Thursday 7 November 2013

Microsoft releases workaround fix for Office, Lync and Windows Server exploit

Microsoft Trustworthy Computing (TwC) has released a workaround fix for a vulnerability in older versions of its Office, Lync and Windows Server services.
TwC group manager of response communications, Dustin Childs, announced the workaround fix in a blog post. "We are aware of targeted attacks, largely in the Middle East and South Asia," he noted.
"While we are actively working to develop a security update to address this issue, we encourage our customers concerned with the risk associated with this vulnerability, to [...] apply the Microsoft Fix it solution, disable the TIFF Codec that prevents exploitation of the issue [and] deploy the Enhanced Mitigation Experience Toolkit (EMET)."
Childs confirmed the attacks target the flaw using a nefarious phishing message. The Microsoft manager moved to downplay the attacks' significance, promising customers using the latest version of Windows and Office are safe.
"The current versions of Microsoft Windows and Office are not affected by this issue. The exploit requires user interaction as the attack is disguised as an email requesting potential targets to open a specially crafted Word attachment," he explained.
"If the attachment is opened or previewed, it attempts to exploit the vulnerability using a malformed graphics image embedded in the document. An attacker who successfully exploited the vulnerability could gain the same user rights as the logged on user."
It is currently unclear when the full patch for the flaw will be released and Microsoft declined V3's request for further details. The lack of information means the update will presumably arrive as a part of Microsoft's monthly Patch Tuesday later this month.
Vice president and general manager at Barracuda Networks, Wieland Alge, cited the new targeted attack campaign as further evidence businesses of all sizes need to be more proactive about upgrading their systems.
"The ongoing action item for organisations of all sizes, however, is to enforce deeper defence and establish more resilient architectures. The technology and products are there and this time, the small and medium businesses cannot wait longer than the large ones to implement them," he said.
Businesses' sluggish approach to upgrading their systems has been an ongoing problem facing the security community. Security professionals have highlighted businesses' ongoing use of the near-decade-old Windows XP as being particularly troubling.
Microsoft will officially end support for its Windows XP operating system on 8 April 2014. This means XP will not receive any further security updates, potentially leaving businesses using it open to a myriad of new cyber threats.
