The company says that it’s aware of several “targeted attacks”

Nov 6, 2013 06:24 GMT

Microsoft has released a new advisory this morning to inform users about a security flaw it found in several products that would allow an attacker to get the same rights as the logged-on user.

The company says that the flaw exists in Windows Vista, Windows Server 2008, Microsoft Office 2003 through 2010 and Microsoft Lync, and that the attack relies on a specially crafted Word attachment delivered by email.

“The exploit requires user interaction as the attack is disguised as an email requesting potential targets to open a specially crafted Word attachment. If the attachment is opened or previewed, it attempts to exploit the vulnerability using a malformed graphics image embedded in the document. An attacker who successfully exploited the vulnerability could gain the same user rights as the logged on user,” Microsoft said in a statement.

At the same time, Redmond has also confirmed that several targeted attacks have been recorded in the Middle East and South Asia. The current versions of Windows and Office are not affected by the issue.

At this point, Microsoft is still working on a patch, but the company rolled out a Fix it solution that disables the TIFF codec and prevents exploitation of the bug.