Microsoft Warns of Zero-Day Attacks

wiredmikey writes "Microsoft released an advisory today warning users about a new zero-day under attack in targeted campaigns occurring in the Middle East and South Asia. According to Microsoft, the vulnerability resides in the Microsoft Graphics component and impacts certain versions of Windows, Microsoft Office and Lync. The problem exists in the way specially-crafted TIFF images are handled. To exploit the vulnerability, an attacker would have to convince a user to preview or open a specially-crafted email message, open a malicious file or browse malicious Web content. If exploited successfully, the vulnerability can be used to remotely execute code. The vulnerability affects Office 2003, 2007 and 2010 as well as Windows Server 2008 and Windows Vista. Right now, Microsoft Word documents are the current vector for attack."

Already there

[suso]

Don't they already put that warning on the box?

Re:

[the_skywise]

It's not on the box... it's in the EULA!

(On the box.. sheesh... Not enough room for the warnings on there...)

Re:

[GoodNewsJimDotCom]

It is like Microsoft Windows doesn't even try to be secure. It isn't too incredibly hard for executables to be unable to hammer system files if a modicum of sandboxing was involved. An example would be if applications couldn't touch things outside their installed directory. There would be a specific protocol for communication between different installed aps. This should have been done back in the win98 era. Because applications are not secure, everyone is paranoid about downloading an untrusted .exe.

Re:Already there

[mstefanro]

I have been saying this for ages. It is embarassing that the concept of "antivirus" still exists.
Its main purpose is to enforce a huge blacklist of .exe files that can harm you. Instead
of keeping track of million of apps that are evil, why not just apply some least privilege
principles and sandboxing already so that we can run an application without granting it
access to all our resources?

It comes as no surprise that everything gets moved to the web nowadays. One can safely
open a website without worrying that all his personal data can be accessed (such as Firefox
stored passwords). On the other hand, opening an application requires complete trust in the author,
which is simply too much to ask most of the time. Look how well "apps" have evolved in mobile
platforms. It is quite natural to prefer apps to websites, because it can be easier to have something run on startup
and be easily accessible whenever you want, as opposed to having to go through a browser. They
generally have less overhead and are more powerful. If Windows had a decent package manager
and proper privilege separation we would probably be living in a different world today.

For anyone who claims stuff like "but Windows has UAC", obligatory xkcd: http://xkcd.com/1200/ [xkcd.com]

Re:Already there

[recoiledsnake]

You just described Windows RT.

Re:

[smash]

It's called code-signing, and every time someone suggests it, the /. crowd are up in arms about how you're not free to run what you want on your own computer, conveniently disregarding the idea that you can sign code yourself.

And yes, it's the only real solution.

Re:

[stooo]

Code signing ? This does not remove exploitable holes in that cleanly signed (but shitty) code.

Re:

[smash]

No, but it does stop exploitable code from being used to set up un-signed executables to run on boot, etc. Sure, the code can be exploited in memory, but if you try and modify any executable on disk, the signature will break and the code won't run by default. Makes it much harder for a virus to set itself up permanently on the machine, and much more difficult to spread via infecting executables.

Re:

[mstefanro]

Antiviruses are blacklisting, code signing is whitelisting. Both bad solutions in a world
where we have so many apps that keeping track of all of them is very difficult.
Besides, code signing does not solve the problem of too relaxed permissions. In the
situation presented in the article, MS Office is a signed piece of software.

Re: Already there

[tolkienfan]

The iSeries solved all these issues decades ago. I don't believe it has ever been hacked, even after IBM offered a prize of a million dollars.

Re:

[TheRaven64]

Code signing is far from a panacea. It only works well in a world where there is a clear divide between things that are programs and things that are data. It doesn't help if you sign your interpreter (for Python, VBA, JavaScript, whatever), if there's no requirement that you also sign all of the inputs.

