Microsoft Zero Day TIFF Image Bug Affords Remote Execution, No Patch Tuesday Fix

Heads up if you're running older versions of the Windows operating system, Microsoft Office or the Microsoft Lync communication platform software. Microsoft released a security advisory noting that the TIFF (Tagged Image File Format) image handler in some of these older Microsoft software suites is subject to a vulnerability: an attacker who convinces a user to open email messages, files or web content containing "specially crafted TIFF images" could exploit the host machine.


Microsoft details the remote code execution vulnerability in security advisory 2896666 (evil, eh?) noting: "An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

Fortunately, it sounds like this one would take at least a little convincing for the average user to fall victim to the exploit. That said, inside an MS Office application where folks are just trying to get work done, inadvertent clicks and authorizations can be more common.

Even worse, though Microsoft is aware of the vulnerability, there is no patch expected to come this Tuesday for the new zero day exploit. For now, just keep your eye out for odd app behavior and watch for updates on the advisory page.