Ask Us logo

Quick Links

Windows: new 0-day in Microsoft Office TIFF Graphics Component (CVE-2013-3906)

SUMMARY: Windows: new 0-day in Microsoft Office TIFF Graphics Component (CVE-2013-3906)
POSTED ON: 11/07/2013
REPORTER: Jocelyn E Kasamoto (jocelyn)
START TIME: Nov 07 05:04 PM
END TIME: Nov 07 05:04 PM
DESCRIPTION: On Nov. 5, 2013 Microsoft released Security Advisory 2896666 reporting a new zero-day vulnerability (CVE-2013-3906) in Microsoft Graphics component that affects Windows, Microsoft Office, and Microsoft Lync, in the handling of specially crafted TIFF graphics images. The vulnerability allows an attacker to remotely execute code on the affected system. It is currently being exploited in targeted attacks and crimeware campaigns and is now thought to be more widely spread than when first reported.

An attacker could exploit this vulnerability by convincing a user to preview or open a specially crafted email message (eg a Word document with an embedded malicious TIFF image), open a specially crafted file, or browse specially crafted web content.

Microsoft has published a temporary Fix it solution. If you are using the affected software, please install the temporary Fix it until Microsoft releases a permanent patch. Go to https://support.microsoft.com/kb/2896666 to download Microsoft Fix it 51004 (to enable Fix it) and Fix it 51005 (to disable Fix it).

Affected software include Microsoft Vista, Windows Server 2008, Microsoft Office 2003 through 2010 and all supported versions of Microsoft Lync.

Office 2003 - affected
Office 2007 - affected
Office 2010 - affected only on Windows XP/Windows Server 2003
Office 2013 - not affected

Note: Microsoft will end support for Windows XP and Office 2003 on April 8, 2014.

For more information

Microsoft Security Advisory (2896666)
Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution
https://technet.microsoft.com/en-us/security/advisory/2896666

CVE-2013-3906: a graphics vulnerability exploited through Word documents
http://blogs.technet.com/b/srd/archive/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-through-word-documents.aspx

Exploits of critical Microsoft zero day more widespread than thought
http://arstechnica.com/security/2013/11/exploits-of-critical-microsoft-zero-day-more-widespread-than-thought/

The Dual User Exploit: CVE-2013-3906 Used in Both Targeted Attacks and Crimeware Campaigns
http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/the-dual-use-exploit-cve-2013-3906-used-in-both-targeted-attacks-and-crimeware-campaigns.html

If you have questions, please contact the ITS Help Desk at 956-8883 or email help@hawaii.edu.