Redmond very recently found out about a moderately threatening zero-day flaw that affects various versions of Windows and Office, and although attacks utilizing this vulnerability have been reported, it is unlikely to be patched sooner than December.
The company detailed the security bulletin for the November 2013 Patch Tuesday updates a little while back, and there is no mention of the exploit that was discovered earlier this week.
Microsoft, however, already offers a Fix It solution for the flaw, which primarily affects computers that have Windows Vista and Office 2010 installed. The software titan recommends that users act fast and deploy this small fix to protect their computers.
But since Patch Tuesday is much too close for comfort, Microsoft has no choice but to delay the fix until its next update cycle in December. Wolfgang Kandek, the CTO of Qualys, chimed in on this:
“Microsoft has provided a Fix It that turns off TIFF rendering in the affected graphics library, which should have no impact if you are not working with TIFF format files on a regular basis.
Given the close date of the next Patch Tuesday for November, we don’t believe that we can count on a patch arriving in time, but will probably have to wait until December, which makes your planning for a work-around even more important.”
In the meantime, several security applications and antivirus products have received new virus definition updates that block attacks exploiting the flaw.
The zero-day flaw allows an attacker to gain the same rights as the logged-on user. A compromised Office document that is delivered via email and contains malicious TIFF images is used to infect PCs.
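Because the delivery vehicle is an Office document carrying TIFF images, a mail or file-share triage step can flag such documents while the Fix It is being rolled out. The sketch below is an added example, not code from the article or from Microsoft; it assumes ZIP-based Office files (.docx, .xlsx, .pptx) only, and its sample documents are constructed in memory.

```python
import io
import zipfile

# TIFF files start with a byte-order mark plus the magic number 42.
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")


def find_tiff_parts(doc_bytes):
    """Return names of parts inside an OOXML file that are TIFF images.

    Checks content, not just the extension, so a TIFF renamed to .jpg
    is still reported. Returns None if the input is not a ZIP container
    (e.g. a legacy .doc), which this sketch does not handle.
    """
    if not zipfile.is_zipfile(io.BytesIO(doc_bytes)):
        return None
    hits = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for info in zf.infolist():
            with zf.open(info) as part:
                header = part.read(4)
            name = info.filename.lower()
            if header in TIFF_MAGICS or name.endswith((".tif", ".tiff")):
                hits.append(info.filename)
    return hits


def build_sample(parts):
    """Build a constructed in-memory OOXML-like ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples (not real documents).
CLEAN = build_sample({"word/document.xml": b"<w:document/>",
                      "word/media/image1.png": b"\x89PNG\r\n\x1a\n"})
SUSPECT = build_sample({"word/document.xml": b"<w:document/>",
                        "word/media/image1.jpg": b"II*\x00\x08\x00\x00\x00"})

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, find_tiff_parts(blob))
```

A hit means only that the document contains a TIFF, not that it is malicious; in an environment that rarely handles TIFF files, that alone is enough to justify quarantine and review.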