Microsoft warns Windows users of zero-day danger from booby trapped image files

Filed Under: Featured, Malware, Microsoft, Privacy, Vulnerability, Windows

Microsoft is warning about a brand new security hole in Windows that could let criminals get control of your computer through booby-trapped image files.

The flaw, dubbed CVE-2013-3906, is described by Redmond's security experts as a "remote code execution vulnerability that exists in the way affected components handle specially crafted TIFF images."

In short: just opening a maliciously-tweaked TIFF image could lead to what's known as a drive-by download, or drive-by install, where malware is silently installed onto your computer without any warning message or "are you sure" dialog.

Zero-day

The CVE-2013-3906 hole is a zero-day - security jargon that means "the crooks got there first," with the vulnerability coming to Microsoft's attention as the result of successful in-the-wild attacks, not through responsible disclosure.

In other words, attacks are not merely likely or imminent, but actually already happening, before a patch is available.

So far, the attacks we're aware of have relied on embedding booby trapped TIFF images inside DOCX files (documents from Office 2007 and later).

Someone sends you a specially constructed document, for example by email; you open it to see if it's really worth opening; and that's that - you're infected.

But Microsoft has also warned that CVE-2013-3906 might be exploitable through a range of different activities, such as:

  • Previewing or opening a specially-crafted email.
  • Opening a specially crafted file such as an attachment or download.
  • Browsing to a poisoned web page.
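Because the attacks seen so far hide the TIFF inside a DOCX, and a DOCX is just a ZIP container, one cheap triage step for a mail gateway or a quarantine folder is to look inside incoming documents for parts whose bytes begin with a TIFF signature, whatever their extension. The PowerShell below is an added example written for this article, not code from Microsoft or Sophos; the folder C:\Quarantine is an assumed placeholder, and the two signatures are the standard little-endian ("II*\0") and big-endian ("MM\0*") TIFF headers.

```powershell
# Added example (not from the article): list every part inside a .docx
# container and flag those whose first bytes carry a TIFF signature.
# Requires .NET 4.5 or later for System.IO.Compression.ZipFile.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-EmbeddedTiff {
    param([Parameter(Mandatory)][string]$Path)

    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.Length -lt 4) { continue }
            $stream = $entry.Open()
            try {
                $header = New-Object byte[] 4
                $read = $stream.Read($header, 0, 4)
            } finally {
                $stream.Dispose()
            }
            if ($read -lt 4) { continue }
            # Little-endian TIFF: 49 49 2A 00 ("II*\0"); big-endian: 4D 4D 00 2A ("MM\0*")
            $isTiff = ($header[0] -eq 0x49 -and $header[1] -eq 0x49 -and $header[2] -eq 0x2A -and $header[3] -eq 0x00) -or
                      ($header[0] -eq 0x4D -and $header[1] -eq 0x4D -and $header[2] -eq 0x00 -and $header[3] -eq 0x2A)
            if ($isTiff) {
                [pscustomobject]@{
                    Document = $Path
                    Part     = $entry.FullName
                    Bytes    = $entry.Length
                }
            }
        }
    } finally {
        $zip.Dispose()
    }
}

# Usage: scan every .docx under an assumed quarantine folder and report the
# parts that carry a TIFF signature. A hit means the document deserves a
# closer look (or a run through a sandbox), not that it is malicious.
Get-ChildItem -Path 'C:\Quarantine' -Filter *.docx -Recurse |
    ForEach-Object { Get-EmbeddedTiff -Path $_.FullName } |
    Format-Table -AutoSize
```

Checking the bytes rather than the file name matters here: a TIFF renamed to .jpg or .png inside word\media\ is still handed to the same image decoder, so an extension filter alone would miss it.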

Fix it

Fortunately, even though there isn't a full and formal patch ready yet, Microsoft has published a Fix it tool that will quickly render your computer immune to this particular attack.

The Fix it works by telling Windows not to process TIFF files, thus neatly sidestepping the issue of booby-trapped images.

You can achieve the same result by hand (or with a scripting tool, or a group policy object) by setting the following entry in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Gdiplus\DisableTIFFCodec = 1

Of course, if your workflow requires you to be able to open and view TIFF files, you can't use the DisableTIFFCodec option.

However, if you try the fix and it gets in the way, it can easily be reversed simply by deleting the abovementioned registry entry: no permanent system changes are made when the Fix it is run.

→ The subkey Gdiplus mentioned above does not exist by default, so searching for it probably won't work. Go to the key HKLM\SOFTWARE\Microsoft, create the subkey Gdiplus and add into it a DWORD value named DisableTIFFCodec. Set this value to 1.
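If you would rather apply, check or revert the registry workaround from a logon script or a management tool than by hand in Regedit, here is an added PowerShell example. It is not Microsoft's Fix it and not code from the article; it assumes an elevated (administrator) prompt, and it creates the Gdiplus subkey when it is missing, as the note above describes.

```powershell
# Added example (not from the article or from Microsoft): apply, check or
# revert the DisableTIFFCodec workaround for CVE-2013-3906.
# Run from an elevated PowerShell prompt, since the key lives under HKLM.
param(
    [ValidateSet('Apply', 'Check', 'Revert')]
    [string]$Action = 'Check'
)

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Gdiplus'
$ValueName = 'DisableTIFFCodec'

switch ($Action) {
    'Apply' {
        # The Gdiplus subkey does not exist by default; create it first.
        if (-not (Test-Path $KeyPath)) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
        # The value is a REG_DWORD set to 1 (-Force overwrites an existing value).
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Output "Applied: $KeyPath\$ValueName = 1"
    }
    'Check' {
        $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.$ValueName -eq 1) {
            Write-Output "Workaround is in place ($ValueName = 1): GDI+ will not decode TIFF files."
        } else {
            Write-Output "Workaround is NOT in place: the TIFF codec is enabled."
        }
    }
    'Revert' {
        # Deleting the value restores normal TIFF handling; nothing else was changed.
        if (Test-Path $KeyPath) {
            Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
        }
        Write-Output "Reverted: $ValueName removed from $KeyPath"
    }
}
```

Save it as, say, Set-TiffCodec.ps1 and run `.\Set-TiffCodec.ps1 -Action Apply`, `-Action Check` or `-Action Revert`. The Check action is the one to put in an inventory or compliance script, so you can confirm the workaround actually landed on each machine rather than assuming it did.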

Our advice

We advise the following:

  • Don't run as administrator all the time. That way, if you do get attacked, you limit the extent of your exposure.
  • Be cautious of unsolicited attachments.
  • Make sure your anti-virus is updating frequently and correctly to maximise your protection.
  • Try out the Fix it unless you are certain in advance that it will get in the way.

As fellow writer Lee Munson pointed out, November's monthly Patch Tuesday update is due out next week, so it is possible that a permanent patch will not be available until December.

Be on your guard - and apply the Fix it if you can.

Sophos blocks the various components of this attack as follows:

  • Exp/20133906-A
  • Troj/20133906-A
  • Troj/20133906-B
  • Troj/DocDrp-C



29 Responses to Microsoft warns Windows users of zero-day danger from booby trapped image files

  1. Terry Ess · 351 days ago

    Is the fix a Dword, Qword or Binary value

  2. Danny · 351 days ago

    Apparently this fixit doesn't apply to Windows 8.1 Pro (just tried it)

    • Paul Ducklin · 351 days ago

      Do you have Office 2013? If so, Windows 8.1 plus Office 2013 *seems* to be on the list of 'unaffected software'.

  3. Not for Windows 7 either it seems.

  4. Bill · 351 days ago

    Check the actual advisory for what is and is not affected. http://technet.microsoft.com/security/advisory/28...

  5. I have Windows 7 Ultimate and I searched my entire registry for either gdiplus or DisableTIFFCodec and couldn't find either. It's also not in the path given in the article. Is this a Windows 8 thing only?

    • Paul Ducklin · 351 days ago

      Perhaps I should have made that clearer...

      Go to the key:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft

      Create (if it does not already exist) a subkey called:

      Gdiplus

      And in it create a DWORD value:

      DisableTIFFCodec = 1

      (I added a short note to that effect in the article - thanks for the suggestion. I'd probably have started off with a search, too, and been crestfallen when it failed :-)

  6. Andre Richards · 351 days ago

    "Don't run as administrator all the time."

    You know that sounds practical in writing but in real life, especially in a work environment, it's just not realistic. I oversee a shop full of Macs and PCs and I can't get away with that on any version of Windows. Too many little glitchy things start to happen. Too much software and too many parts of the system assume you have admin access. It sure would be nice if running as a non-admin were a feasible option.

    • Paul Ducklin · 351 days ago

      I don't understand why you need to be admin while reading a Word document, or doing email, or reading Naked Security.

      You can "run as administrator" when you need to, and not when you do not.

      It isn't as convenient but it can greatly reduce the side-effects of a disaster.

      (Imagine the difference in impact in a CryptoLocker incident between a user logged in as themselves, and a user who is network admin - the latter pretty much has write access *everywhere*, thus toasting everyone's files!)

      • a_v · 351 days ago

        In my experience, whenever a Windows program requires admin to run for seemingly no good reason, it's because whoever coded it put a writable config file in the Program Files directory instead of the more appropriate appdata directory. I'm amazed there are still programs written this way.

      • Andre Richards · 350 days ago

        I understand the risk but the reality is that in a production environment (where I can assure you users are doing a lot more than just reading email or opening Word documents) it's absolutely not feasible. The place where I work has deadlines left and right and users don't have a single minute to spare for that kind of hassle.

        Microsoft has made huge strides over the years with Windows but they need to re-engineer the internals and encourage third party software vendors to remove the need to run as admin. Giving users local admin privileges is the only way I've seen over the years to eradicate most of these problems. And I can assure you, too much software out there assumes the user has admin privileges. Take that away and half the production software we use starts limping along or failing outright.

    • JohnJ · 351 days ago

      The key to successfully eliminating local admins is to also use MS AppLocker. See http://technet.microsoft.com/en-us/library/dd7236....

      With AppLocker, you can explicitly whitelist troublesome apps. You can also whitelist application publishers to allow users to install things they may need to do on their own like printer drivers. So whitelist HP, Epson, Canon, Xerox, nVidia, maybe Adobe & Oracle to let their auto-updaters function.

      AppLocker also lets you blacklist apps & publishers so you can block inappropriate apps like unapproved browsers. And its rules are granular enough that you could, for instance, allow only version 11.0.2 of Adobe Reader (disallowing all previous versions).

    • zengator · 351 days ago

      That someone at a SysAd level doesn't see that the dangers of running as Admin vastly outweigh the aggravation of "glitchy things" depresses me.

      And if you're in some sort of environment where it's ABSOLUTELY necessary for someone to run as Admin, limit exposure by taking that box off the net and use a second machine for reading email as a non-admin user. Granted, it may be a PITA and may be more expensive, but it pales in comparison to a compromise. Ask DigiNotar. Ask Adobe. Ask [etc].

    • Larry Marks · 351 days ago

      I set up my kitchen laptop to run as User. I do a fair amount of exotic stuff on it. About the only times I have to switch to Administrator is for Adobe and Magellan updates and some (not all) software installs.

      This provides an interesting quality check on software. When open-source like the VLC player installs as User (opens a GUI RunAs prompt) but Adobe dies, you don't have to ask which team has the better quality--it's obvious.

  7. Moo · 351 days ago

    MS Advisory says it only affects Vista and Office 2003-2010. Does that mean you have to be running 2003-2010 ON Vista to be vulnerable? Will you be unaffected if you run Office 2003-2010 on Win 7 and 8?

    • RichardD · 351 days ago

      I suspect it's Vista *OR* Office 2003-10 (or Lync 2013), so if you're running Office 2010 on Win8.1, you're still vulnerable.

    • SteveM · 350 days ago

      Yes, I have the same question, as I run Office 2010 on Windows7. Does anyone know if I should apply this fix?

  8. md_pepa · 351 days ago

    What are the key differences that make WIN7 unaffected? There are still quite a few .DLL without the ASLR flag, so how does the work for WIN7 differ from that for XP/VISTA?

  9. Magyver · 351 days ago

    Paul, an important question: Do you know if the MS updates this week fixed the problem inside our 'puters?

  10. Don't bother putting this DWORD in your registry if you have any of the below installed...

    Non-Affected Software

    Windows XP Service Pack 3
    Windows XP Professional x64 Edition Service Pack 2
    ...
    [list shortened for space - see MS official lists for full story...]
    ...
    Windows Server 2012 (Server Core installation)
    Windows Server 2012 R2 (Server Core installation)

  11. Andrew · 351 days ago

    Had a dealing with such an image, but Sophos antivirus detected it very well and removed it without a problem.

  12. Josh · 350 days ago

    If you have TIFFs associated with a different program, is this still applicable?

  13. Dave · 350 days ago

    Can I just check that this is for Windows 7 again? I have applied the registry setting on a test computer (with a view to push this out by GP) and can still open tiffs. On XP mode the registry setting blocks as expected.

  14. roy jones jr · 348 days ago

    I see that some of you are confused on network environments and the software used in it.
    Some industries have a software they HAVE to use on their network and if the scenario calls for setting local users as admins, there is no alternative. And there are many programs written "to be used under admin privileges" and the IT department has to install it and configure it. They don't have time (or in some cases the authority) to say "hey uh we need this program to work in a non admin configuration". Some software I've seen used is from vendors that don't even exist anymore, but the company HAS to use it. I agree that it sucks on the security aspect, but the major factor is IT has to compromise for better or worse.

    • Paul Ducklin · 348 days ago

      But you don't have to run as administrator *all* the time just because you want/need to run as administrator *some* of the time.

      On Linux/OS X/UNIX, you can use the "sudo" command to promote yourself only when required; on Windows you have "RUNAS" (or the "Run as..." right click option).

      Of course, if you open a root/admin command prompt with sudo or RUNAS, then everything you do from there is root/admin, so it's not foolproof.

      (NB. You can use sudo and RUNAS to reduce privilege, too, which is handy.)

      • roy jones jr · 347 days ago

        I'd attempt to train users where I work to do that. I'd get half of them to do it, but the other half would make a fuss and my director would just tell me to put everyone as an administrator. I'm always fighting a losing battle, lol


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog