0-Day Fixes

Microsoft Graphics Component vulnerability could allow remote code execution

Details
Report ID: MAPP-CVE20133906
Date Published: 8 November 2013
Date Revised:  
Criticality: Critical
Compromise Type: remote-code-execution
Compromise From: remote
Affected Product/Component:
Windows Vista
Windows Server 2008
Microsoft Office 2003
Microsoft Office 2007
Microsoft Office 2010
Microsoft Office Compatibility Pack
Microsoft Lync 2010
Microsoft Lync 2013
Microsoft Lync Basic

Summary

A vulnerability in the Microsoft Graphics component could, upon successful exploitation, allow a remote attacker to execute arbitrary code on an affected system.

Detailed Description

Microsoft has reported a remote code execution vulnerability that affects the Microsoft Graphics component. The vulnerability is caused by improper handling of TIFF image files, which leads to memory corruption that an attacker may be able to use to execute arbitrary code on an affected system.

To mitigate the impact of this vulnerability until a patch is available, users are advised to apply workarounds such as disabling the TIFF codec or deploying the Enhanced Mitigation Experience Toolkit (EMET). Complete instructions are available in Microsoft Security Advisory (2896666).

F-Secure detects files that exploit this vulnerability with the following detections:

  1. Exploit:W32/BrowserExploitPayload - in current DeepGuard 5 release
  2. Exploit:W32/CVE-2013-3906.E - starting in Hydra database version 2013-11-08_03, which was released on 8 November 2013
  3. Exploit:W32/CVE-2013-3906.C - starting in Hydra database version 2013-11-08_01, which was released on 8 November 2013
  4. Exploit:W32/CVE-2013-3906.B - starting in Hydra database version 2013-11-08_01, which was released on 8 November 2013
  5. Exploit.CVE-2013-3906.Gen - starting in Aquarius database version 2013-11-07_01, which was released on 7 November 2013
  6. Exploit:W32/CVE-2013-3906.A - starting in Hydra database version 2013-11-06_03, which was released on 6 November 2013
  7. Trojan-Dropper:W32/Agent.DUOX - starting in Hydra database version 2013-11-06_05, which was released on 6 November 2013
  8. Gen:Variant.Graftor.111627 - starting in Aquarius database version 2013-10-16_07, which was released on 16 October 2013

Allow F-Secure products to block the installation of files that exploit this vulnerability.

CVE Reference

  • CVE-2013-3906

Detected Exploit

Detections, with the database that introduced each and its release date
  • Exploit:W32/BrowserExploitPayload - current DeepGuard 5 release
  • Exploit:W32/CVE-2013-3906.E - Hydra database version 2013-11-08_03 at 23:54:41 UTC (8 November 2013)
  • Exploit:W32/CVE-2013-3906.C - Hydra database version 2013-11-08_01 at 10:23:51 UTC (8 November 2013)
  • Exploit:W32/CVE-2013-3906.B - Hydra database version 2013-11-08_01 at 10:23:51 UTC (8 November 2013)
  • Exploit.CVE-2013-3906.Gen - Aquarius database version 2013-11-07_01 at 02:05:22 UTC (7 November 2013)
  • Exploit:W32/CVE-2013-3906.A - Hydra database version 2013-11-06_03 at 18:34:00 UTC (6 November 2013)
  • Trojan-Dropper:W32/Agent.DUOX - Hydra database version 2013-11-06_05 at 20:23:37 UTC (6 November 2013)
  • Gen:Variant.Graftor.111627 - Aquarius database version 2013-10-16_07 at 17:53:24 UTC (16 October 2013)

Solution

Microsoft recommends that users apply the following workarounds to mitigate the impact of the vulnerability until a patch is released:

  • Disable the TIFF codec (step-by-step instructions are in Microsoft Security Advisory (2896666))
  • Deploy the Enhanced Mitigation Experience Toolkit (EMET)

For complete instructions, please refer to Microsoft Security Advisory (2896666).
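The following PowerShell script is an added example, not part of the F-Secure advisory or of Microsoft's published Fix it, showing how an administrator can check whether the "disable the TIFF codec" workaround is in place and apply or reverse it. The registry location and value name (HKLM\SOFTWARE\Microsoft\Gdiplus, DisableTIFFCodec) are an assumption taken from Microsoft Security Advisory 2896666 and should be confirmed against that advisory before the script is used.

```powershell
# Added example for the TIFF codec workaround described in the advisory.
# Assumption: the registry location below is the one documented in
# Microsoft Security Advisory 2896666; verify it before use.
param(
    [switch]$Apply,   # set the workaround (DisableTIFFCodec = 1)
    [switch]$Revert   # remove the workaround after the permanent update is installed
)

$GdiPlusKey = 'HKLM:\SOFTWARE\Microsoft\Gdiplus'   # assumed, per advisory 2896666
$ValueName  = 'DisableTIFFCodec'                   # assumed, per advisory 2896666

function Get-TiffCodecState {
    # Returns 'Disabled' when the workaround is active, 'Enabled' when the
    # value exists but is not 1, and 'NotConfigured' when key or value is absent.
    $item = Get-ItemProperty -Path $GdiPlusKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ([int]$item.$ValueName -eq 1) { return 'Disabled' }
    return 'Enabled'
}

function Disable-TiffCodec {
    # Create the key if needed and set the DWORD value to 1 (workaround on).
    if (-not (Test-Path $GdiPlusKey)) { New-Item -Path $GdiPlusKey -Force | Out-Null }
    New-ItemProperty -Path $GdiPlusKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Enable-TiffCodec {
    # Remove the value so GDI+ renders TIFF images again (workaround off).
    Remove-ItemProperty -Path $GdiPlusKey -Name $ValueName -ErrorAction SilentlyContinue
}

# Report the current state, then change it only when explicitly asked to.
Write-Output "TIFF codec workaround state before: $(Get-TiffCodecState)"
if ($Apply)  { Disable-TiffCodec }
if ($Revert) { Enable-TiffCodec }
if ($Apply -or $Revert) {
    Write-Output "TIFF codec workaround state after:  $(Get-TiffCodecState)"
}
```

Run it from an elevated PowerShell prompt; without switches it only reports, `-Apply` sets the workaround and `-Revert` removes it. The reporting mode is the useful part for a fleet: it can be pushed through configuration management to confirm which hosts still have the workaround active once the permanent update has been deployed, and the same check gives a quick audit of which hosts were left unprotected in the interim. Keep in mind that while the workaround is active, applications that rely on the GDI+ TIFF codec will not be able to display TIFF images, so pair it with the EMET deployment the advisory recommends rather than relying on it alone.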

Removal/Disinfection

Allow F-Secure Internet Security or F-Secure Anti-Virus to block the installation of malicious files, and to remove or disinfect any malicious files found on the system.

Original Source

Microsoft Security Advisory (2896666)