Thursday 7 November 2013

Microsoft Lync Zero Day Attack




On 5th November the Microsoft zero-day vulnerability was reported by McAfee Labs senior security researcher Haifei Li. The bug affects a range of products including Lync clients. Microsoft have been informed of on-going targeted attacks mostly in the Middle East and South Asia that have exploited this flaw.
The vulnerability is due to a bug in the handling of TIFF files and results in memory corruption which can be exploited to gain elevated access to the targeted system.

Lync products affected include:
Microsoft $100,000 Bug Reward

Lync 2010 x86, x64
Lync 2010 Attendee
Lync 2013 x86, x64
Lync Basic 2013 x86, x64
Office 365 is not affected by the exploit.

Microsoft have released a temporary patch to block rendering of the TIFF format using the registry mod below: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Gdiplus\DisableTIFFCodec = 1

Microsoft advise installing EMET (the Enhanced Mitigation Experience Toolkit) that is able to mitigate this exploit in advance when any of the following mitigations are enabled for Office binaries:
Multiple ROP mitigations (StackPointer, Caller, SimExec, MemProt) available in EMET 4.0
Other mitigations (MandatoryASLR, EAF, HeapSpray ) included in EMET 3.0 and 4.0

EMET can be deployed via group policy or SCCM for blanket coverage of all vulnerable clients.