DO NOT OPEN FILES ENDING .TIFF from email or websites.
As of today a vulnerability involving .TIFF files as attachments has been identified.
This means that neither Microsoft nor the antivirus companies have been able to develop tools to address this vulnerability.
Because this is a new vulnerability, the only way to protect yourself is to exercise extreme caution when opening .TIFF files, no matter how they reach you—whether via email or websites. Anti-virus and firewall protection applications may not stop this threat. Do not open any files with a filename ending in .tiff as it could be extremely damaging to your system.
The warning is valid. In November 2013, Microsoft announced the discovery of a critical zero-day vulnerability that could leave users of some versions of Microsoft Windows, Microsoft Office, and Microsoft Lync open to attack.
A November 9 SecurityWatch article notes:
The bug (CVE-2013-3906) allows attackers to remotely execute code on the target machine by tricking users into opening files with specially crafted TIFF images, Microsoft said. When the user opens the attack file, the attacker gains the same rights and privileges as that user. This means that if the user has an administrator account, then the attacker can get full control of the machine. If the user does not have administrator privileges, then the attacker can cause only limited damage.
The SecurityWatch article further explains:
The vulnerability exists in all versions of Lync communicator service, Windows Vista, Windows Server 2008, and some versions of Microsoft Office. All installations of Office 2003 and 2007 are at risk, regardless of which operating system the suite is installed on. Office 2010 is affected, only if it is installed on Windows XP or Windows Server 2008, Microsoft said. It appears that Office 2007 is the only one currently under active attack, according to the advisory.
At the time of writing, Microsoft had not yet released a permanent patch for the vulnerability. In the meantime, however, a "FixIt" workaround solution is available on the Microsoft support website.
Last updated: November 21, 2013
Microsoft in a TIFF over Windows, Office bug that runs code hidden in pics
Microsoft Zero-Day TIFF Bug Affects Older Office Software
Microsoft Security Advisory (2896666)
Microsoft Security Advisory: Vulnerability in Microsoft graphics component could allow remote code execution