

Vulnerability protection

Microsoft Graphics component vulnerability could allow remote code execution


Report ID: MAPP-CVE20133906
Date Published: 8 November 2013
Date Revised:

Criticality: Critical
Compromise Type: remote-code-execution
Compromise From: remote


Affected Product/Component:

Windows Vista
Windows Server 2008
Microsoft Office 2003
Microsoft Office 2007
Microsoft Office 2010
Microsoft Office Compatibility Pack
Microsoft Lync 2010
Microsoft Lync 2013
Microsoft Lync Basic




Summary

A vulnerability in the Microsoft Graphics component could, upon successful exploitation, allow a remote attacker to execute arbitrary code on an affected system.



Detailed Description

Microsoft has reported a remote code execution vulnerability that affects the Microsoft Graphics component. The vulnerability is caused by improper handling of TIFF files, which leads to memory corruption that may give an attacker an opportunity to execute binary code on an affected system.

To mitigate the impact of this vulnerability, users are advised to implement workarounds such as disabling the TIFF codec or deploying the Enhanced Mitigation Experience Toolkit (EMET). Complete instructions are available in Microsoft Security Advisory (2896666).

F-Secure detects the files taking advantage of this vulnerability with these detections:

  1. Exploit:W32/BrowserExploitPayload - in current DeepGuard 5 release
  2. Exploit:W32/CVE-2013-3906.E - starting in Hydra database version 2013-11-08_03, which was released on 8 November 2013
  3. Exploit:W32/CVE-2013-3906.C - starting in Hydra database version 2013-11-08_01, which was released on 8 November 2013
  4. Exploit:W32/CVE-2013-3906.B - starting in Hydra database version 2013-11-08_01, which was released on 8 November 2013
  5. Exploit.CVE-2013-3906.Gen - starting in Aquarius database version 2013-11-07_01, which was released on 7 November 2013
  6. Exploit:W32/CVE-2013-3906.A - starting in Hydra database version 2013-11-06_03, which was released on 6 November 2013
  7. Trojan-Dropper:W32/Agent.DUOX - starting in Hydra database version 2013-11-06_05, which was released on 6 November 2013
  8. Gen:Variant.Graftor.111627 - starting in Aquarius database version 2013-10-16_07, which was released on 16 October 2013

Please allow F-Secure products to block installation of files that take advantage of this vulnerability.



CVE Reference

CVE-2013-3906



Detected Exploit

| Detections | Databases | Release Dates |
|---|---|---|
| Exploit:W32/BrowserExploitPayload | Current DeepGuard 5 release | |
| Exploit:W32/CVE-2013-3906.E | Hydra database version 2013-11-08_03 at 23:54:41 UTC | 8 November 2013 |
| Exploit:W32/CVE-2013-3906.C | Hydra database version 2013-11-08_01 at 10:23:51 UTC | 8 November 2013 |
| Exploit:W32/CVE-2013-3906.B | Hydra database version 2013-11-08_01 at 10:23:51 UTC | 8 November 2013 |
| Exploit.CVE-2013-3906.Gen | Aquarius database version 2013-11-07_01 at 02:05:22 UTC | 7 November 2013 |
| Exploit:W32/CVE-2013-3906.A | Hydra database version 2013-11-06_03 at 18:34:00 UTC | 6 November 2013 |
| Trojan-Dropper:W32/Agent.DUOX | Hydra database version 2013-11-06_05 at 20:23:37 UTC | 6 November 2013 |
| Gen:Variant.Graftor.111627 | Aquarius database version 2013-10-16_07 at 17:53:24 UTC | 16 October 2013 |

 



Solution

Microsoft recommends that users apply the following workarounds to mitigate the impact of the vulnerability until a patch is released:

  • Disable the TIFF codec. Get instructions here
  • Deploy the Enhanced Mitigation Experience Toolkit (EMET)

For complete instructions, please refer to Microsoft Security Advisory (2896666).

 

Removal/Disinfection
Allow F-Secure Internet Security or F-Secure Anti-Virus to block installation of malicious files, and to remove or disinfect malicious files if found on the system.



Additional Info

-



