There’s a new security flaw in Lync! Microsoft announced it yesterday, with a couple workarounds. Both are easy to implement, so let’s not waste any time.
Where It Is: Code for Graphics Handling
The flaw is located in the TIFF graphics handling code of both Lync clients, as well as Windows Server 2008 and Office 2003, 2007 and 2010.
What It Can Do: Let Remote Code In
A specially crafted TIFF graphics file could allow an attacker to execute code remotely on the machine that opens it.
By itself this is not a network-wide threat. But even a small door left open can bring trouble.
According to ITNews.com, attacks are already occurring in Southern Asia and the Middle East. Emails with specially-crafted Word attachments are giving outside attackers access to users' machines, compromising local security and opening a potential hole into networks.
Let’s all avoid that unpleasant possibility, shall we?
How to Patch the Security Flaw: Two Workarounds
Two workarounds are available to prevent any exploits. These work for all affected systems, but I’m focusing on the Lync 2010 and 2013 clients (this IS a Lync blog!).
The first option is disabling the TIFF codec on computers running Lync 2010 or 2013.
You can use the Fix It Microsoft has provided here (the quickest solution), or disable the codec manually. If you want to do that:
- Open the Registry Editor.
- Navigate to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Gdiplus
- Create a DWORD value for the TIFF codec by adding a registry entry under the Gdiplus subkey, named DisableTIFFCodec.
- Set the value of the DisableTIFFCodec registry entry to 1. Close Registry Editor.
(If you want to enable the TIFF codec again later, just change the entry’s value to 0.)
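The same registry workaround as a script, for admins who would rather apply it to several machines than click through Registry Editor. This is an added example, not Microsoft's Fix It or anything from the original post; the key and value names are the ones given in the steps above, and the function names are my own.

```powershell
# Added example (not from the original post or from Microsoft): applies, audits
# and reverts the DisableTIFFCodec workaround described above.
# Run from an elevated (Administrator) PowerShell session.

$GdiplusKey = 'HKLM:\SOFTWARE\Microsoft\Gdiplus'   # key named in the workaround
$ValueName  = 'DisableTIFFCodec'                   # DWORD value named in the workaround

function Get-TiffCodecState {
    # Returns 'Disabled', 'Enabled' or 'NotConfigured' so inventory scripts can
    # report the state of a machine without changing anything.
    if (-not (Test-Path $GdiplusKey)) { return 'NotConfigured' }
    $item = Get-ItemProperty -Path $GdiplusKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$ValueName -eq 1) { return 'Disabled' } else { return 'Enabled' }
}

function Disable-TiffCodec {
    # Creates the Gdiplus subkey if it is missing, then sets DisableTIFFCodec = 1
    # (the -Force switch overwrites an existing value of the same name).
    if (-not (Test-Path $GdiplusKey)) {
        New-Item -Path $GdiplusKey -Force | Out-Null
    }
    New-ItemProperty -Path $GdiplusKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Enable-TiffCodec {
    # Sets the value back to 0 to restore TIFF handling later, as the post notes.
    if (Test-Path $GdiplusKey) {
        Set-ItemProperty -Path $GdiplusKey -Name $ValueName -Value 0 -Type DWord
    }
}

# Apply the workaround and confirm it took effect.
Write-Host "Before: $(Get-TiffCodecState)"
Disable-TiffCodec
$after = Get-TiffCodecState
Write-Host "After:  $after"
if ($after -ne 'Disabled') { throw "DisableTIFFCodec was not applied under $GdiplusKey" }
```

Get-TiffCodecState on its own is handy for checking which machines still have the codec enabled before and after a rollout.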
The second workaround option is deploying the Enhanced Mitigation Experience Toolkit (EMET). Download EMET version 4.0 here.
It should auto-configure once installed, so you won’t need to do anything else. Refer to its documentation if you need to manually configure.
Both workarounds are listed under “Suggested Actions” in this bug’s TechNet Advisory, along with extra instructions, a FAQ and a full list of the software affected.
You can do both if you’d like. It won’t hurt anything.
Microsoft will include a patch in the next security update, no doubt. But in the meantime you can use these to protect any systems you’re concerned about.
I know a lot of people still use the Lync 2010 client and Office 2010. I’d prefer you continuing to use them without worrying about the next email attachment coming in.
Any other day, I’d recommend you updating to Windows Server 2012 and Lync 2013 to avoid security issues. But this flaw affects 2013 too…as well as 3 versions of Office!
So take a moment and apply your choice of workaround. Patch the security hole before someone else finds it.