Microsoft Security Advisory (2896666)

siljaline · Nov 5, 2013

Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution

Microsoft is investigating private reports of a vulnerability in the Microsoft Graphics component that affects Microsoft Windows, Microsoft Office, and Microsoft Lync. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability in Microsoft Office products.

The vulnerability is a remote code execution vulnerability that exists in the way affected components handle specially crafted TIFF images. An attacker could exploit this vulnerability by convincing a user to preview or open a specially crafted email message, open a specially crafted file, or browse specially crafted web content. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Click to expand...

https://technet.microsoft.com/en-us/security/advisory/2896666

ronjor · Nov 5, 2013

CVE-2013-3906: a graphics vulnerability exploited through Word documents
swiat
5 Nov 2013 9:09 AM

The exploit

The attacks observed are very limited and carefully carried out against selected computers, largely in the Middle East and South Asia. The exploit needs some user interaction since it arrives disguised as an email that entices potential victims to open a specially crafted Word attachment. This attachment will attempt to exploit the vulnerability by using a malformed graphics image embedded in the document itself.
Click to expand...

http://blogs.technet.com/b/srd/arch...d-through-word-documents.aspx?Redirected=true

siljaline · Nov 5, 2013

MS Fix It now available:
https://support.microsoft.com/kb/2896666

ronjor · Nov 5, 2013

Microsoft Releases Security Advisory 2896666

Dustin C. Childs

Today we released Security Advisory 2896666 regarding an issue that affects customers using Microsoft Windows Vista and Windows Server 2008, Microsoft Office 2003 through 2010, and all supported versions of Microsoft Lync. We are aware of targeted attacks, largely in the Middle East and South Asia. The current versions of Microsoft Windows and Office are not affected by this issue.
Click to expand...

https://blogs.technet.com/b/msrc/ar...rity-advisory-2896666-v2.aspx?Redirected=true

Gullible Jones · Nov 5, 2013

Hmm. Anyone know more about the ITW attacks using this exploit? Do they try to invoke any privilege elevation exploits, etc. before running their payload?

Also, weird that Windows XP itself is not affected, though versions of Office running on it are. I take it that Office at one point used different image rendering libraries than Windows?

Dermot7 · Nov 5, 2013

Last Thursday morning (October 31), our Advanced Exploit Detection System (AEDS), which we discussed in an earlier post, detected a suspicious sample targeting Microsoft Office. After some investigation, we confirmed this is a zero-day attack.

Considering the importance of this incident, we shared our findings immediately with the Microsoft Security Response Center and worked closely with them in the last couple days. Today, as Microsoft has publicly released the security advisory with mitigations and workarounds, we feel it is time to share some detail of this zero-day attack.
Click to expand...

http://blogs.mcafee.com/mcafee-labs...zero-day-exploit-targeting-microsoft-office-2

ronjor · Nov 5, 2013

Excellent work McAfee.

siljaline · Nov 5, 2013

There seems to be some confusion over O/S in lieu of affected software.

See: https://support.microsoft.com/kb/2896666#appliesto

Gullible Jones · Nov 5, 2013

Another multistage dropper... Feh. It looks like this thing could be halted at several different locations after Word gets compromised.

- Download of the fake winword.exe archive. MS Word wouldn't normally download files on its own; an outbound firewall would block this.

- Unpacking of the self-extracting archive. Pretty much any HIPS/FW out there would see this, and most could be configured to block it without any user input. (Why should MS Word ever be allowed to launch another application?)

- Running the backdoor executable, Updates.exe. As above, only this time an antivirus might catch it too.

All old tactics...

The most obnoxious thing about this IMO isn't the zero-day exploit, which could have happened to anyone; it's that MS Office still allows things like ActiveX and Flash embedded in text documents.

Daveski17 · Nov 5, 2013

My laptop runs Vista but doesn't have MS Word. Does this make me safer?

siljaline · Nov 6, 2013

A note from this article that some might find of interest:
http://www.computerworld.com/s/arti...rns_of_Office_zero_day_active_hacker_exploits

"I would not expect it on Patch Tuesday," Storms said in an interview today. "If it was IE [Internet Explorer], maybe. And I don't think they're taking any chances, what with the problems with some updates lately. They'll move very cautiously on this, unless their telemetry shows that attacks have really spread."
Click to expand...

Dermot7 · Nov 6, 2013

Microsoft Office Zeroday used to attack Pakistani targets
Click to expand...

http://www.alienvault.com/open-thre...fice-zeroday-used-to-attack-pakistani-targets

siljaline · Nov 9, 2013

Clarification on Security Advisory 2896666 and the ANS for the November 2013 Security Bulletin Release -

While this release won’t include an update for the issue first described in Security Advisory 2896666, we’d like to tell you a bit more about it. We’re working to develop a security update and we’ll release it when ready. In the meantime, the advisory includes a Fix it which prevents the attacks from succeeding and we recommend customers apply it to help protect their systems. We also want to provide clarification on the products that the advisory notes are affected. We’ve seen some confusion due to the shared nature of the GDI+ component, which is where the issue resides. There are three ways you can have the GDI+ component installed on your system: Office, Windows, and Lync.
Click to expand...

http://blogs.technet.com/b/msrc/arc...-november-2013-security-bulletin-release.aspx

ronjor · Nov 9, 2013

Clarification on Security Advisory 2896666 and the ANS for the November 2013 Security Bulletin Release
Click to expand...

Posted here. _> https://www.wilderssecurity.com/showpost.php?p=2302798&postcount=1

siljaline · Nov 9, 2013

Noted although I thought the link would help for better clarity of this thread.

Log in or Sign up

Microsoft Security Advisory (2896666)

siljaline Registered Member

ronjor Global Moderator

siljaline Registered Member

ronjor Global Moderator

Gullible Jones Registered Member

Dermot7 Registered Member

ronjor Global Moderator

siljaline Registered Member

Gullible Jones Registered Member

Daveski17 Registered Member

siljaline Registered Member

Dermot7 Registered Member

siljaline Registered Member

ronjor Global Moderator

siljaline Registered Member

Log in or Sign up

Microsoft Security Advisory (2896666)

siljaline Registered Member

ronjor Global Moderator

siljaline Registered Member

ronjor Global Moderator

Gullible Jones Registered Member

Dermot7 Registered Member

ronjor Global Moderator

siljaline Registered Member

Gullible Jones Registered Member

Daveski17 Registered Member

siljaline Registered Member

Dermot7 Registered Member

siljaline Registered Member

ronjor Global Moderator

siljaline Registered Member

Useful Searches