Earlier this week, a vulnerability with a CVE (Common Vulnerabilities and Exposures) entry was discovered in Microsoft Office. However, many users were confused about which versions of Office were vulnerable, and on which versions of Windows. The zero-day exploit was first discovered in Office 2007 and was later also found in Office 2003 and 2010. Office 2013 was confirmed as safe.
In Microsoft's official blog post on the 5th, Dustin Childs from Response Communications said, “(issue) affects customers using Microsoft Windows Vista and Windows Server 2008, Microsoft Office 2003 through 2010, and all supported versions of Microsoft Lync. We are aware of targeted attacks, largely in the Middle East and South Asia. The current versions of Microsoft Windows and Office are not affected by this issue.”
The zero-day exploit is triggered by a malformed graphics image embedded in a document, which is sent in an email asking the user to open the attachment. If the attachment is opened, the attacker could gain the same rights on the machine as its user. As a workaround, Microsoft recommends using the Fix it solution to disable the TIFF codec, and using EMET (Enhanced Mitigation Experience Toolkit).
To clarify exactly who could be affected, Microsoft published a blog post yesterday with more information. You can check the information below to find out whether your machine could be a potential target:
- Office 2003 and 2007 users can be affected irrespective of the Windows OS installed; however, there haven’t been any reported issues with 2003 so far.
- Office 2010 can be affected if installed on Windows XP or Windows Server 2003, and is not affected if used on Windows Vista or a later version.
- As confirmed earlier, 2013 remains unaffected.
- All supported versions of Lync clients are also affected but are not under active attack.
They stress that although the above software versions are affected, they have so far only seen attacks against Office 2007 installed on Windows XP. Microsoft intends to provide security updates for Internet Explorer, Windows and Office. As for the presently detected zero-day vulnerabilities, Microsoft says it is still working on the issue and will release the patches as soon as it can. The exploit was first spotted by McAfee Labs, which immediately contacted the Microsoft Security Response Center.