Updates and Mitigation to Microsoft Office Zero-Day Threat (CVE-2013-3906)

On November 5, Microsoft posted Security Advisory 2896666. The vulnerability it covers, discovered by Haifei Li of McAfee Labs, affects multiple versions of Microsoft Office, Windows, and Lync. Successful exploitation could allow an attacker to execute arbitrary code on a vulnerable host (a remote code execution vulnerability).

The issue (an integer overflow) lies in the handling of maliciously crafted TIFF files. A remote attacker can potentially exploit this flaw via a specially crafted email message, distribution of a malicious binary, or a maliciously crafted web page. Successful exploitation gives the attacker the same user rights as the current user.

Our blog post (McAfee Labs Detects Zero-Day Exploit Targeting Microsoft Office) describes the issue in further detail.

McAfee Product Coverage/Mitigation

  • McAfee VirusScan (Updated Nov 5)
    • MD5: 97bcb5031d28f55f20e6f3637270751d (Payload) – BackDoor-FBKI!920FEFDC36DA
    • MD5: cb28d93d9eb3c38058a24ad3b05ec3eb (Payload) – Generic Backdoor.u
    • MD5: 5ba7ed3956f76df0e12b8ae7985aa171 (Payload) – Artemis!5BA7ED3956F7
    • MD5: 5a95ca7da496d8bd22b779c4e6f41df9 (Payload) – Generic Backdoor.u
    • MD5: b44359628d7b03b68b41b14536314083 (Office Document) – Exploit-CVE2013-3906
    • MD5: 1FD4F3F063D641F84C5776C2C15E4621 (Office Document) – Exploit-CVE2013-3906
  • McAfee Network Security Platform (Updated Nov 5)
    • UDS-ShantiMalwareDetected
  • McAfee Vulnerability Manager (Updated Nov 5)
    • MVM / FSL Check to release 11/5/2013

General Indicators:

MD5 hash list:

Network:

  • h x x p: // myflatnet[.]com
  • 31[.]210[.]96[.]213
  • http query: h x x p: / / myflatnet[.]com[:]80 GET / ralph_3/ winword.exe
  • http query: h x x p: / / myflatnet[.]com[:]80 GET / new_red/ winword.exe
  • http query: h x x p: / / myflatnet[.]com[:]80 GET / bruce_3/ winword.exe
  • http query: h x x p: / / myflatnet[.]com[:]80 GET / blue / winword.exe
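
One way to hunt proxy logs for the network indicators listed above (added example, not McAfee's code). The log format, the sample lines and the function names are constructed for illustration, and it assumes the spaces in the listed queries are defanging.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the Network list above, kept defanged in source.
DEFANGED_HOSTS = ["myflatnet[.]com", "31[.]210[.]96[.]213"]
# Assumption: spaces in the listed queries are defanging, so the real
# paths are /<dir>/winword.exe for these four directories.
PAYLOAD_DIRS = {"ralph_3", "new_red", "bruce_3", "blue"}

def refang(indicator: str) -> str:
    """Undo common defanging (hxxp, [.], [:]) so the value can be matched."""
    s = indicator.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", s, flags=re.I).lower()

BAD_HOSTS = {refang(h) for h in DEFANGED_HOSTS}

def classify(url: str):
    """Return 'payload-fetch', 'listed-host', or None for a requested URL."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")
    if host not in BAD_HOSTS and not any(host.endswith("." + h) for h in BAD_HOSTS):
        return None
    segs = [s for s in parts.path.lower().split("/") if s]
    if len(segs) == 2 and segs[0] in PAYLOAD_DIRS and segs[1] == "winword.exe":
        return "payload-fetch"
    return "listed-host"

def hunt(log_text: str) -> list:
    """Return (client, verdict, url) for each log line that hits an indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines instead of aborting the hunt
        _time, client, _method, url, _status = fields
        verdict = classify(url)
        if verdict:
            hits.append((client, verdict, url))
    return hits

# Constructed sample log (time client method url status); hosts refanged at runtime.
D, IP = refang("myflatnet[.]com"), refang("31[.]210[.]96[.]213")
SAMPLE_LOG = "\n".join([
    f"2013-11-06T09:14:02Z 10.0.4.17 GET http://{D.upper()}:80/ralph_3/winword.exe 200",
    f"2013-11-06T09:14:09Z 10.0.4.17 GET http://{IP}/index.html 200",
    "2013-11-06T09:15:40Z 10.0.4.22 GET http://example.org/blue/winword.exe 404",
    f"2013-11-06T09:16:11Z 10.0.4.31 GET http://not{D}/blue/winword.exe 200",
    f"2013-11-06T09:17:55Z 10.0.4.40 CONNECT {D}:443 200",
])
```

Calling `hunt(SAMPLE_LOG)` returns the matching client addresses with a verdict per line; a `payload-fetch` verdict means the request matched both a listed host and one of the listed `winword.exe` paths.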
