Sophos Cloud Optix
Microsoft is warning about a brand new security hole in Windows that could let criminals get control of your computer through booby-trapped image files.
The flaw, dubbed CVE-2013-3906, is described by Redmond’s security experts as a “remote code execution vulnerability that exists in the way affected components handle specially crafted TIFF images.”
In short: just opening a maliciously-tweaked TIFF image could lead to what’s known as a drive-by download, or drive-by install, where malware is silently installed onto your computer without any warning message or “are you sure” dialog.
Zero-day
The CVE-2013-3906 hole is a zero-day – security jargon that means “the crooks got there first,” with the vulnerability coming to Microsoft’s attention as the result of successful in-the-wild attacks, not through responsible disclosure.
In other words, attacks are not merely likely or imminent, but actually already happening, before a patch is available.
So far, the attacks we’re aware of have relied on embedding booby trapped TIFF images inside DOCX files (documents from Office 2007 and later).
Someone sends you a specially constructed document, for example by email; you open it to see if it’s really worth opening; and that’s that – you’re infected.
But Microsoft has also warned that CVE-2013-3906 might be exploitable through a range of different activities, such as:
- Previewing or opening a specially-crafted email.
- Opening a specially crafted file such as an attachment or download.
- Browsing to a poisoned web page.
Fix it
Fortunately, even though there isn’t a full and formal patch ready yet, Microsoft has published a Fix it tool that will quickly render your computer immune to this particular attack.
The Fix it works by telling Windows not to process TIFF files, thus neatly sidestepping the issue of booby-trapped images.
You can achieve the same result by hand (or with a scripting tool, or a group policy object) by setting the following entry in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\Gdiplus\DisableTIFFCodec = 1
Of course, if your workflow requires you to be able to open and view TIFF files, you can’t use the DisableTIFFCodec option.
However, if you try the fix and it gets in the way, it can easily be reversed simply by deleting the abovementioned registry entry: no permanent system changes are made when the Fix it is run.
→ The subkey Gdiplus mentioned above does not exist by default, so searching for it probably won’t work. Go to the key HKLM\SOFTWARE\Microsoft, create the subkey Gdiplus and add into it a DWORD value named DisableTIFFCodec. Set this value to 1.
Our advice
We advise the following:
- Don’t run as administrator all the time. That way, if you do get attacked, you limit the extent of your exposure.
- Be cautious of unsolicited attachments.
- Make sure your anti-virus is updating frequently and correctly to maximise your protection.
- Try out the Fix it unless you are certain in advance that it will get in the way.
As fellow writer Lee Munson pointed out, November’s monthly Patch Tuesday update is due out next week, so it is possible that a permanent patch will not be available until December.
Be on your guard – and apply the Fix it if you can.
Sophos blocks the various components of this attack as follows:
- Exp/20133906-A
- Troj/20133906-A
- Troj/20133906-B
- Troj/DocDrp-C
Is the fix a Dword, Qword or Binary value
DWORD. (Now stated in the article, thanks.)
Apparently this fixit doesn’t apply to Windows 8.1 Pro (just tried it)
Do you have Office 2013? If so, Windows 8.1 plus Office 2013 *seems* to be on the list of 'unaffected software'.
Yes
Not for Windows 7 either it seems.
Check the actual advisory for what is and is not affected. http://technet.microsoft.com/security/advisory/28…
I have Windows 7 Ultimate and I searched my entire registry for either gdiplus or DisableTIFFCodec and couldn't find either. It's also not in the path given in the article. Is this a Windows 8 thing only?
Perhaps I should have made that clearer…
Go to the key:
HKEY_LOCAL_MACHINESOFTWAREMicrosoft
Create (if it does not already exist) a subkey called:
Gdiplus
And in it create a DWORD value:
DisableTIFFCodec = 1
(I added a short note to that effect in the article – thanks for the suggestion. I'd probably have started off with a search, too, and been crestfallen when it failed 🙂
Is this a 32-bit DWORD or a 64-bit DWORD?
"Don't run as administrator all the time."
You know that sounds practical in writing but in real life, especially in a work environment, it's just not realistic. I oversee a shop full of Macs and PCs and I can't get away with that on any version of Windows. Too many little glitchy things start to happen. Too much software and too many parts of the system assume you have admin access. It sure would be nice if running as a non-admin were a feasible option.
I don't understand why you need to be admin while reading a Word document, or doing email, or reading Naked Security.
You can "run as administrator" when you need to, and not when you do not.
It isn't as convenient but it can greatly reduce the side-effects of a disaster.
