Microsoft warns of security flaw in key software products
Microsoft has warned that hackers could exploit a zero-day vulnerability in the graphics component of key products to gain control of computers
Microsoft has warned that hackers could exploit a zero-day vulnerability in the graphics component of several key products to gain control of users’ computers.
The vulnerable component is found in Microsoft Windows Vista, Windows Server 2008, Microsoft Office 2003-2010 and Microsoft Lync.
The flaw lies in the way the graphics processing component in the affected software handles Tagged Image File Format (TIFF) image files.
“Microsoft is aware of targeted attacks that attempt to exploit this vulnerability in Microsoft Office products,” the company said in a security advisory.
According to the advisory, attackers could exploit the vulnerability by persuading users to preview or open a specially crafted email or web content.
An attacker who successfully exploited the vulnerability could gain the same user rights as the current user, but the impact would be lower on users who do not operate with full administrative rights.
Microsoft said it would take appropriate action to address the issue, which "may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs".
In a security advisory, Microsoft has made available a Fix It tool as a temporary measure, which the company is urging at-risk users to install.
“The hope is that Microsoft releases a proper fix for the vulnerability – and closes the door permanently on future attacks exploiting the flaw – as soon as possible,” said independent security consultant Graham Cluley.
“It is worth emphasising that unlike most fixes from Microsoft, the Fix It tool will not be automatically rolled out to users. If you want to protect your computers from having the flaw exploited, you need to download and run the tool,” he wrote in a blog post.