TIFF images in MS-Office documents used in targeted attacks

Published: 2013-11-05
Last Updated: 2013-11-05 18:28:34 UTC
by Daniel Wesemann (Version: 1)
8 comment(s)


Today, Microsoft published a research note and a security advisory covering a remote code execution vulnerability (CVE-2013-3096) that can be triggered with a malformed TIFF image. According to the write-up, the vulnerability is being actively exploited in a "very limited" number of targeted attacks that involved a Word (MS-Office) document which in turn contains the malformed TIFF image.

There is no patch yet, but the two Microsoft articles contain some information on mitigation options.

 

Keywords: image Microsoft office vulnerability
8 comment(s)

Comments

Does this vulnerability affect any other Office document processing applications, such as LibreOffice or OpenOffice?

Anonymous

Nov 5th 2013
1 decade ago

The workaround is to disable the TIFF codec. If Libreoffice or Openoffice use the Windows TIFF codec, then they should also be impacted by disabling the codec. If so, they are probably impacted. Fax software may be impacted as well since TIFF is the image format for Fax.

Anonymous

Nov 6th 2013
1 decade ago

OK, I added the LibreOffice binaries to the EMET configuration (see the research note), which I should have done in the first place.

Anonymous

Nov 6th 2013
1 decade ago

Considering that most computer users are more likely to fall for the poisonous-webpage route, Microsoft's advisory omits an important question -- is this just an Internet Explorer thing, or do other browsers on the Win32 platform use the problematic component?

I had an idea to test this by seeing if Firefox lost the ability to view TIFF files if the registry flag was toggled. However, neither IE nor Firefox seem to be able to render TIFFs even with the registry in its default state. Huh?

Anonymous

Nov 6th 2013
1 decade ago

I am wondering how best to test this. I have set the registry key to disable TIFF support and yet every program I try can open and display a TIFF. I am testing this on WIN 7 pro with Office 2010 SP 2.

I have tested this on WIN XP pro and it worked as expected.

Anonymous

Nov 6th 2013
1 decade ago

[quote=comment#28277]I am wondering how best to test this. I have set the registry key to disable TIFF support and yet every program I try can open and display a TIFF. I am testing this on WIN 7 pro with Office 2010 SP 2.

I have tested this on WIN XP pro and it worked as expected.[/quote]
Office 2010 on Windows 7 is not affected by this vulnerability. It only affects Office 2010 running on Windows XP or server 2003. In Windows XP, gdiplus was an optional add on module. In Windows 7 we now have WDDM which implements GDI differently. So maybe the redering of TIFFs and other graphic formats is handled differently?

PS: Incidentally this workaround has been around for a while now!
http://blogs.technet.com/b/srd/archive/2009/10/12/new-attack-surface-reduction-feature-in-gdi.aspx?Redirected=true

Anonymous

Nov 11th 2013
1 decade ago

[quote=comment#28274]Considering that most computer users are more likely to fall for the poisonous-webpage route, Microsoft's advisory omits an important question -- is this just an Internet Explorer thing, or do other browsers on the Win32 platform use the problematic component?

I had an idea to test this by seeing if Firefox lost the ability to view TIFF files if the registry flag was toggled. However, neither IE nor Firefox seem to be able to render TIFFs even with the registry in its default state. Huh?[/quote]

I don't believe that browsers have ever been able to render TIFF's directly. The attack vector though, appears to be a Word attachment with appropriately crafted image and user interaction is required to launch the exploit:
http://krebsonsecurity.com/2013/11/microsoft-warns-of-zero-day-attack-on-office/

Anonymous

Nov 11th 2013
1 decade ago

Hi there
You can try to add a tiff processing program to help you.I think it would be more convenient for you with a fine tool.
There are many third party tool for tiff image.You can just choose the most suitable one for you.Best wishes.
http://www.rasteredge.com/how-to/csharp-imaging/tiff-processing/

Anonymous

Dec 27th 2013
9 years ago

Login here to join the discussion.


Top of page
Diary Archives