TIFF images in MS-Office documents used in targeted attacks

Published: 2013-11-05
Last Updated: 2013-11-05 18:28:34 UTC
by Daniel Wesemann (Version: 1)
8 comment(s)


Today, Microsoft published a research note and a security advisory covering a remote code execution vulnerability (CVE-2013-3096) that can be triggered with a malformed TIFF image. According to the write-up, the vulnerability is being actively exploited in a "very limited" number of targeted attacks that involved a Word (MS-Office) document which in turn contains the malformed TIFF image.

There is no patch yet, but the two Microsoft articles contain some information on mitigation options.

 

8 comment(s)

Comments

Does this vulnerability affect any other Office document processing applications, such as LibreOffice or OpenOffice?
The workaround is to disable the TIFF codec. If Libreoffice or Openoffice use the Windows TIFF codec, then they should also be impacted by disabling the codec. If so, they are probably impacted. Fax software may be impacted as well since TIFF is the image format for Fax.
OK, I added the LibreOffice binaries to the EMET configuration (see the research note), which I should have done in the first place.
Considering that most computer users are more likely to fall for the poisonous-webpage route, Microsoft's advisory omits an important question -- is this just an Internet Explorer thing, or do other browsers on the Win32 platform use the problematic component?

I had an idea to test this by seeing if Firefox lost the ability to view TIFF files if the registry flag was toggled. However, neither IE nor Firefox seem to be able to render TIFFs even with the registry in its default state. Huh?
I am wondering how best to test this. I have set the registry key to disable TIFF support and yet every program I try can open and display a TIFF. I am testing this on WIN 7 pro with Office 2010 SP 2.

I have tested this on WIN XP pro and it worked as expected.
[quote=comment#28277]I am wondering how best to test this. I have set the registry key to disable TIFF support and yet every program I try can open and display a TIFF. I am testing this on WIN 7 pro with Office 2010 SP 2.

I have tested this on WIN XP pro and it worked as expected.[/quote]
Office 2010 on Windows 7 is not affected by this vulnerability. It only affects Office 2010 running on Windows XP or server 2003. In Windows XP, gdiplus was an optional add on module. In Windows 7 we now have WDDM which implements GDI differently. So maybe the redering of TIFFs and other graphic formats is handled differently?

PS: Incidentally this workaround has been around for a while now!
http://blogs.technet.com/b/srd/archive/2009/10/12/new-attack-surface-reduction-feature-in-gdi.aspx?Redirected=true
[quote=comment#28274]Considering that most computer users are more likely to fall for the poisonous-webpage route, Microsoft's advisory omits an important question -- is this just an Internet Explorer thing, or do other browsers on the Win32 platform use the problematic component?

I had an idea to test this by seeing if Firefox lost the ability to view TIFF files if the registry flag was toggled. However, neither IE nor Firefox seem to be able to render TIFFs even with the registry in its default state. Huh?[/quote]

I don't believe that browsers have ever been able to render TIFF's directly. The attack vector though, appears to be a Word attachment with appropriately crafted image and user interaction is required to launch the exploit:
http://krebsonsecurity.com/2013/11/microsoft-warns-of-zero-day-attack-on-office/
Hi there
You can try to add a tiff processing program to help you.I think it would be more convenient for you with a fine tool.
There are many third party tool for tiff image.You can just choose the most suitable one for you.Best wishes.
http://www.rasteredge.com/how-to/csharp-imaging/tiff-processing/

Diary Archives