Microsoft to patch critical TIFF hole next week

Microsoft said Friday that next week it will finally issue a patch for a vulnerability within its Microsoft Graphics (GDI+) component, one that is being actively targeted by attackers.

However, it will not patch a kernel vulnerability allowing an attacker to escalate privileges on Windows XP and Windows Server 2003. Instead, the company plans to address it in a future update, Microsoft said Friday. In all, the patches will be released on Dec. 10, at about 10 AM PT, Microsoft said.

The GDI+ vulnerability has been known about for at least a month; in November, Microsoft first began publishing word of the problem, originally in this security bulletin. It affects the following software: 

  • All versions of Lync
  • Windows Vista
  • Windows Server 2008
  • Office 2003 and 2007, regardless of operating system
  • Office 2010, only if installed on Windows XP or Windows Server 2003

“If the attachment is opened or previewed, it attempts to exploit the vulnerability using a malformed graphics (TIFF) image embedded in the document," Microsoft says. "An attacker who successfully exploited the vulnerability could gain the same user rights as the logged on user.”

Microsoft was expected to act quickly to mitigate the problem, especially when groups in the Middle East and elsewhere began exploiting the GDI+ vulnerability to drop the Citadel banking trojan on victims, by emailing them infected files. But it didn't, leaving Windows users wringing their hands for a month. Users who absolutely can't wait should have already deployed this temporary patch for the GDI+ problem that Microsoft released several weeks ago. If you haven't, do it now!

In all, Microsoft will release 11 patches next week, five of which will are identified as Critical; the last six are flagged Important. As it normally does, Microsoft only discloses a few basic details of the patches themselves until they're actually released. 

IT managers will have their hands full, however, as the affected OSes span Windows XP, Windows Vista, Windows 7, Windows 8, and Windows RT. On the server front, IT managers will have to patch Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2, plus Windows Server 2012 and Windows Server 2012 R2. Internet Explorer versions 7 through 11 are affected as well, Microsoft said.

Additional reporting by Brad Chacos.

To comment on this article and other PCWorld content, visit our Facebook page or our Twitter feed.
Shop Tech Products at Amazon
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.