Microsoft has warned users of its Vista operating system and Office application suite that hackers could exploit a newly-found vulnerability and gain control of the victim's computer.


The software giant released a note on its TechCenter security pages announcing the zero-day exploit, which can be exploited by getting victims to open the attachment of a malicious email or web link; the company said it is "aware of targeted attacks" and is investigating.

Microsoft says the issue affects Windows Vista, Windows Server 2008, Office 2003 to 2010 for Windows, and Microsoft Lync. The exploit encourages victims to open the attachment of an enticing email; the attached Word document, containing a malformed TIFF image, will infact their PC when opened.

TIFF stands for Tagged Image File Formt and is a file format used for storing images which is popular among graphic artists, the publishing industry,and photographers.

The company said: "An attacker who successfully exploited the vulnerability could gain the same user rights as the current user."

On its TechCenter website, Microsoft said once its investigation into the vulnerability is complete it will "take the appropriate action" to protect customers. This means either an update to the company's monthly release of updates and software patches, or an out-of-cycle security update if deemed necessary.

Microsoft explains that any attacker using the exploit would have to convince their victim to take action - either by clicking a link to a malicious website, or by opening a malicious Word attachment received via email from the attacker.

As a temporary workaround, Microsoft provides instructions on how users can disable their computer's TIFF codec, which will stop all TIFF files - including the malicious one appearing in attached Word documents - from being displayed.

Difficult situation

But this workaround isn't ideal. In a statement sent to IBTimes UK, Tyler Reguly, a technical manager of security research and development at Tripwire, said the workaround "may not be viable for a lot of people":

"TIFF is a popular format and a lot of people may not be able to accomplish their daily work if their computer won't render graphics properly. Web designers, graphic designers, and those in marketing are just a few examples of people that may be greatly hindered by applying the fix."

Reguly says the temporary solution "puts people in the difficult situation of preventing a new vulnerability or doing their job. Enterprises that work heavily with graphics may have a difficult time justifying the deployment of this fix."

In a blog post on Microsoft's Security Response Center, communications manager Dustin Childs said the company is "monitoring the threat landscape very closely and will continue to take appropriate action to help protect customers."