading as an imgur link,
that bounced me off at least two redirects (one of which was a .ir domain)
before landing me on a spammy-looking blog.

So, I guess the question is, how paranoid should I be? MSE, malwarebytes, and
GMER all show nothing (as one would expect if it was a zero-day), but going
full scorched earth and doing a system wipe on both my drives would be a huge
inconvenience right now. I feel like wiping the whole damn thing on principle,
but you can't wipe everything every single time you get spooked.

PS: I did some testing, and it doesn't appear that firefox can display a tif
file - it prompts for an external program (photoshop, in my case) and there's
no application defined for the content type tiff in the firefox preferences.

Opinions appreciated. Thanks in advance.

~~~
tanzam75
> _I'm running firefox with noscript on Win7/64 and have Word 2007 installed
> on the system. ... at no point did I open a word doc ... So, I guess the
> question is, how paranoid should I be?_

Security advisory 2896666 covers only Windows Vista and Server 2008. Since you
were browsing on Windows 7, you are not affected.

It further states that you can be attacked if you _open_ an email or file. You
say that you did not open any Word documents. That's a start. But did you open
any files at all in Microsoft Office? Outlook emails, Excel spreadsheets,
Powerpoint presentations, etc.? If not, then you are not affected.

At least, you're not affected by the _current version_ of the attack.

------
ringmaster
Is it just me, or should this title be "Zero-Day Attack"? What's the "Under"
all about?

~~~
Groxx
Phrasing is a little weird, but I read it as that this is a zero-day that is
_actively_ being exploited, but a patch is not coming for a while.

Supporting evidence for this interpretation:
[http://blogs.technet.com/b/msrc/archive/2013/11/05/microsoft...](http://blogs.technet.com/b/msrc/archive/2013/11/05/microsoft-releases-security-advisory-2896666-v2.aspx)
which includes "We are aware of targeted attacks, largely in the Middle East
and South Asia."

------
ladzoppelin
Only Vista and 2008 are affected by this exploit.

~~~
yuhong
Unless you are using Office or Lync, which have their own copy of GDI+. Office
2010 only uses its own copy when running under XP, though, unlike older
versions, and 2013 doesn't support XP at all, so it doesn't have its own copy
anymore.

~~~
tanzam75
> _Office 2010 only uses its own copy when running under XP, though, unlike
> older versions, and 2013 doesn't support XP at all, so it doesn't have its
> own copy anymore._

That explains why Office 2013 isn't vulnerable. That, plus the fact that it
uses DirectWrite instead of GDI.

But then, why is Office 2010 vulnerable? It was released after Windows 7,
which isn't vulnerable. Did it ship outdated libraries?

------
cma
Why not image decoding done in a sandbox?

~~~
Groxx
Speed, I'd imagine. But that should probably be revisited given the number of
exploits it seems to cause :/

