BreachExchange mailing list archives

Researcher believes Microsoft zero-day is targeting Pakistan


From: Lee J <lee () riskbasedsecurity com>
Date: Thu, 7 Nov 2013 12:23:42 +1100

http://www.scmagazine.com//researcher-believes-microsoft-zero-day-is-targeting-pakistan/article/319848/

Microsoft issued an advisory on Tuesday warning users of a zero-day
vulnerability related to a graphics component that is being exploited in
targeted attacks using emailed Microsoft Office documents.

The computer software giant issued a Fix It workaround that it said should
curb attacks until the vulnerability can be rectified in a final patch.
The flaw affects Microsoft Office 2003, 2007 and 2010, as well as certain
versions of the Windows operating system and Microsoft Lync.

“The vulnerability is a remote code execution vulnerability that exists in
the way affected components handle specially crafted TIFF images,”
according to the advisory. “An attacker could exploit this vulnerability by
convincing a user to preview or open a specially crafted email message,
open a specially crafted file, or browse specially crafted web content. An
attacker who successfully exploited the vulnerability could gain the same
user rights as the current user.”

Observed attacks, although limited, have been carried out against selected
computers, notably in the Middle East and South Asia, according to a
Microsoft release.

“The exploit needs some user interaction since it arrives disguised as an
email that entices potential victims to open a specially crafted Word
attachment,” according to the Microsoft release. “This attachment will
attempt to exploit the vulnerability by using a malformed graphics image
embedded in the document itself.”

Jaime Blasco, a research director with security services provider
AlienVault, suggests the exploit is being used to target Inter-Services
Intelligence, the premier intelligence service for Pakistan, as well as the
Pakistani military.

The payload protocol is the same one used in Operation Hangover, a
cyber espionage campaign uncovered this spring, based out of India and
carried out against Pakistan, China and the U.S., Blasco said.

“We can confirm that the downloader is based on the Deksila downloader not
only because it generates similar HTTP traffic, but also the way it
retrieves information from the system and even the raw strings from both
payloads,” according to the Blasco post.

Microsoft regularly patches its supported products in Patch Tuesday updates
– which occur on the second Tuesday of every month – so only time will tell
if the vulnerability will be addressed on Nov. 12.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
