TIFF Images Linked To Drive-By Download Malware

Microsoft has issued a statement that certain booby-trapped image files can expose computers to malware. The flaw has been dubbed CVE-2013-3906 by Redmond's security experts: a remote code execution vulnerability that exists in the way systems handle specially crafted TIFF files. TIFF stands for Tagged Information File Format.

Just opening a malicious TIFF file can trigger a drive-by download or drive-by install, in which malware is installed on your computer without a warning dialog ever being shown.

This is a zero-day security flaw, which means it was ongoing attacks that actually brought it to Microsoft's attention. In other words, attacks are not merely likely or imminent; in this case they are actually happening before a patch is available.

The attacks reported to date have come from TIFF files embedded inside DOCX files (Office 2007 and later). Someone sends you a specially crafted document by email, you open it to see whether it is actually "worth opening", and boom. You're infected.
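Because the reported attacks hide the TIFF inside a DOCX container, a defender's first check is whether a received document actually carries one. The following script is an added example, not code from the original article or from Microsoft: it treats the .docx as the ZIP archive it is and identifies TIFF entries by their file signature ("II*\0" for little-endian, "MM\0*" for big-endian) rather than by extension, so a TIFF renamed to .png is still reported. It assumes .NET's System.IO.Compression is available (it is on Windows PowerShell 5 and PowerShell 7); the function name Find-EmbeddedTiff is this example's own.

```powershell
# Added example (not from the original article): list TIFF images embedded in a
# .docx by inspecting entry signatures inside the ZIP container.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Find-EmbeddedTiff {
    param([Parameter(Mandatory)][string]$Path)

    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    } catch {
        Write-Warning "$Path is not a readable ZIP/DOCX container: $($_.Exception.Message)"
        return
    }

    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.Length -lt 4) { continue }   # directories and tiny entries

            # Read exactly the first four bytes; DeflateStream may return fewer per call.
            $header = New-Object byte[] 4
            $total  = 0
            $stream = $entry.Open()
            try {
                while ($total -lt 4) {
                    $n = $stream.Read($header, $total, 4 - $total)
                    if ($n -le 0) { break }
                    $total += $n
                }
            } finally { $stream.Dispose() }
            if ($total -lt 4) { continue }

            $sig = ($header | ForEach-Object { $_.ToString('X2') }) -join ''
            if ($sig -eq '49492A00' -or $sig -eq '4D4D002A') {
                [pscustomobject]@{
                    Document         = $Path
                    Entry            = $entry.FullName
                    Bytes            = $entry.Length
                    ByteOrder        = if ($sig -eq '49492A00') { 'II (little-endian)' } else { 'MM (big-endian)' }
                    ExtensionMatches = [bool]($entry.FullName -match '\.tiff?$')   # False means the extension lies
                }
            }
        }
    } finally { $zip.Dispose() }
}

# Usage: scan every .docx under the current folder (constructed usage, adjust the path).
Get-ChildItem -Path . -Filter *.docx -Recurse -File |
    ForEach-Object { Find-EmbeddedTiff -Path $_.FullName } |
    Format-Table -AutoSize
```

A hit does not by itself mean the document is malicious, since legitimate documents embed TIFF scans too; the point is that a TIFF arriving in a document you did not expect, or one whose entry name carries a different image extension, is worth quarantining and examining before anyone opens it.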

Microsoft has also pointed out other ways your computer can become infected:

  • Previewing or opening a specially crafted email.
  • Opening a specially crafted file such as an attachment or download.
  • Browsing to a poisoned web page.

The good news is that, while there is no official patch ready for download yet, Microsoft has published a "Fix it" tool that quickly renders your computer immune. It does this by having Windows simply refuse to load TIFF files (it disables the GDI+ TIFF codec), which protects you when downloading or viewing documents containing these malicious TIFF files.

You can achieve the same result by hand, if you know your way around the registry, by setting this value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Gdiplus\DisableTIFFCodec = 1

But if your workflow requires you to be able to open TIFF files, then this workaround is not an option for you.

If you find that this fix gets in the way of your day-to-day work, you can easily reverse it by removing the value from the registry.
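The manual registry change above, together with its reversal, as one script. This is an added example, not the original article's text or Microsoft's Fix it tool, and it is written for an elevated (Administrator) PowerShell session. It assumes the value is a DWORD under HKLM\SOFTWARE\Microsoft\Gdiplus as the article gives it; the additional Wow6432Node path, meant to cover 32-bit programs on 64-bit Windows, is this example's own assumption and should be confirmed against Microsoft's advisory before you rely on it. The function names and the -Action parameter are likewise this example's own.

```powershell
# Added example (not from the original article or from Microsoft): report, apply,
# or revert the DisableTIFFCodec workaround for CVE-2013-3906.
# Save as Set-TiffCodec.ps1 and run elevated:
#   .\Set-TiffCodec.ps1                  # show current state only (default)
#   .\Set-TiffCodec.ps1 -Action Apply    # set DisableTIFFCodec = 1
#   .\Set-TiffCodec.ps1 -Action Revert   # remove the value again
param(
    [ValidateSet('Status', 'Apply', 'Revert')]
    [string]$Action = 'Status'
)

$ValueName = 'DisableTIFFCodec'
$KeyPaths  = @('HKLM:\SOFTWARE\Microsoft\Gdiplus')   # the key named in the article
if ([Environment]::Is64BitOperatingSystem) {
    # Assumption: 32-bit GDI+ consumers read the WOW64-redirected key; confirm with the advisory.
    $KeyPaths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Gdiplus'
}

function Get-TiffCodecState {
    # One object per key: the raw value and whether the TIFF codec is disabled there.
    foreach ($path in $KeyPaths) {
        $current = $null
        if (Test-Path $path) {
            $current = (Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        }
        [pscustomobject]@{ Key = $path; Value = $current; Disabled = ($current -eq 1) }
    }
}

function Disable-TiffCodec {
    # Create the key if it does not exist and set DisableTIFFCodec = 1 (DWORD).
    foreach ($path in $KeyPaths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Enable-TiffCodec {
    # Reverse the workaround by deleting the value, as the article describes.
    foreach ($path in $KeyPaths) {
        if (Test-Path $path) {
            Remove-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
        }
    }
}

switch ($Action) {
    'Apply'  { Disable-TiffCodec }
    'Revert' { Enable-TiffCodec }
}
Get-TiffCodecState | Format-Table -AutoSize
```

After -Action Apply the status table should show Disabled = True for every key listed; after -Action Revert the Value column is empty again. Running the script with no arguments is read-only, so it doubles as a quick audit of whether the workaround is in place on a machine.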

Things to keep in mind: try not to run your computer as an administrator all the time; be mindful of where your email is coming from, and if you don't recognize the sender, don't open it; and make sure your anti-virus is updated frequently so it can keep you safe from many of the attacks currently circulating.