A newly discovered security hole in Office could allow remote code execution
Microsoft has discovered a vulnerability in the graphics component of its Windows, Office, and Lync software that could allow hackers to execute malicious code from a remote location. The software giant said it is aware of targeted attacks that attempt to exploit the vulnerability in Office and has suggested a series of workarounds until it can issue a permanent patch. In the meantime, Microsoft has made available a piece of "Fix it" software to automatically apply the workaround procedures in affected products.
"The vulnerability is a remote code execution vulnerability that exists in the way affected components handle specially crafted TIFF images. An attacker could exploit this vulnerability by convincing a user to preview or open a specially crafted email message, open a specially crafted file, or browse specially crafted web content," Microsoft explains in Security Advisory 2896666. "An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
The Fix it solution applies to various flavors of Windows Server 2008, Windows Vista, Office, and Lync. Since there have been documented attacks on Office users, anyone using Office should install the Fix it to err on the side of caution.