Microsoft zero-day vulnerability exploited more widely than expected

Hackers are exploiting a vulnerability in the graphics component of several key Microsoft products more widely than was initially thought


The vulnerability (CVE-2013-3906) lies in the handling of the TIFF graphics format used in Microsoft Windows Vista, Windows Server 2008, Microsoft Office 2003-2010 and Microsoft Lync.

Microsoft confirmed this exploit had been used in limited attacks against “selected” computers, largely in the Middle East and South Asia.

But the research team at security firm FireEye analysed the zero-day exploit and found links with two cyber operations, indicating it had been used for more than a few targeted attacks.

First, the researchers established a link with Operation Hangover, which adds India and Pakistan to the mix of targets.

Information obtained from a command-and-control (CnC) server revealed that the Hangover group, believed to operate from India, has compromised 78 computers, 47% of them in Pakistan.

But FireEye researchers also found another group had access to the Microsoft exploit and was using it to deliver the Citadel Trojan malware.

This hacker gang – dubbed "the Ark group" by FireEye – may have had access to the exploit before the Hangover group, the researchers found.

Information obtained from CnCs operated by the Ark group revealed that 619 targets (4,024 unique IP addresses) had been compromised. Most of the targets are in India (63%) and Pakistan (19%).

Because of the links with Hangover and Ark, the researchers have concluded that the use of this zero-day exploit is more widespread than previously believed.

Hangover had previously been connected with a targeted malware campaign. The Ark group is operating a Citadel-based botnet for organised crime.

Security firm Websense claims nearly 37% of Microsoft Office business users are susceptible to the exploit.

Alex Watson, director of security research at Websense, said IT administrators are encouraged to install the Microsoft Fixit 51004 to stop the vulnerability while waiting for a formal patch from Microsoft.