And code signing would do nothing to prevent vulnerabilities of this nature, where a bug in a library permits arbitrary code execution. This can be prevented with fine-grained sandboxing (if every TIFF im

Re: Already there

[tolkienfan]

It certainly *is* feasible. The problem is mostly embedded executable code. Not interpreted code, but machine code. Bad scripts are a minor irritation in comparison. A process is already *supposed* to be a sandbox. It would help tremendously if executable pages weren't mutable. There are alternatives for things like JIT. And yes, these things aren't free. But they're well understood and have been used for decades in security sensitive applications. These days that category should include desktop computing.

Re:

[TheRaven64]

Even if a process were a complete sandbox, this kind of attack would barely be mitigated, because an exploit in a library allows running arbitrary code (you might want to look up return oriented programming, if you think avoiding code generation helps you). At this point, the person who has sent you an email with a .tiff attachment now has complete control of your mail client.

Re: Already there

[tolkienfan]

All these things have existing solutions. These exploits usually get triggered by buffer overruns. Don't put buffers on the stack. Stack smashing etc. require the ability to manipulate the stack. Having a separate call stack and local variable stack solves many of these exploits. Seriously, I'm sure the iSeries was never penetrated. Windows and other popular OSes could be much more robust.

Re:

[smash]

Nah, of course it's not a panacea, but it does provide reliable "whitelisting" If you were to combine it with application sandboxing, then at least any vulnerability in the app is contained within the sandbox, and you know the code hasn't changed since it was signed.

Some of the more advanced malware inspection engines now (e.g., FireEye) do full VM execution of incoming content and post-mortem analysis before giving a pass or fail.

Re:

[smash]

Well that's a flaw then. If i modify anything in a Mac OS X application bundle i need to re-sign it.

Re:

[KingMotley]

Anti-virus is mostly just for fixing "stupid".

People demand that they have full control of their machines, Microsoft be damned.
The same people click "OK" no matter what pops up, even if it says "Clicking OK will destroy your computer".
Hence, anti-virus has become the politically correct way of saying anti-stupid program.

Re:

[mstefanro]

Yes, this is a major issue, but I don't believe it to be one without a solution, should one really bother
to come up with a good implementation.

On a mobile phone, you (as an application) can refuse to run if an user does not grant access to
a resource (such as webcam), because you know for sure that every phone has an webcam.
This blackmailing procedure may not be so successful on a PC, where if the owner refuses to grant
access to his webcam to an app, the OS can make it such that it is impossible for
the app t

Re:

[smash]

Look at the smartphone world? Sandboxing seems to be enforced on iOS pretty well. Yes there have been jailbreaks, but i'm not aware of any for iOS 7 yet.

Re:

[mstefanro]

As you said, it is the all-or-nothing that concerns me. I am not claiming that sandboxing
would magically solve all problems and that successful exploits would never be able to do
any harm. But being able to mount an attack such as "someone using MS Office somewhere might use it
to open sensible data, which we can steal" is not the same as mounting an attack like "we can use MS Office
to collect all stored passwords from all browsers and send them to us. And to spawn a keylogger". The MS Office
should have no bu

Re: Already there

[tolkienfan]

Tldr. But your idea that a tiff could take over a well designed sandbox is ridiculous. There isn't any reason a tiff library should be able to modify executable code. All the sandbox needs to do for this exploit (and most others) is mark all executable pages as read only.

Re: Already there

[tolkienfan]

So your point is not that sandboxes can't work but this one is crappy?

Re:

[ruir]

Why should they, killing the lucrative AV industry?

Re:

[fuzzyf]

The real problem is with the x86 architecture. As long as it's possible to hijack threads and inject code to running processes it doesn't matter what the filesystem allows or not.

Creating a secure system would need a different architecture to begin with. the way stack is handled in x86 is just asking for buffer overflow exploits.

Re:

[RaceProUK]

And what's to stop someone writing code injection for x64/ARM/MIPS/PPC/68k/others? What's to prevent implementing the x86 stack behaviour on x64/ARM/MIPS/PPC/68k/others?

