And boy, is this one scary! Redmond has just released a new security advisory this morning detailing a security flaw that the company found in a number of its products, including Windows Vista.
This vulnerability allows an attacker to get the same rights and privileges as the logged in user.
According to Microsoft, Windows Vista, Windows Server 2008, Microsoft Office 2003 through 2010 and Microsoft Lync are all affected by this flaw, though newer versions of this software are in the clear. The flaw is triggered by a specially crafted Word attachment delivered via email.
Microsoft talked about the details in a statement:
“The exploit requires user interaction as the attack is disguised as an email requesting potential targets to open a specially crafted Word attachment. If the attachment is opened or previewed, it attempts to exploit the vulnerability using a malformed graphics image embedded in the document. An attacker who successfully exploited the vulnerability could gain the same user rights as the logged on user.”
And that’s not the worst of it, folks.
Microsoft, along with a number of security experts, has also confirmed that several targeted attacks making use of this very exploit have been recorded in the Middle East and South Asia.
Current versions of Windows and Office are not affected by the issue, but then again, there is a substantial user base that still has Windows Vista, Windows Server 2008 and Office 2010 installed. In any case, this one is big, and if you are using any of this software, it is worth keeping an eye out for a patch.
The company has promised one, saying it is still working on a patch.
But at the same time, taking the gravity of the situation into consideration, the technology giant has also rolled out a Fix it solution that disables the TIFF codec, thereby preventing exploitation of this flaw. You can take a look at it here.
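Until the patch lands, mail and endpoint teams usually want a cheap way to triage incoming Word attachments for the kind of content this flaw abuses: a TIFF image embedded in the document. The script below is an added example written for this article, not Microsoft's Fix it and not part of any vendor tool. It treats a .docx as the zip container it is, reads only the first four bytes of each part, and reports every part that carries a TIFF header, regardless of its file extension. It never decodes the image, so it is safe to run on untrusted files. The sample document it builds at the bottom is constructed inline for demonstration.

```python
"""Triage helper: flag Word (.docx) files that embed TIFF images.

Constructed example for this article, not Microsoft's Fix it and not any
vendor tooling. It does not parse or decode TIFF data; it only inspects
the first bytes of each part in the archive, so it is safe to run on
untrusted files and cheap enough for mail-gateway triage.
"""
import io
import zipfile

# A TIFF file starts with a byte-order mark ("II" or "MM") followed by
# the 16-bit magic number 42 in that byte order.
TIFF_MAGIC = {
    b"II*\x00": "little-endian",
    b"MM\x00*": "big-endian",
}


def tiff_variant(data: bytes):
    """Return the TIFF byte order if `data` starts with a TIFF header, else None."""
    for magic, variant in TIFF_MAGIC.items():
        if data[:4] == magic:
            return variant
    return None


def find_embedded_tiffs(docx_bytes: bytes):
    """List (part name, byte order) for every TIFF-headed part in a .docx.

    The check is by magic bytes, not extension, so an image stored as
    'image1.jpg' but carrying a TIFF header is still reported.
    Raises ValueError for files that are not OOXML zip containers
    (for example legacy binary .doc), so callers can route those separately.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(docx_bytes))
    except zipfile.BadZipFile as exc:
        raise ValueError("not an OOXML (zip) document") from exc
    hits = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            with archive.open(info) as part:
                head = part.read(4)  # header only; the image is never decoded
            variant = tiff_variant(head)
            if variant is not None:
                hits.append((info.filename, variant))
    return hits


def build_sample_docx(media):
    """Construct a minimal docx-like zip for testing; `media` maps part names to bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        for name, data in media.items():
            z.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: one PNG, one TIFF, and one TIFF with a misleading extension.
    sample = build_sample_docx({
        "word/media/image1.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "word/media/image2.tiff": b"II*\x00" + b"\x00" * 16,
        "word/media/image3.jpg": b"MM\x00*" + b"\x00" * 16,
    })
    for name, order in find_embedded_tiffs(sample):
        print(f"TIFF part found: {name} ({order})")
```

A hit is a triage signal, not a verdict: legitimate documents embed TIFF images too. The useful pattern is to route flagged attachments to a sandbox or hold them for review while the Fix it workaround is rolled out, and to keep the magic-byte check rather than an extension filter, since the container does not require the stored file name to match the image format.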