Microsoft warns Windows users of zero-day danger from booby trapped image files

Microsoft is warning about a brand new security hole in Windows that could let criminals get control of your computer through booby-trapped image files.

The flaw, dubbed CVE-2013-3906, is described by Redmond’s security experts as a “remote code execution vulnerability that exists in the way affected components handle specially crafted TIFF images.”

In short: just opening a maliciously-tweaked TIFF image could lead to what’s known as a drive-by download, or drive-by install, where malware is silently installed onto your computer without any warning message or “are you sure” dialog.


The CVE-2013-3906 hole is a zero-day – security jargon that means “the crooks got there first,” with the vulnerability coming to Microsoft’s attention as the result of successful in-the-wild attacks, not through responsible disclosure.

In other words, attacks are not merely likely or imminent, but actually already happening, before a patch is available.

So far, the attacks we’re aware of have relied on embedding booby trapped TIFF images inside DOCX files (documents from Office 2007 and later).

Someone sends you a specially constructed document, for example by email; you open it to see if it’s really worth opening; and that’s that – you’re infected.

But Microsoft has also warned that CVE-2013-3906 might be exploitable through a range of different activities, such as:

  • Previewing or opening a specially-crafted email.
  • Opening a specially crafted file such as an attachment or download.
  • Browsing to a poisoned web page.

Fix it

Fortunately, even though there isn’t a full and formal patch ready yet, Microsoft has published a Fix it tool that will quickly render your computer immune to this particular attack.

The Fix it works by telling Windows not to process TIFF files, thus neatly sidestepping the issue of booby-trapped images.

You can achieve the same result by hand (or with a scripting tool, or a group policy object) by setting the following entry in the registry:

   Microsoft\Gdiplus\DisableTIFFCodec = 1

Of course, if your workflow requires you to be able to open and view TIFF files, you can’t use the DisableTIFFCodec option.

However, if you try the fix and it gets in the way, it can easily be reversed simply by deleting the abovementioned registry entry: no permanent system changes are made when the Fix it is run.

→ The subkey Gdiplus mentioned above does not exist by default, so searching for it probably won’t work. Go to the key HKLM\SOFTWARE\​Microsoft, create the subkey Gdiplus and add into it a DWORD value named DisableTIFFCodec. Set this value to 1.

Our advice

We advise the following:

  • Don’t run as administrator all the time. That way, if you do get attacked, you limit the extent of your exposure.
  • Be cautious of unsolicited attachments.
  • Make sure your anti-virus is updating frequently and correctly to maximise your protection.
  • Try out the Fix it unless you are certain in advance that it will get in the way.

As fellow writer Lee Munson pointed out, November’s monthly Patch Tuesday update is due out next week, so it is possible that a permanent patch will not be available until December.

Be on your guard – and apply the Fix it if you can.

Sophos blocks the various components of this attack as follows:

  • Exp/20133906-A
  • Troj/20133906-A
  • Troj/20133906-B
  • Troj/DocDrp-C