Re:

[mcgrew]

It's funny, just yesterday I was having a slashdot conversation with someone who was talking about Microsoft's "superior QA", a day after the slashdot story about W8.1 breaking mice and other stuff.

I clicked on the story expecting to see a Windows problem (I still have W7 on this notebook, too lazy to install kubuntu) and it turns out I'm safe; I don't use IE or MS Office (I'm using Oo to write my books).

Re:

[Barlo_Mung_42]

This is why MS wants to move everyone to Metro and phase out win32.

Re:Already there

[TheP4st]

Why only pick on Windows? http://arstechnica.com/apple/2013/08/rendering-bug-crashes-os-x-and-ios-apps-with-string-of-arabic-characters/ [arstechnica.com]

Because we picked on apple for that one on August 29th [slashdot.org] and to those of us that are capable of thinking clearly it make very little sense to pick on apple when the topic clearly is a windows vulnerability.

Re:

[dimeglio]

Taking over a system is also different from making it crash (bug vs exploit).

Re:

[RaceProUK]

It's hard to be secure when the user is opening the airtight hatchway.

Re:

[RaceProUK]

Yes, MS could have had better security from day 1. But it's also true that most of the blame lays with lazy developers who did the quick-and-dirty, instead of actually understanding the system they were developing for. Which of course MS has to support in later versions of Windows, in order to keep their customer base.

Re:

[KingMotley]

Lots of applications require to run as administrator? Really? Name "lots", please.

Re:

[smash]

shift-right-click, run as other user. don't log into the desktop as an admin account (whatever OS it is, Unix included), doing that is retarded.

Re:

[smash]

depends if you're logged in as an admin user, doesn't it? which has not been ms recommended practice since at least 1996 with NT4 and likely previous.

Re:

[ArsonSmith]

Windows is fine if you don't read emails or browse the web.

Use Linux.

[stooo]

Microsoft Warns of Zero-Day Attacks
Use Linux.

Re:

[TheRaven64]

Right, because libtiff (and libpng and libjpeg) have never had security issues on Linux that allow a maliciously crafted image to execute arbitrary code. (Hint for those that don't get sarcasm: search the CVE database for any of those and filter by arbitrary code execution vulnerability)

Re:

[smash]

Problem is, most email to fax gateways use either TIFF or PDF, and most of them are TIFF. Though PDF isn't any better (in fact, historically it is much worse, security wise) given that most people seem to use adobe reader to open them.

Re:

[jbengt]

Problem is, most email to fax gateways use either TIFF or PDF, and most of them are TIFF. Though PDF isn't any better (in fact, historically it is much worse, security wise) . . .

Considering an image in a .pdf is typically a tiff with all the .pdf "goodness" wrapping around it, it shouldn't be surprising.

Re:

[smash]

Its even worse than that, adobe are sticking all sorts of "Active" content in them now which is no doubt ripe for exploitation.

WOW

[noh8rz10]

so when the summary says "the attacker would have to convince the user..." what they really mean is that it would happen automatically with no user interaction. I could send you an email, and just by clicking on it, it shows in the preview pane and BAM you're owned. This sounds like it would be an XP thing, but since it applies to office 2007 and 2010, presumably it applies to windows 7 as well?

I bet NSA is pissed, because one of their favorite pwnage tools is now public :(

Re:

[ljw1004]

No, the advisory said that it affects Vista and Server2008.

It explicitly says that Win7, Win8, Win8.1, WinRT, Server2008-R2 and Server2012 are unaffected.

Caveat: although I work at Microsoft, I know nothing about this alert other than what I read in TFA.

Re:

[yuhong]

Unless you are using Office or Lync which have their own copy of GDI+. Office 2010 only uses their own copy when running under XP though unlike older versions and 2013 don't support XP at all so they don't have their own copy anymore.

