Microsoft Patch Tuesday - three critical updates coming, but no TIFF zero-day fix yet


November's Patch Tuesday is coming up this week, and Microsoft's usual "announcement that doesn't say an awful lot" is out to help us prepare.

There are eight bulletins, three of them are critical, and you will need to reboot.

Pretty much what you expected, in fact.

Of course, this month's big question is, "Will the recently-announced Windows zero-day get fixed?"

That's not just a big question, but an important one, so Microsoft has addressed it explicitly.

The answer, I am sorry to have to tell you, is, "No."

However, the unusually loose-lipped advisory blog posting (by Microsoft Patch Tuesday standards) that goes along with this month's Security Bulletin Advance Notification is very useful.

So, if you will forgive us taking a small side-trip into what isn't handled in Patch Tuesday, we'll take a quick look at it.

What's not fixed

The recent zero-day, which allows crooks to attack your computer using booby-trapped TIFF images, has created a lot of confusion amongst users and administrators trying to work out which of their computers are at direct risk.

Microsoft's original notification didn't help, listing Windows XP, 7 and 8, for example, as "non-affected platforms," but Office 2003 to 2010 as "affected."

Judging by some of our readers' comments, we weren't alone in wondering which took precedence - the unaffected operating system version or the affected software.

Because the zero-day is not getting patched this month, Microsoft has done its best to clear up the confusion, so we can now tell you that:

  • If you have Windows Vista or Server 2008, you are vulnerable to the TIFF zero-day no matter what additional software you have.
  • If you have Office 2003 or 2007, you are vulnerable no matter what Windows version you have.
  • If you have Microsoft Lync of any flavour, you are vulnerable no matter what Windows version you have.
  • If you have Office 2010 you are vulnerable, but only if you are running on Windows XP or Server 2003.

Just to remind you: the TIFF zero-day can be avoided with Microsoft's Fix it, or by manually setting this registry entry:

   Microsoft\Gdiplus\DisableTIFFCodec = 1

Of course, as fellow Naked Security expert Chester Wisniewski pointed out in our recent podcast, this will probably stop you opening TIFF files that you do want to access, such as those produced by network-based fax and scanning software.

If, however, it's years since you received a fax, and you have long made do with image support only for JPEG and PNG files - as have I - then the Fix it should do you no harm, and plenty of good.
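To apply the four rules above across a fleet, the following added example (not code from Microsoft or from the original article) triages a host inventory and reports which rule makes each machine vulnerable. The host records, the field names and the `disable_tiff_codec` field, which stands for the `DisableTIFFCodec` registry value as collected by your own inventory tooling, are assumptions made for illustration.

```python
# Added example: exposure triage for the TIFF zero-day, using the four rules
# listed in the article. Host records and field names are constructed.

OS_ALWAYS_VULNERABLE = {"Windows Vista", "Windows Server 2008"}
OFFICE_ALWAYS_VULNERABLE = {"Office 2003", "Office 2007"}
OFFICE_2010_VULNERABLE_ON = {"Windows XP", "Windows Server 2003"}


def exposure_reasons(host):
    """Return every rule from the article that makes this host vulnerable."""
    os_name = host["os"]
    software = set(host.get("software", []))
    reasons = []
    if os_name in OS_ALWAYS_VULNERABLE:
        reasons.append(f"{os_name} is vulnerable regardless of installed software")
    for product in sorted(software & OFFICE_ALWAYS_VULNERABLE):
        reasons.append(f"{product} is vulnerable on any Windows version")
    if any(name.startswith("Lync") for name in software):
        reasons.append("Lync is vulnerable on any Windows version")
    if "Office 2010" in software and os_name in OFFICE_2010_VULNERABLE_ON:
        reasons.append(f"Office 2010 is vulnerable on {os_name}")
    return reasons


def triage(inventory):
    """Map host name -> (status, reasons); status is exposed/mitigated/not affected."""
    report = {}
    for host in inventory:
        reasons = exposure_reasons(host)
        if not reasons:
            status = "not affected"
        elif host.get("disable_tiff_codec") == 1:
            status = "mitigated"  # workaround in place: TIFF codec disabled
        else:
            status = "exposed"
        report[host["name"]] = (status, reasons)
    return report


# Constructed sample inventory (not real hosts).
INVENTORY = [
    {"name": "ws-01", "os": "Windows 7", "software": ["Office 2010"]},
    {"name": "ws-02", "os": "Windows XP", "software": ["Office 2010"]},
    {"name": "ws-03", "os": "Windows 8", "software": ["Office 2007"],
     "disable_tiff_codec": 1},
    {"name": "srv-01", "os": "Windows Server 2008", "software": []},
    {"name": "ws-04", "os": "Windows 7", "software": ["Lync 2013"]},
]

if __name__ == "__main__":
    for name, (status, reasons) in triage(INVENTORY).items():
        print(f"{name}: {status}", *reasons, sep="\n    ")
```
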

What is fixed

As mentioned above, we can't yet tell you exactly what'll be fixed on Patch Tuesday - a marked contrast to the prompt and complete OpenSSH bug-fix bulletin we wrote about yesterday.

Of course, there are a lot more interacting components in Microsoft's Patch Tuesdays - or moving parts, as skeuomorphically-minded software engineers like to call them, even though they don't actually move at all (the parts, not the engineers).

What we can tell you is that Patch Tuesday will bring you:

  • A critical fix relevant to all versions of Internet Explorer (IE) on all platforms, on all CPUs, at all bit sizes. That means IE 6 to 11 on XP to 8.1, 32 or 64 bit, on Intel and ARM. In short, if you have Windows clients in your business, you will be updating.
  • A necessary restart, so you will be rebooting.
  • Important fixes for all versions of Office, from 2003 to 2013, and for Outlook 2007 to 2013.

As usual, keep your eye on the SophosLabs Vulnerability page to read our own assessment of the risk posed by each bulletin.

If you can't, won't, or simply don't like to update as soon as you can, our Vulnerability page is a handy aid to prioritising your patching activities.

Incidentally, we frequently recommend Server Core installs whenever you are commissioning a server that doesn't need full-blown Windows, because Server Core has less code in it to attack.

Of course, "less code to attack" doesn't mean "no code to attack," so we need to remind you that Server Core installs will need updating and rebooting this month.

Update. We originally concluded by saying that Server Core was not affected this month. As a commenter pointed out below, that's not true. The article has been corrected. [2013-11-11T09:30Z]

Note. Sophos blocks the various components of the TIFF zero-day, and attacks known to be associated with it, as follows:

  • Exp/20133906-A
  • Troj/20133906-A
  • Troj/20133906-B
  • Troj/DocDrp-C


13 Responses to Microsoft Patch Tuesday - three critical updates coming, but no TIFF zero-day fix yet

  1. Lloyd · 699 days ago

    Tuesday is the 12th :)

  2. jwmort · 699 days ago

    When is Microsoft going to address CryptoLocker and other virus / malware infections which auto run in %AppData% or %LocalAppData%?

    • Paul Ducklin · 698 days ago

      Good question...although that can be considered a weakness, I think it's fair to say it isn't strictly a vulnerability. (I don't disagree that it would be neat to stop files dropped there from running, but [a] the crooks would just drop them somewhere else and [b] AFAIK at least some legit software relies on being able to have "AppData" that includes executables.)

      So a blanket ban would cause a bit of a kerfuffle, and wouldn't do an awful lot to prevent drive-by downloads triggered by an exploit.

      • Larry Marks · 697 days ago

        Duck wrote "AFAIK at least some legit software relies on being able to have "AppData" that includes executables.) "

        Uhhh, it's called AppData, not AppCode.

        • Paul Ducklin · 697 days ago

          Don't shoot the messenger :-)

        • Ben M. · 696 days ago

          Tell that to Google: the malware known as Google Chrome installs and runs from AppData.

  3. windowsAdmin · 698 days ago

    Looking at
    Bulletin 2 and 8 also apply to Windows Server 2012 core and require a reboot, unless I am incorrectly reading the table.

    • Paul Ducklin · 698 days ago

      It is I who incorrectly read the table, even though that's hard to do because there's a special section for Server Core.

      I have emended the article. Sorry about that, and thanks for the correction!

  4. Anonymous · 698 days ago

    Does Sophos provide any coverage for the TIFF issue at present?

  5. Michelle · 697 days ago

    I have Microsoft Office for my Mac. It says I can't run this fix it when I try. Your comments say Office 2003 or 2007 without regard to platform. Do I need to do something. I'm not computer literate enough to type in the code given. ????? :-/ Help!!

    • Paul Ducklin · 697 days ago

      The TIFF zero-day is a bug in a Windows DLL (a DLL is a special kind of program that can only be used by other programs). So that image-based attack applies only to Windows platforms, not to OS X.

      I'll change the wording to make it clear I mean "Windows version", not merely "operating system version."

      (IIRC, when there is a patch that affects Macs, Microsoft explicitly use the product name "Office for Mac," not just "Office." So I think that unless the word "Mac" appears in the affected product name, they mean Office for Windows only.)

  6. Scott · 697 days ago

    According to the original posting by Microsoft on November 5th, using EMET with Office should mitigate most of the attempts to attack a machine.



About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog