NOVEMBER 15, 2013
Your regular source of security updates from TrendLabs℠



Security Spotlight

How to Avoid the Latest Microsoft Office Bug

“Any software will always have bugs, but you can minimize the risks of becoming an exploit victim.”



Early this month, Microsoft announced that an unpatched zero-day vulnerability was being used in targeted attacks in certain countries. The vulnerability exists in certain versions of Microsoft Office 2003, 2007, and 2010, and in Windows XP and Windows Server 2003.

Zero-Day Mayday

The vulnerability, as Microsoft reported, seems to stem from how older versions of Office and Windows graphic components process .TIFF files. .TIFF files are usually high-definition image files, popular among graphic artists and photographers.

Cybercriminals have been exploiting the vulnerability identified as CVE-2013-3906 by embedding a malicious .TIFF file in a .DOC file that is then used as an attachment to spam. Opening the malicious attachment leads to vulnerability exploitation, which allows a cybercriminal to gain the same account privileges on the computer as the logged-in user. This compromises the affected computer’s security, especially if the currently logged-in user has administrator privileges.

Countermeasures

While the attack was only spotted in certain parts of South Asia and the Middle East, it’s only a matter of time before other countries are affected. As such, we strongly urge individuals and organizations alike to learn and understand the basics of social engineering—what it is, how to recognize it, and how to avoid it. Being informed can greatly reduce the risk of falling prey to such an attack.

The fact that the bug only affects outdated versions of Microsoft Office and Windows proves how important updating software and OSs is. Microsoft has already released a temporary fix for it and a more permanent patch is already in the works. But constantly waiting for software vendors to come up with patches for outdated software can needlessly expose vulnerable computers to exploits in the long run. You need to realize the security benefits of keeping software and OSs not only properly patched but also updated to the latest versions.

Any software will always have bugs, but you can minimize the risks of becoming an exploit victim by heeding simple advice like:

  • Update software to the most recent versions. Regularly updating your software ensures that it is free from vulnerabilities that exist but may not have been found yet in past versions.
  • Learn about social engineering. The only way to avoid becoming a social engineering victim is to know more about it.
  • Use security software. Security software that monitors your incoming mail for spam and malicious attachments can foil such an attack.
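
The delivery pattern described above (a .TIFF image embedded in an Office document sent as a mail attachment) can be screened for at the mail gateway. The following is an added example, not Trend Micro's or Microsoft's code: a triage heuristic that flags Office attachments carrying TIFF image data. It also covers ZIP-based Office files, beyond the .DOC case in the text; the file names and the sample message are constructed, and a hit only marks an attachment for closer inspection.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls/.ppt container
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")           # little- and big-endian TIFF headers

def tiff_findings(data: bytes) -> list[str]:
    """Return where TIFF image data appears inside one Office attachment."""
    hits = []
    if data.startswith(OLE_MAGIC):
        # Legacy binary document: embedded images sit somewhere in the streams,
        # so scan the raw bytes for a TIFF header (heuristic, can false-positive).
        hits += [f"ole@{data.find(m)}" for m in TIFF_MAGICS if m in data]
    elif zipfile.is_zipfile(io.BytesIO(data)):
        # ZIP-based Office document: each embedded image is its own ZIP member.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                with zf.open(info) as member:
                    head = member.read(4)
                if head in TIFF_MAGICS or info.filename.lower().endswith((".tif", ".tiff")):
                    hits.append(info.filename)
    return hits

def triage_message(raw: bytes) -> dict[str, list[str]]:
    """Map each attachment that carries TIFF data to the locations found."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        hits = tiff_findings(part.get_payload(decode=True) or b"")
        if hits:
            report[part.get_filename() or "(unnamed)"] = hits
    return report

def build_sample() -> bytes:
    """Constructed message: a ZIP-based file with a TIFF part, a legacy file
    without one, and a legacy file with a TIFF header inside it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.bin", b"II*\x00" + b"\x00" * 16)
    msg = EmailMessage()
    msg.set_content("see attached")
    for name, data in (("report.docx", buf.getvalue()),
                       ("clean.doc", OLE_MAGIC + b"\x00" * 64),
                       ("invoice.doc", OLE_MAGIC + b"\x00" * 56 + b"MM\x00*" + b"\x00" * 8)):
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

Calling `triage_message(build_sample())` reports the two attachments that contain TIFF data and omits the clean one. The ZIP member is caught by its header bytes even though its name does not end in .tif.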

Copyright ©2013 Trend Micro Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other company and/or product names may be trademarks or registered trademarks of their respective owners. The information contained in this document is subject to change without prior notice.

www.trendmicro.com
