Updates and Mitigation to Microsoft Office Zero-Day Threat (CVE-2013-3906)


On November 5, Microsoft posted Security Advisory 2896666. This vulnerability, discovered by Haifei Li of McAfee Labs, affects multiple versions of Microsoft Office, Windows, and Lync. Successful exploitation could result in the ability to execute arbitrary code on a vulnerable host (a remote code execution vulnerability).

The issue is an integer overflow in the handling of maliciously crafted TIFF image files. A remote attacker can exploit this flaw through a specially crafted email message, a malicious binary, or a maliciously crafted web page. An attacker who successfully exploits the vulnerability gains the same user rights as the current user.
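The integer-overflow class named above, as an added example that is not part of the McAfee post and does not reproduce Microsoft's actual faulty computation (the advisory gives no such detail): a naive 32-bit size calculation for a TIFF directory entry beside a hardened IFD walker that computes sizes in 64 bits and bounds-checks out-of-line data. The header, entry layout and type sizes follow TIFF 6.0; the 30-byte sample file and the check_sample helper are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte sizes of TIFF 6.0 field types 1..12 (index 0 = invalid type). */
static const uint32_t tiff_type_size[13] = {0,1,1,2,4,8,1,1,2,4,8,4,8};
enum { TIFF_OK = 0, TIFF_BAD_HEADER, TIFF_BAD_TYPE, TIFF_OVERFLOW, TIFF_OUT_OF_BOUNDS };
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* The vulnerable pattern: a 32-bit product silently wraps to a small value,
   so a later bounds check or allocation is made against the wrong size. */
uint32_t naive_entry_bytes(uint32_t count, uint16_t type) {
    return count * tiff_type_size[type];          /* wraps once count*size >= 2^32 */
}

/* Hardened walk of the first IFD of a little-endian TIFF: each entry's data size
   is computed in 64 bits, and out-of-line data must lie inside the file. */
int tiff_check_ifd(const uint8_t *buf, size_t len) {
    if (len < 8 || memcmp(buf, "II", 2) != 0 || rd16(buf + 2) != 42) return TIFF_BAD_HEADER;
    uint32_t ifd = rd32(buf + 4);
    if (ifd < 8 || (size_t)ifd + 2 > len) return TIFF_BAD_HEADER;
    uint16_t n = rd16(buf + ifd);
    if ((size_t)ifd + 2 + (size_t)n * 12 > len) return TIFF_BAD_HEADER;
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + (size_t)i * 12;  /* tag, type, count, value */
        uint16_t type = rd16(e + 2);
        if (type == 0 || type > 12) return TIFF_BAD_TYPE;
        uint64_t bytes = (uint64_t)rd32(e + 4) * tiff_type_size[type];
        if (bytes > UINT32_MAX) return TIFF_OVERFLOW;       /* naive code would wrap here */
        if (bytes > 4 && (uint64_t)rd32(e + 8) + bytes > len) return TIFF_OUT_OF_BOUNDS;
    }
    return TIFF_OK;
}

/* Constructed 30-byte TIFF: header, one IFD entry (tag 0x0117 StripByteCounts,
   type 4 = LONG) with a caller-chosen count, out-of-line data at offset 26. */
int check_sample(uint32_t count) {
    uint8_t b[30] = {'I','I',42,0, 8,0,0,0, 1,0, 0x17,0x01, 4,0};
    for (int i = 0; i < 4; i++) b[14 + i] = (uint8_t)(count >> (8 * i));
    b[18] = 26;                                   /* value/offset field */
    return tiff_check_ifd(b, sizeof b);
}

int main(void) {
    printf("count=1: %d  count=2: %d  count=0x40000000: %d  naive bytes: %u\n",
           check_sample(1), check_sample(2), check_sample(0x40000000u),
           naive_entry_bytes(0x40000000u, 4));   /* prints 0  4  3  0 */
    return 0;
}
```

With count 0x40000000 the naive product wraps to 0, so a parser trusting it would pass its bounds check and then copy a gigabyte of elements into a zero-byte buffer; the 64-bit check rejects the entry before any allocation.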

Our blog post, McAfee Labs Detects Zero-Day Exploit Targeting Microsoft Office, describes the issue in further detail.


McAfee Product Coverage/Mitigation

  • McAfee VirusScan (Updated Nov 5)
    • MD5: 97bcb5031d28f55f20e6f3637270751d (Payload) – BackDoor-FBKI!920FEFDC36DA
    • MD5: cb28d93d9eb3c38058a24ad3b05ec3eb (Payload) – Generic Backdoor.u
    • MD5: 5ba7ed3956f76df0e12b8ae7985aa171 (Payload) – Artemis!5BA7ED3956F7
    • MD5: 5a95ca7da496d8bd22b779c4e6f41df9 (Payload) – Generic Backdoor.u
    • MD5: b44359628d7b03b68b41b14536314083 (Office Document) – Exploit-CVE2013-3906
    • MD5: 1FD4F3F063D641F84C5776C2C15E4621 (Office Document) – Exploit-CVE2013-3906
  • McAfee Network Security Platform (Updated Nov 5)
    • UDS-ShantiMalwareDetected
  • McAfee Vulnerability Manager (Updated Nov 5)
    • MVM / FSL Check to release 11/5/2013


General Indicators:

MD5 hash list:


Network:

  • hxxp://myflatnet[.]com
  • 31[.]210[.]96[.]213
  • http query: hxxp://myflatnet[.]com[:]80 GET /ralph_3/winword.exe
  • http query: hxxp://myflatnet[.]com[:]80 GET /new_red/winword.exe
  • http query: hxxp://myflatnet[.]com[:]80 GET /bruce_3/winword.exe
  • http query: hxxp://myflatnet[.]com[:]80 GET /blue/winword.exe
