0-Day Fixes

MICROSOFT GRAPHICS COMPONENT VULNERABILITY COULD ALLOW REMOTE CODE EXECUTION

Summary

A vulnerability in the Microsoft Graphics component could, upon successful exploitation, allow a remote attacker to execute arbitrary code on an affected system.

Detailed Description

Microsoft has reported a remote code execution vulnerability that affects the Microsoft Graphics component. The vulnerability is caused by improper handling of TIFF files, leading to memory corruption that an attacker may be able to exploit to execute arbitrary code on an affected system.

To mitigate the impact of this vulnerability, users are advised to apply workarounds such as disabling the TIFF codec or deploying the Enhanced Mitigation Experience Toolkit (EMET). Complete instructions are available in Microsoft Security Advisory (2896666).

F-Secure detects files that exploit this vulnerability under the following detection names:

  1. Exploit:W32/BrowserExploitPayload - in current DeepGuard 5 release
  2. Exploit:W32/CVE-2013-3906.E - starting in Hydra database version 2013-11-08_03, which was released on 8 November 2013
  3. Exploit:W32/CVE-2013-3906.C - starting in Hydra database version 2013-11-08_01, which was released on 8 November 2013
  4. Exploit:W32/CVE-2013-3906.B - starting in Hydra database version 2013-11-08_01, which was released on 8 November 2013
  5. Exploit.CVE-2013-3906.Gen - starting in Aquarius database version 2013-11-07_01, which was released on 7 November 2013
  6. Exploit:W32/CVE-2013-3906.A - starting in Hydra database version 2013-11-06_03, which was released on 6 November 2013
  7. Trojan-Dropper:W32/Agent.DUOX - starting in Hydra database version 2013-11-06_05, which was released on 6 November 2013
  8. Gen:Variant.Graftor.111627 - starting in Aquarius database version 2013-10-16_07, which was released on 16 October 2013

Allow F-Secure products to block the installation of files that exploit this vulnerability.

CVE Reference


  • CVE-2013-3906

Detected Exploit


Detections

  • Exploit:W32/BrowserExploitPayload
  • Exploit:W32/CVE-2013-3906.E
  • Exploit:W32/CVE-2013-3906.C
  • Exploit:W32/CVE-2013-3906.B
  • Exploit.CVE-2013-3906.Gen
  • Exploit:W32/CVE-2013-3906.A
  • Trojan-Dropper:W32/Agent.DUOX
  • Gen:Variant.Graftor.111627

Databases

  • Current DeepGuard 5 release
  • Hydra database version 2013-11-08_03 at 23:54:41 UTC
  • Hydra database version 2013-11-08_01 at 10:23:51 UTC
  • Hydra database version 2013-11-08_01 at 10:23:51 UTC
  • Aquarius database version 2013-11-07_01 at 02:05:22 UTC
  • Hydra database version 2013-11-06_03 at 18:34:00 UTC
  • Hydra database version 2013-11-06_05 at 20:23:37 UTC
  • Aquarius database version 2013-10-16_07 at 17:53:24 UTC

Release Dates

  • 8 November 2013
  • 7 November 2013
  • 6 November 2013
  • 16 October 2013

Solution

Microsoft recommends that users apply the following workarounds to mitigate the impact of the vulnerability until a patch is released:

  • Disable the TIFF codec (instructions are given in the Microsoft advisory)
  • Deploy the Enhanced Mitigation Experience Toolkit (EMET)

For complete instructions, please refer to Microsoft Security Advisory (2896666).
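The following PowerShell is an added example, not code from F-Secure or from Microsoft's Fix it, that reports and applies the "disable the TIFF codec" workaround on one host. It assumes the registry value documented in Microsoft Security Advisory 2896666 (a DWORD named DisableTIFFCodec set to 1 under HKLM\SOFTWARE\Microsoft\Gdiplus) and must run from an elevated prompt.

```powershell
# Added example: check or apply the TIFF codec workaround from MS Advisory 2896666.
# Assumption: the documented value is HKLM\SOFTWARE\Microsoft\Gdiplus\DisableTIFFCodec (DWORD) = 1.
$GdiplusKey = 'HKLM:\SOFTWARE\Microsoft\Gdiplus'
$ValueName  = 'DisableTIFFCodec'

function Get-TiffCodecState {
    # Returns 'Disabled' when the workaround value is present and set to 1,
    # otherwise 'Enabled' (the GDI+ default, with TIFF decoding active).
    $item = Get-ItemProperty -Path $GdiplusKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$ValueName -eq 1) { return 'Disabled' }
    return 'Enabled'
}

function Set-TiffCodecWorkaround {
    # Applies the workaround, or removes it again with -Revert once the vendor
    # patch is installed. Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Revert)

    if ($Revert) {
        if ($PSCmdlet.ShouldProcess("$GdiplusKey\$ValueName", 'Remove workaround value')) {
            Remove-ItemProperty -Path $GdiplusKey -Name $ValueName -ErrorAction SilentlyContinue
        }
    } else {
        if (-not (Test-Path $GdiplusKey)) { New-Item -Path $GdiplusKey -Force | Out-Null }
        if ($PSCmdlet.ShouldProcess("$GdiplusKey\$ValueName", 'Set DWORD value to 1')) {
            New-ItemProperty -Path $GdiplusKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
    return (Get-TiffCodecState)
}

# Usage: report the current state, apply the workaround, then confirm it took effect.
"TIFF codec before: $(Get-TiffCodecState)"
Set-TiffCodecWorkaround | Out-Null
"TIFF codec after:  $(Get-TiffCodecState)"
```

Run `Set-TiffCodecWorkaround -WhatIf` first to see the registry change without applying it, and `Set-TiffCodecWorkaround -Revert` to undo the workaround after the patch is deployed.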

Removal/Disinfection

Allow F-Secure Internet Security or F-Secure Anti-Virus to block installation of malicious files, and to remove or disinfect malicious files if found on the system.

Original Source


Microsoft Security Advisory (2896666)
