Hackers are exploiting a vulnerability in the graphics component of several key Microsoft products much more widely than was initially thought.
The vulnerability (CVE-2013-3906) lies in the way the Microsoft graphics component parses TIFF images, and affects Microsoft Windows Vista, Windows Server 2008, Microsoft Office 2003-2010 and Microsoft Lync.
Microsoft confirmed this exploit had been used in limited attacks against “selected” computers, largely in the Middle East and South Asia.
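Because the flaw is triggered by TIFF data rather than by a particular file extension, a useful triage step is to look inside Office documents for embedded TIFF content regardless of what the image is named. The script below is an added example written for this page, not code from FireEye, Microsoft or Websense. It assumes only the Office Open XML layout (a .docx/.xlsx/.pptx is a ZIP container with images under a `media/` folder) and builds its own constructed sample documents in memory, so it runs offline. Legacy binary .doc files, such as those Office 2003 produces, are not ZIP containers and are not covered by this check.

```python
import io
import zipfile

# A TIFF file begins with a byte-order mark ("II" little-endian or "MM" big-endian)
# followed by the number 42 encoded in that byte order.
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")


def is_tiff(data: bytes) -> bool:
    """Return True if the bytes begin with a TIFF header, whatever the file extension says."""
    return data[:4] in TIFF_MAGICS


def find_embedded_tiffs(docx_bytes: bytes) -> list:
    """Return the archive members of an Office Open XML document whose content is TIFF.

    The check is on the first bytes of each member, not on its name, so a TIFF
    renamed to .jpg or .png inside word/media/ is still reported.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(4)
            if is_tiff(head):
                hits.append(info.filename)
    return hits


def triage(docx_bytes: bytes) -> dict:
    """Summarise a document: which members are TIFF and whether it deserves a closer look."""
    tiffs = find_embedded_tiffs(docx_bytes)
    return {"embedded_tiffs": tiffs, "review": bool(tiffs)}


def build_sample_docx(image_name: str, image_bytes: bytes) -> bytes:
    """Construct a minimal .docx-shaped ZIP in memory (a test fixture, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/" + image_name, image_bytes)
    return buf.getvalue()


# Constructed sample inputs: a benign document carrying a PNG, and one carrying
# a TIFF header saved under a .jpg name.
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
TIFF_HEADER = b"II*\x00\x08\x00\x00\x00" + b"\x00" * 16

BENIGN_DOC = build_sample_docx("image1.png", PNG_HEADER)
SUSPECT_DOC = build_sample_docx("image1.jpg", TIFF_HEADER)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOC), ("suspect", SUSPECT_DOC)):
        print(label, triage(doc))
```

A hit only means the document contains a TIFF, which is common in legitimate files; it is a reason to route the attachment for closer inspection (sandbox detonation, or opening only on a patched host), not a verdict on its own.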
FireEye researchers first established a link with Operation Hangover, which adds India and Pakistan to the mix of targets.
Information obtained from a command-and-control server (CnC) revealed that the Hangover group, believed to operate from India, has compromised 78 computers, 47% of them in Pakistan.
But FireEye researchers also found that another group had access to the exploit for the Microsoft flaw and was using it to deliver the Citadel Trojan malware.
This hacker gang – dubbed "the Ark group" by FireEye – may have had access to the exploit before the Hangover group, the researchers found.
Information obtained from CnCs operated by the Ark group revealed that 619 targets (4,024 unique IP addresses) had been compromised. Most of the targets are in India (63%) and Pakistan (19%).
Because of the links with Hangover and Ark, the researchers have concluded that the use of this zero-day exploit is more widespread than previously believed.
Hangover had previously been connected with a targeted malware campaign. The Ark group is operating a Citadel-based botnet for organised crime.
Security firm Websense claims nearly 37% of Microsoft Office business users are susceptible to the exploit.
Alex Watson, director of security research at Websense, said IT administrators are encouraged to install the Microsoft Fixit 51004 to stop the vulnerability while waiting for a formal patch from Microsoft.