Microsoft Security Advisory (2896666)

Discussion in 'other security issues & news' started by siljaline, Nov 5, 2013.

Thread Status:
Not open for further replies.
  1. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution
    https://technet.microsoft.com/en-us/security/advisory/2896666
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,757
    Location:
    Texas
    http://blogs.technet.com/b/srd/arch...d-through-word-documents.aspx?Redirected=true
     
  3. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,757
    Location:
    Texas
    https://blogs.technet.com/b/msrc/ar...rity-advisory-2896666-v2.aspx?Redirected=true
     
  5. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Hmm. Anyone know more about the ITW attacks using this exploit? Do they try to invoke any privilege elevation exploits, etc. before running their payload?

    Also, weird that Windows XP itself is not affected, though versions of Office running on it are. I take it that Office at one point used different image rendering libraries than Windows?
     
  6. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    http://blogs.mcafee.com/mcafee-labs...zero-day-exploit-targeting-microsoft-office-2
     
  7. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,757
    Location:
    Texas
    Excellent work McAfee. :)
     
  8. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  9. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Another multistage dropper... Feh. It looks like this thing could be halted at several different locations after Word gets compromised.

    - Download of the fake winword.exe archive. MS Word wouldn't normally download files on its own; an outbound firewall would block this.

    - Unpacking of the self-extracting archive. Pretty much any HIPS/FW out there would see this, and most could be configured to block it without any user input. (Why should MS Word ever be allowed to launch another application?)

    - Running the backdoor executable, Updates.exe. As above, only this time an antivirus might catch it too.

    All old tactics...

    The most obnoxious thing about this IMO isn't the zero-day exploit, which could have happened to anyone; it's that MS Office still allows things like ActiveX and Flash embedded in text documents.
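
The three stopping points listed in the post above (Word fetching a file, Word launching another program, and the later executable started by that program), written as detection logic over process and network events. This is an added example, not part of the original thread: the event fields, paths, PIDs and address are constructed, and the Office host list and install root are assumptions.

```python
import ntpath

OFFICE_NAMES = {"winword.exe", "excel.exe", "powerpnt.exe"}  # assumed host list
TRUSTED_ROOT = "c:\\program files"  # assumed install root; also covers "(x86)"

# Constructed sample events (simplified, Sysmon-like); not data from the thread.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2001, "ppid": 1000,
     "image": r"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE"},
    {"type": "network", "pid": 2001, "dest": "203.0.113.10:80"},
    {"type": "process", "pid": 2002, "ppid": 2001, "image": TEMP + r"\winword.exe"},
    {"type": "process", "pid": 2003, "ppid": 2002, "image": TEMP + r"\Updates.exe"},
    {"type": "process", "pid": 3001, "ppid": 1000,
     "image": r"C:\Windows\System32\notepad.exe"},
]


def is_office_host(image):
    """True only for an Office binary under the trusted install root, so a
    same-named file dropped in a temp directory is not treated as Word."""
    path = image.lower()
    return ntpath.basename(path) in OFFICE_NAMES and path.startswith(TRUSTED_ROOT)


def detect(events):
    """Return (rule, pid, detail) alerts; PID reuse is ignored for brevity."""
    office, tainted, alerts = set(), set(), []
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "network":
            if pid in office:  # Word itself fetching something
                alerts.append(("OFFICE_NET", pid, ev["dest"]))
        elif ev["ppid"] in office:  # Word launching another program
            alerts.append(("OFFICE_CHILD", pid, ev["image"]))
            tainted.add(pid)
        elif ev["ppid"] in tainted:  # later stage started by that child
            alerts.append(("OFFICE_DESCENDANT", pid, ev["image"]))
            tainted.add(pid)
        elif is_office_host(ev["image"]):
            office.add(pid)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```
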
     
  10. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,029
    Location:
    Lloegyr
    My laptop runs Vista but doesn't have MS Word. Does this make me safer?
     
  11. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    A note from this article that some might find of interest:
    http://www.computerworld.com/s/arti...rns_of_Office_zero_day_active_hacker_exploits

     
  12. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
  13. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Clarification on Security Advisory 2896666 and the ANS for the November 2013 Security Bulletin Release -
    http://blogs.technet.com/b/msrc/arc...-november-2013-security-bulletin-release.aspx
     
  14. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,757
    Location:
    Texas
  15. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Noted, although I thought the link would help for better clarity of this thread.
     