If you use aged versions of Windows or Microsoft Office, be on the lookout; Redmond issued a security warning today.
In their latest Security Advisory report, Microsoft states that they are investigating reports of vulnerabilities in multiple versions of Windows Vista, Windows Server 2008 and Microsoft Office. They’re also aware of “targeted attacks” that try to take advantage of a security hole in Office.
Here’s how Microsoft describes the vulnerability:
“[It’s] a remote code execution vulnerability that exists in the way affected components handle specially crafted TIFF images. An attacker could exploit this vulnerability by convincing a user to preview or open a specially crafted email message, open a specially crafted file, or browse specially crafted web content. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
The report indicates that a hacker who attacks a PC using this vulnerability could gain the same rights to the machine that the user has, even administrative rights. However, the hacker would also be bound do whatever restrictions the user is limited to in the event that they do not have administrative rights access. Hackers could also attack a machine with this vulnerability if a user clicked an affected link in an email or instant message, or opened a tainted email attachment.
Microsoft says that they are working with partners in this investigation and could choose to address the issue by releasing an update. The update may fall in line with Microsoft’s monthly update schedule, though the report states that the patch could be released “out-of-cycle.” Which route Microsoft goes depends on “customer needs.”
Click here to see the report, and a complete list of the affected Microsoft software.
- Researchers defend the Ryzenfall disclosure, explain why exploits are dangerous
- Hackers target Windows clipboard to steal cryptocurrency wallet addresses
- Intel opens bug hunt to all security researchers, offers possible $250K payout
- Nvidia’s latest software update helps protect your system from ‘Spectre’
- Microsoft misses another Edge-related 90-day security disclosure deadline