Microsoft today released an out-of-band security advisory on an issue with how Office clients, Lync included, handle TIFF files. This exploit could allow remote code execution, and I think this is the second time that TIFF is affected in about a year, if I am not mistaken.
For more information, please see the official advisory from Microsoft:
Microsoft Security Advisory (2896666)
There is a workaround published describing how to mitigate this by disabling the TIFF codec.
Disable the TIFF codec
Note: See Microsoft Knowledge Base Article 2896666 to use the automated Microsoft Fix it solution to enable or disable this workaround.
You can prevent TIFF files from being displayed by modifying the registry to control the parsing of the TIFF codec. By changing the registry entries, you can control which images are parsed and rendered and which images are rejected in GDI+. For example, you can select to parse and render Joint Photographic Experts Group (JPEG) images, but block Tagged Image File Format (TIFF) images.
Warning: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
Note: After you change a registry entry, you must restart the application that uses the codec.
To disable the TIFF codec:
1. To add a registry entry, create the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Gdiplus
2. Create a DWORD value for the TIFF codec by creating a registry entry (DWORD value) under the registry subkey you created in step 1: DisableTIFFCodec
3. To disable the TIFF codec, set the value of the DisableTIFFCodec registry entry to 1.
Impact of Workaround. You will not be able to view TIFF files.
How to undo the workaround
To re-enable the TIFF codec, set the value of the DisableTIFFCodec registry entry to 0.
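The steps above, including the undo, can also be scripted. The following PowerShell is an added example, not part of the Microsoft advisory or the Fix it solution; the function names Get-TiffCodecState and Set-TiffCodecWorkaround are hypothetical, while the key path and value name are the ones given above.

```powershell
# Added example: audit, apply or undo the DisableTIFFCodec workaround.
# Key path and value name come from the advisory text; function names are hypothetical.
# Run from an elevated prompt, then restart the applications that use the codec.
$GdiplusKey = 'HKLM:\SOFTWARE\Microsoft\Gdiplus'
$ValueName  = 'DisableTIFFCodec'

function Get-TiffCodecState {
    # The advisory only defines 1 (disabled) and 0 (re-enabled); anything else is flagged.
    $item = Get-ItemProperty -Path $GdiplusKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }   # key or value is missing
    switch ($item.$ValueName) {
        1       { 'Disabled' }
        0       { 'Enabled' }
        default { 'Unexpected' }
    }
}

function Set-TiffCodecWorkaround {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Disable', 'Enable')]
        [string]$Action
    )
    $data = if ($Action -eq 'Disable') { 1 } else { 0 }

    # Step 1: create the subkey if it does not exist yet.
    if (-not (Test-Path -Path $GdiplusKey)) {
        if ($PSCmdlet.ShouldProcess($GdiplusKey, 'Create registry key')) {
            New-Item -Path $GdiplusKey -Force | Out-Null
        }
    }
    # Steps 2 and 3: create (or overwrite) the DWORD value with 1 or 0.
    if ($PSCmdlet.ShouldProcess("$GdiplusKey\$ValueName", "Set DWORD to $data")) {
        New-ItemProperty -Path $GdiplusKey -Name $ValueName `
            -PropertyType DWord -Value $data -Force | Out-Null
    }
    Get-TiffCodecState   # report the resulting state so the change can be verified
}

# Report the current state, then preview the change without writing anything.
Get-TiffCodecState
Set-TiffCodecWorkaround -Action Disable -WhatIf
```

Drop `-WhatIf` to apply the change, and use `-Action Enable` to set the value back to 0.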
OK, it all started like 2-3 hours ago, and it's some 400 comments in right now.
If you are not into Reddit, I suggest you check this chat out. Reddit is a site I've been visiting more and more lately.
Come join the fun! and ask the Lync team your questions!
Just got off the phone with the Office 365 support (a great experience again, btw).
Anyway, one of my customers had automatic updates on their ADFS servers and the latest batch kills ADFS, so none of the users could log on this morning.
The guy I talked to had taken a lot of calls already and knew exactly where to look.
So if it's broken right now or soon… look at those updates!
Before the MCSM I felt like, hey, I'm an MVP, I run my own trainings on Lync, and well, I felt pretty confident that I know most of these Lync things pretty well.
Oh, was I wrong… anyway, I learned A LOT.
And next week I run a LyncLab at labcenter with some seats left.
So if you are in Sweden and got nothing better to do
To all the developers out there, keep an eye on the http://ucwa.lync.com/ page, which should go live any second, minute, day or something, since CU1 (they really meant Cumulative Update February 2013) was just released!
From NextHop http://blogs.technet.com/b/nexthop/archive/2013/02/27/security-update-vulnerability-in-tcp-ip-could-allow-denial-of-service.aspx
A security bulletin was recently issued by the Windows Server group: Microsoft Security Bulletin MS13-018 – Important.
It has been determined that this particular security issue in the TCP stack could pose a threat to systems running Lync Server 2013.
It is required that deployments with Lync Server 2013 ensure that the operating system is updated with this security patch.
For information on the vulnerability and required actions, please refer to the following articles:
It's about 1.5 hours away from kicking off the Lync Conference, and if you could not attend in person you can watch it online at http://lyncconf.com
Presentation of Joshua Williams (Microsoft) during Nonick 2012.
Joshua Williams spends time, passion and energy working on making software development better for the Microsoft Lync Client Team. He is involved in Microsoft’s Productivity Games Department. Over the past 17 years, he has contributed to shipping several versions of Microsoft Windows, Microsoft Lync and now Microsoft Office.