Re:

[mjm1231]

So, based on the wording of the advisory, if I am using Office 2010 running on Windows 7, I am both affected and non-affected. How exactly does that work?

Re:

[Anonymous Coward]

So, based on the wording of the advisory, if I am using Office 2010 running on Windows 7, I am both affected and non-affected. How exactly does that work?

You are not affected, you are not software. Your OS, Windows 7, is not affected, as explicitly stated. One of your programs, Office 2010, is affected, as explicitly stated.

Re:

[techno-vampire]

I could send you an email, and just by clicking on it, it shows in the preview pane and BAM you're owned.

And how many people do you know that still open emails from unrecognised strangers? Before you can get people to open a malicious email you have to get past their spam filters (or, at least the filters their mail server uses) and make the recipient think it's a valid email. (Yes, I know that there are people who just open everything that comes in, but I think you get my point.) However, from what

Re:

[khasim]

From the summary:

To exploit the vulnerability, an attacker would have to convince a user to preview or open a specially-crafted email message, open a malicious file or browse malicious Web content.

So all that is really necessary is to setup a web server and post something enticing in forums like Slashdot.

https://en.wikipedia.org/wiki/Pwn [wikipedia.org]

Once that is accomplished then the cracker waits for web hits. Once you've been cracked he would search your computer for anything resembling an email address and attempt t

Re:

[noh8rz10]

but with most email programs, even when you select the message it automatically shows in the preview pane. So if I select it in order to delete it, it shows in the preview and BAM. Or if I delete the ajoining message, the focus shifts to that message, and BAM. It's not all about (l)users here.

Re:

[smash]

I would suggest that probably 99.9% of the non-nerd population open emails from unrecognised strangers. Especially when you include those with a spoofed return address or other obfuscation.

Re:

[smash]

Additionally, to delete a message within outlook you must click on it first. Which means if you have the preview window displayed, it will be parsed and displayed in the preview window.

Re:

[noh8rz10]

maybe a good compromise is an email client feature that shows you text-only previews of messages. then you can see what the message says without getting exposure to any of this junk. thoughts?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[noh8rz10]

there's some merit to your argument, but the fact that Windows has images and fonts that can own your system is beyond absurd.

A compromise solution is that the preview pane shows text-only previews. That keeps the majority of the productivity, and should close these holes we speak of. Thoughts?

Re:

[TheRaven64]

but the fact that Windows has images and fonts that can own your system is beyond absurd.

It is absurd, but let's not pick on Windows. Both OS X and *NIX systems have suffered from similar vulnerabilities in libtiff, libpng (lots!), libjpeg (almost as many) and FreeType (too many to count). The problem was that all of these were written with the assumption that you could trust the input data and that performance was the primary concern. Now, computers are so fast that no one would notice a 50% slowdown in most of these (although they would in an H.264 decoder, which is another popular vector)

Re:

[smash]

They've still had exploitable bugs in the HTML parser, which would need to run through the email to convert it into text if it was not a plaintext email.

I got burned by the font rendering bug last time

[msobkow]

I'm getting awfully tired of exploits from MicroSquishy that I can't do anything to block. If my Win7 box proves vulnerable, I'm going to be seriously pissed, because they no longer ship install disks with machines.

Fortunately I don't *trust* Windows at all after the last time I got burned, so I do *all* my surfing with Linux/Debian. The *only* time I ever hit the internet from the Windows box is to download software updates or installs.

Re:

[theshowmecanuck]

I guess Linux has never and never will [arstechnica.com] have any security exploits possible against it. So yeah, good luck with that [google.ca]. And to anyone else who thinks using Linux online is the end all and be all for security. No system is safe.

Re:

[msobkow]

Had this been a Linux bug, the patches would have been out tonight.

Re:

[theshowmecanuck]

Guess you didn't read the first link.

