Microsoft warns of Office zero-day, active hacker exploits

Flaw unlikely to be patched in next week's security updates, says expert

Temporary fix here: https://support.microsoft.com/kb/2896666

Computerworld - Microsoft today said that attackers are exploiting a critical and unpatched vulnerability in Office 2007 using malformed documents to hijack Windows PCs and said Office 2003 and Office 2010 are also vulnerable. The bug can be triggered by a malformed image file viewed on a website or in an email message if one of those versions of Office is installed on the system.

"We are aware of targeted attacks, largely in the Middle East and South Asia," Dustin Childs, a communications manager with the Microsoft Security Response Center (MSRC) said in a Tuesday blog entry.

It was initially unclear exactly which versions of Windows are at risk, and thus the extent of the problem for Microsoft's customers. While Microsoft listed only Windows Vista and Windows Server 2008 as vulnerable in its initial advisory, the McAfee security researcher who reported the flaw to Microsoft last Thursday said that both Windows XP and Windows 7 could also be exploited through malicious Office files.

"While we spotted the attack performed via Office 2007 running on Windows XP, this is actually a fault existing in a TIFF-processing component shipped with Microsoft Office," wrote Haifei Li on McAfee's website. "Therefore, not only is Office 2007 with Windows XP vulnerable to this attack, but also more environments are affected, [including] Office 2007 running on Windows 7."

Microsoft tried to clarify the situation on its Security Research & Defense blog, but did not list every affected Windows-Office combination. According to details spelled out by MSRC engineer Elia Florio, anyone running Office 2003 or 2007, no matter what operating system powers the PC, is affected, while only those running Office 2010 on Windows XP or Server 2003 are at risk.
Office 2013, Microsoft's newest, does not contain the vulnerability, said Florio.

In an email received from a company spokesperson, Microsoft set the record straight, saying that the vulnerable scenarios are: Office 2003 and Office 2007 on all platforms; Office 2010 on XP and Server 2003 only; and all supported versions of Lync.

Childs said that Microsoft is working on a patch, but did not mention a timetable for delivering a fix.

Andrew Storms, director of DevOps at San Francisco-based CloudPassage, thought it very unlikely that Microsoft would move fast enough to put something in customers' hands next week; Microsoft's Patch Tuesday this month is slated for Nov. 12.

"I would not expect it on Patch Tuesday," Storms said in an interview today. "If it was IE [Internet Explorer], maybe. And I don't think they're taking any chances, what with the problems with some updates lately. They'll move very cautiously on this, unless their telemetry shows that attacks have really spread."

Storms was referring to several updates since April, including ones for Windows 7, the Exchange email server software and Office, that Microsoft has had to withdraw and rework after post-patching problems plagued users. Some security experts, including Storms, have wondered whether Microsoft has lost grip on its once-notable quality control.

Today, Microsoft urged customers to apply a temporary work-around until a patch is available, and posted links to an automated "Fixit" stop-gap on a support document.

http://www.computerworld.com/s/arti...erworld/news/feed+(Latest+from+Computerworld)
http://arstechnica.com/security/201...rosoft-zero-day-more-widespread-than-thought/

Exploits of critical Microsoft zero day more widespread than thought

At least two hacker gangs exploit TIFF vulnerability to hijack users' computers.

The critical Microsoft Windows and Office vulnerability that came to light two days ago is being more widely exploited than previously reported, making it more urgent that end users install a temporary fix right away.

Early research into the zero-day exploit detected only highly targeted attacks on individuals or companies that were mostly located in the Middle East and South Asia. More often than not, the word "targeted" is used to describe espionage campaigns aimed at a particular company or industry. Now, researchers at two security firms have uncovered evidence that the same critical flaw—found in Windows Vista, Windows Server 2008, Microsoft Office 2003 through 2010, and all supported versions of Microsoft Lync—is also being targeted in wider-ranging hacking campaigns being carried out by multiple gangs, including one made up of financially motivated criminals.

The more recently discovered attacks are being carried out by the same India-based group behind Operation Hangover, a malware campaign first detected earlier this year, researchers from security firm FireEye wrote in a recent blog post. The researchers went on to say that the same attacks—which exploit weaknesses in the way Microsoft code processes TIFF images—are being waged by yet another group, alternately dubbed Arx and Ark, to deliver the Citadel trojan. Citadel is a highly malicious piece of malware that's mostly used by criminals to access and liquidate online bank accounts. Similar to the methods Microsoft described on Tuesday, the Arx group attached booby-trapped Word documents to e-mails that carried subjects related to online money transfers. When targeted individuals opened the document on vulnerable computers, the machines were infected with Citadel.
"The use of this zero-day exploit (CVE-2013-3906) is more widespread tha(n) previously believed," FireEye researchers wrote. "Two different groups are using this exploit: Hangover and Ark. Hangover has been previously connected with a targeted malware campaign, and the Ark group is operating a Citadel-based botnet for organized crime."

Symantec has published its own post citing evidence that the TIFF vulnerability is being exploited by the group behind Operation Hangover. It's the first time the group has been observed using a zero-day attack. Symantec provides answers to frequently asked questions here.

It's not uncommon for initial reports of an ongoing zero-day attack to understate its magnitude. Such understatements are largely unavoidable, since researchers are working with incomplete information that only increases in the days following their disclosure. That's why it's always a good idea to take reports like these seriously by following any available mitigation advice, even if users think that the likelihood they are vulnerable is low. Microsoft has issued a temporary fix here that takes only a minute or two to install. Readers with vulnerable machines are strongly advised to run the Fixit if they haven't already.
Thanks for the info. I'm running Office 2000 Premium with the 2007 Compatibility Pack so I can handle docx, so I wonder how this is gonna affect me. Going to install the fix just in case tho.
Patch Tuesday is coming -- here's what Microsoft is NOT fixing

This week, November 12th to be precise, is that holiday we have come to call Patch Tuesday. It's the day when Microsoft rolls out fixes for bugs, both small and large, in its software, from Windows to Office and more. This month's releases are of particular interest, not because of what the company is fixing, but what it has chosen to leave unpatched.

November's update includes eight patches, three of which have been tagged as 'critical'. Microsoft even promises it "will host a webcast to address customer questions on the security bulletins on November 13, 2013, at 11:00 AM Pacific Time".

However, security researchers at Sophos point out a glaring hole in this month's security push. "The recent zero-day, which allows crooks to attack your computer using booby-trapped TIFF images, has created a lot of confusion amongst users and administrators trying to work out which of their computers are at direct risk", states Paul Ducklin. The firm has inquired about a fix for this -- "the answer, I am sorry to have to tell you, is, no", Sophos claims.

Why has this flaw caused confusion? Well, because Microsoft has claimed the problem does not affect Windows XP, Windows 7 and Windows 8, but is a danger to Office versions ranging from 2003 to 2010. What happens when one of those suites is running on an "unaffected" operating system? Microsoft has attempted to clear this up stating that Windows Server 2008 and Windows Vista are vulnerable regardless of software. Office 2003 and 2007 are a danger regardless of the OS they are running on. Finally, Office 2010 on XP is a problem as well.

As a stop-gap, the company has issued a Fix-it to help out users in the short-term.

http://betanews.com/2013/11/10/patc...n=Feed+-+bn+-+Betanews+Full+Content+Feed+-+BN