Microsoft Windows Vista Vulnerable To Zero-Day Attacks
Peter Suciu for redOrbit.com – Your Universe Online
Microsoft Windows Vista was far from a hit with users when it debuted worldwide in 2007, and now the operating system has given users another reason to dislike it: it could expose them to attacks by hackers.
On Tuesday Microsoft warned its customers of a so-called zero-day vulnerability that apparently targets the older versions of Microsoft Windows as well as Microsoft Office. So far, attacks have been reported in the Middle East and South Asia.
This particular attack doesn’t affect the later versions of Windows, including Windows 7 and Windows 8. It does work against Windows Vista and Windows Server 2008, as well as Microsoft Office 2003 through 2010.
“Microsoft is investigating private reports of a vulnerability in the Microsoft Graphics component that affects Microsoft Windows, Microsoft Office, and Microsoft Lync. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability in Microsoft Office products,” the company posted via an official Microsoft Security Advisory.
“The vulnerability is a remote code execution vulnerability that exists in the way affected components handle specially crafted TIFF images. An attacker could exploit this vulnerability by convincing a user to preview or open a specially crafted email message, open a specially crafted file, or browse specially crafted web content. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” it said.
Microsoft has said a fix could be delivered either as a security update through its monthly release program or separately as an out-of-cycle patch. In the meantime, the company has suggested that users disable the TIFF codec.
“As a best practice, we always encourage customers to follow the ‘Protect Your Computer’ guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software,” Dustin C. Childs, manager for incident response communications within the Trustworthy Computing Group at Microsoft, said in a blog post. “We also encourage customers to exercise caution when visiting websites and avoid clicking suspicious links or opening email messages from unfamiliar senders.”
Microsoft continues to look for potential vulnerabilities within its operating system.
Last month, the Redmond, WA-based software giant paid a British hacker $100,000 for discovering a bug and reporting it. James Forshaw was awarded the largest bounty to date, and this is on top of the $9,400 he had earned for identifying security bugs in a preview release of Microsoft’s Internet Explorer 11.
Microsoft had set up a bug bounty program back in June to encourage hackers to report their findings.
Mozilla, Google and Facebook have similar bounty programs already in place, and while Microsoft had long resisted the approach, it apparently made the shift to learn about potential vulnerabilities earlier and to increase the security for its customers.
This latest security flaw appears to have gone undiscovered for some time. Windows Vista was released worldwide in early 2007 and replaced by Windows 7 in 2009. Windows 8, which was released last October, had already been outperforming Vista by last November.