Lack of Microsoft security exploit patch likely to send users into a TIFF


Last week, we reported on a security warning issued by Microsoft that concerned users of multiple versions of Windows Vista, Office 2008, and Windows Server 2008. This week, we learned that Microsoft won’t be addressing the issue in its latest round of patches, which it is set to release tomorrow.

Microsoft explains that the “remote code execution vulnerability” is due to the way its software handles TIFF images, a format popular among photographers and the publishing industry. 

“An attacker could exploit this vulnerability by convincing a user to preview or open a specially crafted email message, open a specially crafted file, or browse specially crafted Web content,” writes Microsoft. “An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

The lack of a patch for the TIFF exploit means that users of Windows Vista, Office 2008, and Windows Server 2008 won’t see any relief from this problem for some time. However, it’s entirely possible that Microsoft could break with its tradition of releasing patches once a month and release a patch for this specific issue sooner. In the same blog post where it announced the discovery of the TIFF issue, Microsoft said that it could provide an “out-of-cycle security update, depending on customer needs.”

Click here to see Microsoft’s security report, as well as a complete list of affected Microsoft software.

Image credit: SBnation