Latest Microsoft Phishing Attack: What you need to know

Yesterday, Dustin C Childs of Microsoft warned of a vulnerability in a graphics component shared by Windows, Office and Lync which could enable an attacker to gain the same rights as the logged-on user on affected computers. Those affected are PCs running Windows Vista, Windows Server 2008, Microsoft Office 2003 to 2010 (Office 2010 only when installed on Windows XP or Windows Server 2003), and all supported versions of Microsoft Lync. Current versions of Microsoft Windows and Office are unaffected.

In Microsoft Security Advisory (2896666), Microsoft alerted users to “a remote code execution vulnerability that exists in the way affected components handle specially crafted TIFF images. An attacker could exploit this vulnerability by convincing a user to preview or open a specially crafted email message, open a specially crafted file, or browse specially crafted web content.” In other words, the flaw itself is a code execution bug, but exploiting it requires a user to preview, open or browse something the attacker supplies, so in practice it is delivered by social engineering or phishing and depends on human error.

Temporary fix

Microsoft's advice is to apply the Fix It solution “Disable the TIFF Codec” and to deploy the Enhanced Mitigation Experience Toolkit (EMET) as interim protection until it develops and issues a security update that addresses the flaw itself. Note that the advisory's own wording says previewing a crafted message can be enough, so telling people not to open attachments is not, on its own, a complete defence, and the technical mitigations should still be applied. That said, the cheapest layer of protection by far is to ensure that no one opens (or is tempted to open) the attachment in the first place.
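For administrators who would rather push the workaround through their own tooling than run the Fix It on each machine, the following PowerShell applies, audits and rolls back the same setting. This is an added example and is not part of the original post or of Microsoft's Fix It. The registry value it writes (DisableTIFFCodec = 1 under HKLM\SOFTWARE\Microsoft\Gdiplus) is the one documented in the advisory's workaround section; the function names are mine, and writing the WOW6432Node copy as well is an assumption made so that 32-bit applications on 64-bit Windows also see the change.

```powershell
# Added example: apply, audit and roll back the 'Disable the TIFF Codec'
# workaround from Microsoft Security Advisory 2896666 by hand.
# The registry value (HKLM\SOFTWARE\Microsoft\Gdiplus, DisableTIFFCodec = 1)
# is the one documented in the advisory's workaround section; the Fix It
# sets the same value. Run from an elevated PowerShell prompt.

# 64-bit applications read the first key. On 64-bit Windows, 32-bit
# applications (a 32-bit Office install, for example) read the WOW6432Node
# view, so the key is written there too (assumption). On 32-bit Windows the
# WOW6432Node branch does not exist and is skipped.
$GdiplusKeys = @('HKLM:\SOFTWARE\Microsoft\Gdiplus')
if (Test-Path 'HKLM:\SOFTWARE\WOW6432Node') {
    $GdiplusKeys += 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Gdiplus'
}

function Get-TiffCodecState {
    # Report, per registry view, whether the workaround is in place.
    foreach ($key in $GdiplusKeys) {
        $value = (Get-ItemProperty -Path $key -Name DisableTIFFCodec `
                    -ErrorAction SilentlyContinue).DisableTIFFCodec
        [pscustomobject]@{
            Key      = $key
            Value    = $value
            Disabled = ($value -eq 1)
        }
    }
}

function Disable-TiffCodec {
    # Workaround ON. Side effect stated in the advisory: TIFF images stop
    # rendering in every application that uses GDI+, not only Office and Lync.
    foreach ($key in $GdiplusKeys) {
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name DisableTIFFCodec -Value 1 -Type DWord
    }
}

function Enable-TiffCodec {
    # Rollback, for once the security update has been installed.
    foreach ($key in $GdiplusKeys) {
        if (Test-Path $key) {
            Remove-ItemProperty -Path $key -Name DisableTIFFCodec `
                -ErrorAction SilentlyContinue
        }
    }
}

Disable-TiffCodec
Get-TiffCodecState | Format-Table -AutoSize
```

Run the script on a test machine first: after it, TIFF files will not open in any GDI+ based viewer, which is the intended trade-off until the patch ships. Get-TiffCodecState on its own is the check to run across the estate to confirm the mitigation actually landed everywhere, and Enable-TiffCodec undoes it once the update is deployed.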

While most cautious computer users know not to open email attachments or click links from unknown sources, people can, and do, make mistakes. With a single mouse click, a single member of your staff could, without thinking, open your entire system to abuse. There are, of course, a lot of conditionals in that sentence. “If” someone opens an attachment, a hacker “could” attack. You’re probably safe from attack, aren’t you? You trust your staff not to click on any attachments they get from unknown senders, right? I mean, they never get emails from people they don’t know…

Permanent fix

How can you mitigate human error like that? IT Governance’s Information Security & ISO27001 Staff Awareness e-learning course will help your employees understand your organisation’s information and compliance risks, in line with ISO27001, and reduce your organisation’s exposure to security failures. The ISO27001 standard is unique in that it offers a holistic approach to information security, addressing security issues which affect the computer user as much as the computer itself. Our course is aimed at all employees, and covers the needs of anyone who processes information, uses information technology, or uses the Internet.


In a simple 40-minute session, the Information Security & ISO27001 Staff Awareness e-learning course covers information security at work for your employees, including secure perimeters, tailgating, clear-desk and clear-screen policies, passwords, portable media, information classification, intellectual property, security incidents, business continuity, and the policies and procedures relating to important documentation. It uses a series of scenarios to explain the issues clearly, then asks 20 multiple-choice questions. An online Certificate of Achievement is provided for each staff member who successfully completes the test.

Staff awareness is essential when you face online risks. Make sure your employees don’t accidentally put your organisation in jeopardy. Order the Information Security & ISO27001 Staff Awareness e-learning course today.

Visit our website or call us on 0845 070 1750 for a tailored quote if you are interested in 10 or more users.