Microsoft has issued a new security advisory against an exploit that hackers are using to target a zero-day vulnerability in Microsoft Office. A temporary ‘Fix It’ tool has been released by the company; a permanent fix is yet to be rolled out.
A pre-existing vulnerability in some versions of Microsoft office has raised fresh concerns in the IT world. This vulnerability is unknown, and is being used by hackers to launch targeted attacks against selected computers. Microsoft has stated that, it has received reports of such attacks in Middle East and South Asia.
What is the Security Vulnerability?
The security vulnerability is a flaw in the way Microsoft Graphics components handle graphical images. A hacker can exploit this flaw to remotely take over the victim’s computer and gain the user’s current rights.
Affected Versions of Microsoft Office
Office 2010 [affected only on Windows XP and Windows Server 2003]
Non-affected Versions of Microsoft Office
Nature of Attack
The attack does not occur automatically; it requires user interaction. In one scenario, the victim may receive an enticing email attachment containing the email. Opening the attachment will launch the infection. Similarly, the exploit may arrive in the guise of an email message or it may be hiding in a web page.
What is the Solution?
Microsoft has not yet released any permanent fix to deal with this security flaw. However, it has rolled out a temporary solution called Fix it tool. It is strongly recommended that users whose computers lie in the risk zone, install this tool at the earliest.
Note: This security vulnerability also affects certain components of Microsoft Windows and Microsoft Lync. You can read the official security advisory released by Microsoft on this matter.
What do we suggest?
As the attack requires user interaction, there are a lot of things you can do to stay safe:
We will keep you posted if any new developments on this matter come up. And until Microsoft rolls out a permanent patch, consider using the Fix It tool, and the precautions as outlined in this post.