(Imagine the difference in impact in a CryptoLocker incident between a users logged in as themselves, and a user who is network admin – the latter pretty much has write access *everywhere*, thus toasting everyone's files!)
In my experience, whenever a Windows program requires admin to run for seemingly no good reason, it's because whoever coded it put a writable config file in the Program Files directory instead of the more appropriate appdata directory. I'm amazed there are still programs written this way.
I understand the risk but the reality is that in a production environment (where I can assure you users are doing a lot more than just reading email or opening Word documents) it's absolutely not feasible. The place where I work has deadlines left and right and users don't have a single minute to spare for that kind of hassle.
Microsoft has made huge strides over the years with Windows but they need to re-engineer the internals and encourage third party software vendors to remove the need to run as admin. Giving users local admin privileges is the only way I've seen over the years to eradicate most of these problems. And I can assure you, too much software out there assumes the user has admin privileges. Take that away and half the production software we use starts limping along or failing outright.
They key to successfully eliminating local admins is to also us MS AppLocker. See http://technet.microsoft.com/en-us/library/dd7236….
With AppLocker, you can explicitly whitelist troublesome apps. You can also whitelist application publishers to allow users to install things they may need to do on their own like printer drivers. So whitelist HP, Epson, Canon, Xerox, nVidia, maybe Adobe & Oracle to let their auto-updaters function.
AppLocker also lets you blacklist apps & publishers so you can block inappropriate apps like unapproved browsers. And it's rules are granular enough that you could, for instance, allow only version 11.0.2 of Adobe Reader (disallowing all previous versions).
That someone at a SysAd level doesn't see that the dangers of running as Admin vastly outweighs the aggravation of "glitchy things" depresses me.
And if you're in some sort of environment where it's ABSOLUTELY necessary for someone to run as Admin, limit exposure by taking that box off the net and use a second machine for reading email as a non-admin user. Granted, it may be a PITA and may be more expensive, but it pales in comparison to a compromise. Ask DigiNotar. Ask Adobe. Ask [etc].
I set up my kitchen laptop to run as User. I do a fair amount of exotic stuff on it. About the only times I have to switch to Administrator is for Adobe and Magellan updates and some (not all) software installs.
This provides an interesting quality check on software. When open-source like the VLC player installs as User (opens a GUI RunAs prompt) but Adobe dies, you don't have to ask which team has the better quality–it's obvious.
MS Advisory says it only affects Vista and Office 2003-2010. Does that mean you have to be running 2003-2010 ON Vista to be vulnerable? Will you be unaffected if you run Office 2003-2010 on Win 7 and 8?
I suspect it's Vista *OR* Office 2003-10 (or Lync 2013), so if you're running Office 2010 on Win8.1, you're still vulnerable.
Yes, I have the same question, as I run Office 2010 on Windows7. Does anyone know if I should apply this fix?
What are the key difference that make WIN7 unaffected? There are still quite a few .DLL without the ASLR flag, so how does work for WIN7 differ from that for XP/VISTA?
Paul, an important question: Do you know if the MS updates this week fixed the problem inside our ‘puters?
Don’t bother putting this DWORD in your registry if you have any of the below installed…
Non-Affected Software
Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
…
[list shortened for space – see MS official lists for full story…]
…
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2 (Server Core installation)
had a dealing with such an image but Sophos antivirus detected it very well. and removed it without a problem
If you have tiff's associated with a different program is this still applicable
Can I just check that this is for Windows 7 again? I have applied the registry setting on a test computer (with a view to push this out by GP) and can still open tiffs. On XP mode the registry setting blocks as expected.
I see that some of you are confused on network environments and the software used in it.
Some industries have a software they HAVE to use on their network and if the scenario calls for setting local users as admins, there is no alternative. And there are many programs written "to be used under admin privileges" and the IT department has to install it and configure it. They don't have time (or in some cases the authority) to say "hey uh we need this program to work in a non admin configuration". Some software I've seen used is from vendors that don't even exist anymore, but the company HAS to use it. I agree that it sucks on the security aspect, but the major factor is IT has to compromise for better or worse.
But you don't have to run as administrator *all* the time just because you want/need to run as administrator *some* of the time.
On Linux/OS X/UNIX, you can use the "sudo" command to promote yourself only when required; on Windows you have "RUNAS" (or the "Run as…" right click option).
Of course, if you open a root/admin command prompt with sudo or RUNAS, then everything you do from there is root/admin, so it's not foolproof.
(NB. You can use sudo and RUNAS to reduce privilege, too, which is handy, too.)
I'd attempt to train users where I work to do that. I'd get half of them to do it, but the other half would make a fuss and my director would just tell me to put everyone as an administrator. I'm always fighting a losing battle, lol