Microsoft has released a temporary emergency fix for a security flaw in its graphics component that affects Windows, Office and Lync and that, if exploited, can lead to remote code execution.
Microsoft revealed that the vulnerability exists because of the way its graphics component handles specially crafted TIFF images. The flaw requires user interaction: it could lead to remote code execution if an attacker convinces a user to open a specially crafted file, to open or preview a specially crafted email, or to browse specially crafted web content.
“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user”, notes Microsoft in its security advisory. Redmond has revealed that it is currently investigating the issue with its Microsoft Active Protections Program (MAPP) partners.
The Windows 8 maker revealed that once the investigation is completed, it will decide on the appropriate action, which may include rolling out a patch through its monthly release process or an out-of-cycle security update.
The mitigating factors highlighted by Microsoft include configuring user accounts with the least possible rights and awareness of general security best practices in a work environment.
Dustin C. Childs, in a blog post, confirmed that the current versions of Office and Windows are not affected by the issue. The ‘Fix it’ solution has been made available here.