Microsoft has issued a new security advisory, with a temporary Fix it, detailing a zero-day vulnerability in older versions of Windows that is currently being exploited in the wild.
At the end of last month McAfee’s Advanced Exploit Detection System found a suspicious sample, and the company’s subsequent investigation confirmed the sample as a new zero-day attack targeting Microsoft Office. Since the sample was in the wild, actively being used, McAfee immediately shared the information with Microsoft. Within a week, Microsoft released a security advisory and an emergency Fix it.
Fix its are temporary solutions that can be used to protect against specific threats before a formal patch is released. That patch could be delivered in December’s Patch Tuesday updates, or via “an out-of-cycle security update, depending on customer needs,” says Microsoft. Users who may consider themselves vulnerable, however, should install the Fix it as soon as possible.
The vulnerability exists in the way TIFF images are handled by the operating system. “An attacker could exploit this vulnerability by convincing a user to preview or open a specially crafted email message, open a specially crafted file, or browse specially crafted web content.” One mitigating factor is that exploitation requires user interaction: the victim has to actually click the malformed graphic. Attackers, however, are very successful at tricking victims into doing just that.
SOURCE: infosecurity-magazine.com