Microsoft patches critical TIFF zero-day

December 6, 2013 | 10:35

Tags: #insecurity #lync #office #patch-tuesday #security #tiff #updates #vulnerability #windows #windows-xp #zero-day

Companies: #microsoft

Microsoft has announced that an outstanding zero-day vulnerability missed off last month's Patch Tuesday update is to be resolved next week, while missing another actively-exploited hole in its soon-to-be-obsolete yet still incredibly popular Windows XP OS.

Confirmed by the company back in November, when it released a Fix It workaround for the flaw, the vulnerability sits in the Microsoft Graphics Component which handles tagged image file format (TIFF) loading and saving - a standard component of Windows, Office and Lync. It allows for the execution of arbitrary code in the context of the logged-in user, making for a serious security flaw.

Despite admitting that the zero-day vulnerability was under active attack, a fix was not forthcoming in November's Patch Tuesday update bundle. That's something the company is thankfully resolving this month, promising that a patch for the flaw - rated Critical on the company's own ranking system - will be included in the regular releases made on the second Tuesday of each month.

Sadly, a recently-discovered vulnerability in Microsoft's Windows XP Telephony API, which again allows for arbitrary code execution and is under active exploitation in the wild, is not so lucky. While it only affects the outdated Windows XP operating system, that's still a substantial target for attackers: according to the most recent figures from NetMarketShare, Windows XP accounts for 31.22 per cent of the desktop and laptop operating system market. That's just behind Windows 7 with 46.64 per cent, and significantly ahead of Windows 8 at a devilish 6.66 per cent or Windows 8.1 with just 2.64 per cent.

While Microsoft is likely to patch the Windows XP hole some time early next year, it could be one of the last times such a vulnerability is addressed in the operating system. Official support for the platform expires in April 2014, after which end-users will no longer receive security updates - although larger corporations and government customers will still be able to receive emergency patches for a short time following that deadline.

December's Patch Tuesday update bundle also brings fixes for three more Critical-rated security vulnerabilities in Windows, one in Internet Explorer and one in the Exchange communications server package, along with a further six updates ranked as Important in Windows, Office and the Microsoft Developer Tools. The Important-rated flaws cover privilege escalation, information disclosure and security feature bypassing; the privilege escalation flaws are of particular note, as chaining one with any of the Critical vulnerabilities would allow code to be executed under administrative privileges, considerably worsening the impact of the flaws.

All updates, along with an upgraded version of the Windows Malicious Software Removal Tool, will hit Windows Update on Tuesday the 10th of December.