Microsoft: No Zero-Day TIFF Fix This Patch Tuesday

Dennis Faas's picture

Microsoft will be issuing Patch Tuesday fixes for several "critical" security problems today. Unfortunately, the firm says the list of fixes doesn't include a patch for a recently reported zero-day flaw affecting Windows and the Microsoft Office software suite.

The November 2013 Patch Tuesday lineup includes a total of eight bulletins, three of which are marked "critical" -- Microsoft's highest security rating.

These flaws involve serious security issues affecting some of Microsoft's most popular products, including the Windows operating system and Internet Explorer, the firm's web browser.

This Patch Tuesday will also provide fixes for five "important" security bulletins that affect both Microsoft Office and Windows.

"Critical" Flaws Allow For Remote Code Execution

As usual, the "critical" bulletins involve remote code execution, meaning they could allow a hacker to take control of an exposed system. That's why Qualys security expert Wolfgang Kandek says it's important everyone download and install the fixes as soon as possible.

"All of the critical bulletins and one of the important bulletins result in a remote code execution and should be prioritised higher," Kandek said in a recent blog post.

"The rest of the important bulletins result in the elevation of privileges or a denial of service condition."

TIFF Zero-Day Flaw Remains Unpatched

Unfortunately, Microsoft won't be offering a fix for a new and very potent threat that affects TIFF images. The issue is known as a "zero-day" threat, meaning hackers found and exploited the problem before Microsoft learned of it. (Source:

So far, reports indicate that Windows Vista, Server 2008, and Microsoft Office (including the 2003, 2007, and 2010 versions) are vulnerable to attack. Microsoft's Lync communications software is also reportedly vulnerable.

According to Rapid7 security engineer Ross Barrett, the absence of a Patch Tuesday fix for the issue has resulted in a great deal of "frustration" in the security community. (Source:

If you're a Windows Vista or Office user, you may want to consider using Microsoft's "Fix It" solution while waiting for an official patch. You can access the Fix It by clicking here.

Rate this article: 
No votes yet