A Microsoft Office TIFF vulnerability


In the context of running unpatched versions of Windows (in my defense, in a sandbox!), we've had the news this month that TIFF rendering in certain versions of Microsoft Office allows for remote code execution.

A patch was unfortunately not forthcoming during Microsoft's Patch Tuesday, forcing Windows users to continue using the hotfix that merely disables TIFF rendering until a more permanent solution can be found.

Cause and effect

This is more problematic than I think some people acknowledge. I've heard podcasts and read blogs implying that TIFF is a legacy format that shouldn't have much impact being disabled. Nothing could be further from the truth; TIFF's colour space is still vitally important to creative professionals and is still employed heavily in workflows. Clara would know more about this than me!

While Windows users still don't have a patch, we do know now broadly how the exploit is able to work. Recent versions of Windows employ data execution prevention (DEP), which marks only certain areas of a process's memory as executable. If a buffer overflow is used to inject extraneous code into memory, in theory DEP will refuse to execute it. Windows also uses address space layout randomisation (ASLR), which hampers an attacker's ability to predict where the next block of memory allocated to a process will be.

The good news is this TIFF vulnerability was not able to break these security measures. As is often the case with security, however, the problem is not with the system itself but with how it's implemented. For apparent reasons of backwards compatibility, Microsoft Office allows DEP and memory address space randomisation to be selectively disabled. Yikes.
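As an added example (not from the original post), here is a PowerShell check a defender can run to see whether DEP and ASLR are actually enforced on a machine and for the Office executables that render images, rather than left to the application's own opt-in as described above. It assumes Windows 10 1709 or later, where the in-box ProcessMitigations module provides `Get-ProcessMitigation`; the list of Office executable names is an assumption you can adjust.

```powershell
# Added example, not code from the original post: report the system-wide DEP
# policy and the per-image DEP/ASLR settings for Office executables.
# Assumes Windows 10 1709+ (ProcessMitigations module); run from an elevated prompt.

# Assumed list of Office image names to check; extend as needed.
$officeExes = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')

function Get-SystemDepPolicy {
    # Win32_OperatingSystem exposes the boot-time DEP policy:
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (Windows binaries only), 3 = OptOut
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    [pscustomobject]@{
        Available = $os.DataExecutionPrevention_Available
        Policy    = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
    }
}

function Test-OfficeMitigations {
    param([string[]]$Executables = $officeExes)
    foreach ($exe in $Executables) {
        # Per-image settings; NOTSET means the image inherits the system default
        # instead of having the mitigation forced on.
        $m = Get-ProcessMitigation -Name $exe
        [pscustomobject]@{
            Executable        = $exe
            DEP               = "$($m.DEP.Enable)"
            ASLRForceRelocate = "$($m.ASLR.ForceRelocateImages)"
            ASLRBottomUp      = "$($m.ASLR.BottomUp)"
            ASLRHighEntropy   = "$($m.ASLR.HighEntropy)"
        }
    }
}

Get-SystemDepPolicy
Test-OfficeMitigations | Format-Table -AutoSize

# To force the mitigations on for an image instead of relying on the
# application's opt-in, for example:
# Set-ProcessMitigation -Name winword.exe -Enable DEP,ForceRelocateImages,BottomUp,HighEntropy
```

A system policy of OptIn means non-Windows binaries such as Office only get DEP if they ask for it, which is exactly the situation the post describes; switching the policy to OptOut or using `Set-ProcessMitigation` on the specific images removes that choice from the application. Note that 64-bit processes always run with DEP, so the per-image DEP result mainly matters for 32-bit Office installs.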

In my view

Security bugs in image parsers are particularly scary, at least to me. Compared to exploits that depend on people running malicious email attachments or downloading dodgy applications, merely viewing a malformed image, whether opened directly or embedded in a document, is enough to invoke the problematic library and compromise your system.

For me, this issue harkens back to the Windows Metafile vulnerability discovered in 2007, soon after I'd left high school and was getting interested in end-user security. Back then, an undocumented feature in the WMF format that allowed printer control codes to be inserted was used to inject malicious code into Windows machines. As Microsoft was slow to implement a fix for this as well, a third-party developer came out with a patch.

Here's hoping Windows users won't require something of this nature again, and Microsoft will release an out of cycle fix as soon as possible.

Author bio and support


Ruben Schade is a technical writer and infrastructure architect in Sydney, Australia who refers to himself in the third person. Hi!

The site is powered by Hugo, FreeBSD, and OpenZFS on OrionVM, everyone’s favourite bespoke cloud infrastructure provider.

If you found this post helpful or entertaining, you can shout me a coffee or send a comment. Thanks ☺️.