
Researcher believes Microsoft zero-day is targeting Pakistan

Microsoft issued an advisory on Tuesday warning users of a zero-day vulnerability related to a graphics component that is being exploited in targeted attacks using emailed Microsoft Office documents.

The computer software giant issued a Fix It workaround that it said should curb attacks until the vulnerability can be rectified in a final patch. Affected products include Microsoft Office 2003, 2007 and 2010, as well as versions of the Windows operating system and Microsoft Lync.

“The vulnerability is a remote code execution vulnerability that exists in the way affected components handle specially crafted TIFF images,” according to the advisory. “An attacker could exploit this vulnerability by convincing a user to preview or open a specially crafted email message, open a specially crafted file, or browse specially crafted web content. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.”

Observed attacks, although limited, have been carried out against selected computers, notably in the Middle East and South Asia, according to a Microsoft release.

“The exploit needs some user interaction since it arrives disguised as an email that entices potential victims to open a specially crafted Word attachment,” according to the Microsoft release. “This attachment will attempt to exploit the vulnerability by using a malformed graphics image embedded in the document itself.”

Jaime Blasco, a research director with security services provider AlienVault, suggests the exploit is being used to target Inter-Services Intelligence, the premier intelligence service for Pakistan, as well as the Pakistani military.

The payload protocol is the same one used in Operation Hangover, a spring cyber espionage campaign based out of India and carried out against Pakistan, China and the U.S., Blasco said.

“We can confirm that the downloader is based on the Deksila downloader not only because it generates similar HTTP traffic, but also the way it retrieves information from the system and even the raw strings from both payloads,” according to the Blasco post.

Microsoft regularly patches its supported products in Patch Tuesday updates – which occur on the second Tuesday of every month – so only time will tell if the vulnerability will be addressed on Nov. 12.
