Zero-Day attacks hit Microsoft Office

[Correction: An earlier headline for this story implied that Microsoft Windows and Lync were also suffering zero day attacks. Some versions of these products have the same vulnerability, but the attacks in the wild have only been observed against Microsoft Office.]

Microsoft today disclosed a vulnerability in the graphics code in certain versions of Windows, Office and Lync. They say they have received reports of targeted attacks in the wild using the vulnerability, specifically against Microsoft Office.

The disclosure includes instructions for various workarounds that users may employ to mitigate against attacks. The workarounds include a "Fix It" link to automate the workarounds.

The affected products are:

• Windows Vista x86, x64
• Windows Server 2008 x86, x64, Itanium, Server Core
• Microsoft Office 2003
• Microsoft Office 2007
• Microsoft Office 2010 x86, x64 
• Microsoft Office Compatibility Pack 
• Microsoft Lync 2010 x86, x64
• Microsoft Lync 2010 Attendee
• Microsoft Lync 2013 x86, x64
• Microsoft Lync Basic 2013 x86, x64

Of these products, only Lync 2013 is a current version. Windows 7 and 8 and Office 2013 and Office 365 are not affected.

Like almost all such vulnerabilities, this one would only allow remote code execution in the context of the affected user, but such attacks can often be combined with a privilege escalation vulnerability exploit to give administrator privileges to the attacker.

The vulnerability, which was reported to Microsoft by Haifei Li of McAfee Labs IPS Team, is due to a bug in the software's handling of specially-crafted TIFF files. The bug results in memory corruption which may be exploited by the attacker to take control of execution.

The workarounds described by Microsoft involve disabling the TIFF codec and using the Enhanced Mitigation Experience Toolkit (EMET) to block execution in the application. EMET can also be deployed through Group Policy.