Re:

[theshowmecanuck]

It's in response to someone once again making like Linux is invulnerable. It isn't. I'm not a Microsoft nor Linux nor Mac fanboy. I have used all three (and OS/2) at work and at home. I don't make any assumptions that any of them are bullet proof like many others here seem to. I think anyone who does is a fool. Especially moderator fanboys who mod me down for pointing out that Linux has its moments too. And I still use all three OSs. My laptop runs Kubuntu by the way... which broke touchpad functionality on

Re:

[drinkypoo]

The differences are that 1) Linux actually tries to be secure and 2) Linux isn't running unnecessary services you don't need and 3) The patch comes out much more rapidly for Linux, as stated, this is a proven fact. Don't pretend that Windows has parity with Linux, because it doesn't.

Re:

[theshowmecanuck]

Yeah yeah, I hear you. Just don't say it is invulnerable and that is why you only use it for online stuff. Yes, it is more secure by design, just not invulnerable and people shouldn't treat it as such. But really, I have maybe had two viruses for sure on my Windows PCs since 1990, and one was at work (I didn't get hit by that one at home, but a lot of people did on their office computer). The one at home was in 1996. So unless you are someone who doesn't know better than to open things you don't expect to r

Re:

[msobkow]

I'm not saying Linux is invulnerable to exploits. But it *is* more secure by design.

Were there a font rendering bug that could be picked up by my browser, the worst it could do is damage my user data and cause the browser or maybe even the desktop to crash (presuming the attack knew which desktop API to target.)

Font and image rendering does not occur in kernel space under Linux.

My bigger point, though, is that Linux vulnerabilities get patched and shipped a *lot* faster than they do for Windows or O

Re:

[theshowmecanuck]

I'm with you on all that. I just get pissed by people intimating stupid things like 'you will never get a virus or be compromised if you use Linux'. That's just plain dumb. All systems are vulnerable. Some maybe more than others. It is harmful to others to make such claims because someone is bound to believe it and not pay attention to suspicious sites, emails, etc. like they should. All because a bunch of asshats make erroneous claims. That is what sets me off.

Re:

[TangoMargarine]

Considering that every time a Linux attack appears on Slashdot, it turns out that the user has to purposely install something with elevated privileges beforehand, I'm not too worried.

Re:

[tibman]

That's because as far as normal users go there are virtually no Linux users to target
So it's the user and not the operating system then? Because Linux has a lot of installs.
https://en.wikipedia.org/wiki/Usage_share_of_operating_systems#Summary [wikipedia.org]

Re:

[couchslug]

" If my Win7 box proves vulnerable, I'm going to be seriously pissed, because they no longer ship install disks with machines. "

Google "Digital River Windows 7 ISOs".

Re:

[msobkow]

Mod parent "Informative".

Thanks. Downloading now. I've been half-panicked for almost a year that I don't have install media.

Re:

[Menkhaf]

If you liked that, you'll like to know that you can remove the ei.cfg file from the iso to convert it into a universal iso. There are multiple tools for it, but I've just used rm in the past (granted, the media I used was a USB stick). Here's one such tool: http://code.kliu.org/misc/winisoutils/ [kliu.org]

Note that your license still has to match the type you select during installation. I have no idea why Microsoft insists on having so many different isos when they could just have one universal iso...

So...

[msobkow]

They know what causes the bug. They know where the bug is located. But they can't provide a fix for the bug?

Kudos. That's the laziest response to a vulnerability I've ever heard of.

Re:

[Bite The Pillow]

I'm much more concerned that to disable a codec, you have to create a new registry key for GDIPlus, then add "DisableTIFFCodec" specifically to disable Windows-wide the built-in TIFF rendering.

There's not a whitelist so that you can search for what's enabled - there's a hidden key that is queried every time a Microsoft application *starts* so that if it is already running making the change has no effect.

That it is called "DisableTIFFCodec" - I'm not even sure what the words are to properly object to that.

In related news

[gmuslera]

NSA agents have been busy last month sending Word documents to the critical staff of major foreing companies.

