Deciphering Microsoft Security Advisory 2896666 on Word zero-day exploit

The straight story on Microsoft's uninformative, poorly worded security advisory about attacks delivered via a bug in the TIFF codec shipping with Office

If you've tried to wade through Security Advisory 2896666, you're probably ready to tear your hair out. I can't recall ever seeing a security advisory so poorly worded, convoluted, and uninformative. Let me try to cut through the multiple layers of bafflegab (I'm being polite here) and tell you if there's reason to be concerned and, if so, what to do to mitigate the problem.

Apparently someone's discovered a zero-day hole in the TIFF codec that ships with Office. According to McAfee -- which discovered the exploit in the wild -- the sample infected Word document it's analyzing uses (remarkably) the newer DOCX format. It works by sticking ActiveX objects inside the DOCX file, then using the ActiveX controls to spray heap memory.

This particular TIFF codec exhibits the "bad" exploitable behavior only when run on specific versions of Windows. That's led to a lot of confusion.

A typical attack involves opening a Word document with an infected embedded TIFF graphic. In rare circumstances, you can also get infected by previewing an email message in Outlook with that bad TIFF graphic, but only if you use Word to preview Outlook messages -- a practice cut off by default in Office 2003. Microsoft's garbled Security Advisory article also alludes to the possibility of getting infected via a drive-by Web attack, but I've seen no confirmation of that vector. Given the nature of the attack, through the Office TIFF codec, it's hard to understand how it could happen. The only confirmed attack vector I've seen operates by opening a Word document with an infected embedded TIFF file.

We've been around the barn several times, trying to figure out exactly which combinations of Word and Windows are vulnerable. Computerworld's Gregg Keizer, quoting Microsoft sources, provided an important piece of the puzzle yesterday . Here's the easy way to look at it:

Deciphering Microsoft Security Advisory 2896666 on Word zero-day exploit

If your combination of Word and Windows falls into one of the vulnerable categories, Microsoft has a Fixit for you. Be aware of the fact that the Fixit doesn't actually solve the problem; it just disables TIFF processing for all of Windows. You may or may not be able to live with that limitation.

Keep in mind that this is a so-called advanced persistent threat attack, which means it's most likely targeted very narrowly, at specific organizations. Microsoft says, "The attacks observed are very limited and carefully carried out against selected computers, largely in the Middle East and South Asia."

It's a safe bet that unless you're running a highly sensitive computer in the Middle East or South Asia, you aren't likely to encounter the problem -- yet.

This story, "Deciphering Microsoft Security Advisory 2896666 on Word zero-day exploit," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies