Critical security fixes on their way from Microsoft, but none yet for the CVE-2013-5065 zero-day

Graham Cluley

Microsoft is all set to patch a bunch of security vulnerabilities on Tuesday, including one for a zero-day flaw that has allowed hackers to launch targeted attacks involving boobytrapped Word documents, and broader financially-motivated campaigns using boobytrapped TIFF image files.

Microsoft had already released a temporary workaround for the TIFF flaw (dubbed CVE-2013-3906), after malicious Word documents (with dangerous TIFF files embedded inside) were sent to targeted companies based in the Middle East and South Asia.

But a proper permanent fix shuts the door firmly on the flaw, and will protect the widest possible group of users.

The Patch Tuesday update, due to be released on December 10, will also see security fixes issued for vulnerabilities in Windows, Internet Explorer, Microsoft Exchange, Office, Lync and Microsoft Developer Tools.

All of the fixes have been given a ranking of “important” or “critical”, meaning that they should be installed on vulnerable computers at the earliest opportunity.

However, Dustin Childs of Microsoft’s Trustworthy Computing group admitted in a blog post that there would not be a fix yet for the critical and in-the-wild zero-day attack that has been putting Windows XP and Windows Server 2003 users at risk since the end of November.

Childs said the company was working hard on developing a fix for that security hole (known as CVE-2013-5065), and urged users whose computers were at risk to take steps to reduce the threat.

This release won’t include an update for the issue described in Security Advisory 2914486. We’re still working to develop a security update and we’ll release it when ready. Until then, we recommend folks review the advisory and apply the suggested workaround on their Windows XP and Windows Server 2003 systems. Customers with more recent versions of Windows are not affected by this issue.

Let's hope at-risk computer users don’t have to wait until 2014 for a fix for that serious problem.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.