Also, water is wet and the sky is blue

[Gothmolly]

Microsoft and zero-day attacks go together like .... 2 things that go together really well.

Re:

[smash]

strcpy() and buffer overflows?

Re:

[oodaloop]

But this only affects certain versions of Windows and Office. I'm safe on Windows ME and Office 98!

The best is still to come

[asmkm22]

With the shape of security in the IT industry right now, I expect the patch to address this will end up bricking 20% of the servers that apply it.

No problem, then

[Trailer Trash]

"To exploit the vulnerability, an attacker would have to convince a user to preview or open a specially-crafted email message, open a malicious file or browse malicious Web content."

Thankfully it's proven difficult over the years to get a Windows user to do any of those things....

Re:

[smash]

Preview turned on. Click message to delete it. Outlook parses it and displays in the preview window.

Re:

[Trailer Trash]

I guess you heard a loud whoosh and didn't know what it was.

Just today..

[SuperCharlie]

Just today I was telling someone you would have to pay me to go back to Windows.

Mint 15 and damn happy.

Translated summary

[Gravis Zero]

"Microsoft released an advisory today warning users about a new zero-day flaw that we'll fix when we damn well feel like it. The digital holy war is targeting the Middle East and South Asia. According to Microsoft, the vulnerability resides in the Microsoft Graphics component and impacts certain versions of Windows, Microsoft Office and Some Failed Skype Imitation. The problem exists in our poorly written TIFF reader. To exploit the vulnerability, an attacker will email you and when you open it, you are fucked. It will download and install malware and there is nothing you can do about it. The vulnerability affects those new versions of Office that we insisted you needed to upgrade to and Shoddy Server 2008 and Windows 7 - 1. Right now, opening a Microsoft Word document could ruin your week or your month."

Enhanced Mitigation Experience Toolkit

[nuckfuts]

Using EMET [microsoft.com] provides additional layers of protection against this kind of thing.

Re:

[drinkypoo]

Using EMET provides additional layers of protection against this kind of thing.

So does not running Windows. If Microsoft has additional layers of security for Windows, perhaps they should make them part of Windows.

Re:

[nuckfuts]

Using EMET provides additional layers of protection against this kind of thing.

So does not running Windows.

Ah, the predictable refrain of a MAC/Linux fan...

If Microsoft has additional layers of security for Windows, perhaps they should make them part of Windows.

I think in the case of EMET, it is not part of Windows by default because it uses techniques that may not be compatible with every Windows application. It also requires a bit more technical knowledge to deploy than, say, antivirus software.

Re:

[drinkypoo]

Ah, the predictable refrain of a MAC/Linux fan...

Any system which is working properly is predictable.

I think in the case of EMET, it is not part of Windows by default because it uses techniques that may not be compatible with every Windows application. It also requires a bit more technical knowledge to deploy than, say, antivirus software.

Windows is already not compatible with every Windows application. If it requires more technical knowledge to deploy than antivirus software, then Microsoft isn't working hard enough on it. Is this another product they bought from someone and ruined, like say wolfpack?

Re:

[nuckfuts]

Look, I'm just pointing out a lesser-known resource that's available for people who might be interested. I'm not interested in partaking in yet another tedious bout of Windows bashing on Slashdot. Others have already mentioned that Windows is not the only operating system to be exploited by maliciously crafted data files.

.

Re:

[drinkypoo]

Others have already mentioned that Windows is not the only operating system to be exploited by maliciously crafted data files.

Right. Many of us object to any closed-source operating system for this among other reasons.

Re:New Attack? 0 Day?

[Timothy Hartman]

Microsoft, Apple, and even our dear Linux all have had issues with previewing malcrafted images. If seeing this on a patch notes shocks you I'll assume you haven't read many patch notes. TIFF is surprising as that hasn't been a huge attack vector, but I've seen in the hundreds of notes I've read as an IT peon where formats have been an issue. More often it is PDF, EMF, WMF, but TIFF isn't out of the question
It is a file format that is pretty low on the level of requiring correct formatting and is more or less abandoned by its owner, Adobe. I bet their is a grip of EPS exploits out there for Microsoft's viewer, but very few people would open those. Everyone know EPS is "an Adobe" and forward them on to the graphics department.

Re:New Attack? 0 Day?

[Anonymous Coward]

TIFF is a scary format in general because it's been extended in so many bizarre ways to support document mangagement systems. For ex, there's actually a standard for embedding PDFs inside of a TIFF (rather than visa-versa).

Re:

[dltaylor]

It's "Yet Another Back Door", which they might get around to disclosing if enough non-MS and non-Gov't exploits are published. It's no different from the DX9 kernel modules looking for MP3s with executable streams.

The crackers don't have to compromise MS products, they just have to find the existing back doors and use them.

Re:

[cavreader]

Exactly how many engineered back doors have actually been found and exploited?

Re:

[Gothmolly]

Because they do not separate code and data.

Re:New Attack? 0 Day?

[Michalson]

Easy. You have something (like a header) that leads the image decoder to allocate a certain amount of memory on the stack (a buffer) for an expected piece of data. Then you have the decompressed data be larger then it was advertised or calculated, overflowing the buffer and so overwriting other items on the stack, like the return address. By changing the return address you can point it back at the buffer, which when the CPU tries to read those bytes as code instead of data it turns out they do bad things.

Vulnerabilities in media decoders are a prime vector for infection since they are usually processed automatically. The only reason you are seeing it in software from 'a decade ago' is that hackers face so much competition from white hat researchers when it comes to browsers, fighting for vulnerabilities from a usually shrinking pool. With fewer opportunities some are turning to media decoders found in applications like Office. It's a less effective vector since it requires several actions from the user, but the upside is that these applications are often not as aggressively patched as browsers have become which means a single vulnerability might work for months.

For a comparison it's been almost a year since the last arbitrary code vulnerability was reported in FireFox's GIF decoder, and 2 years since the JPEG decoder was last turned into an attack vector (to the best of my knowledge). IE, Chrome and Safari have experienced similar droughts, with all the major browsers only having 1 or 2 image based vulnerabilities reported annually for the last few years, and usually by researchers who allow it to be patched quickly rather then as a zero day being exploited. Of course other types of media exist. CSS/HTML5 has rapidly become a media format in of itself and a little over a month ago FireFox was vulnerable to arbitrary code execution due to the way it decoded animations in CSS stylesheets (this was reported by Google and patched with the release of FF 24). TL;DR Researchers are hogging all the good browser vulnerabilities, so hackers are playing in the dusty old rooms nobody has visited in years.

So why everyone still uses C-style buffers?

[master_p]

I would have expected, in this day and age, where computers are supposed to be much more powerful than needed for the majoirty of users, that C-style management of buffers would have been a thing of the past, especially in major software like Office and browsers.

But, judging from your post, it seems that is not the case. People still use raw buffers without bounds checking.

The principle "peformance first, safety second" has not done good. The majority of problems like this come from the programming language

Re:

[smash]

Yeah its time to switch to something like Ada.

Re:

[smash]

Flaw in the image processing code.

Re:

[TheP4st]

It's not the first time it happens on Windows [microsoft.com] but similar issues have also affected Linux [eweek.com] and most likely OSX too.

Re:

[LifesABeach]

If I recall, correctly, certain byte value squences can cause immediate processing of machine code level commands. I'm reminded of SQL Injections. These command codes are CPU dependent. I don't think you'll find this in any HTML5 Specification how-to's; yet?

Re:

[noh8rz10]

+1 you must work in my IT department.

Re:

[smash]

Not really, given that I guarantee probably 70-80 percent of enterprises have at least one scanner or fax-to-email gateway that uses TIFF. And even if they switch that to PDF.... well, let's just say that if you compare the security history of PDF and TIFF, it's like a race in the special olympics, but TIFF would probably actually win.