
Updates and Mitigation to Microsoft Office Zero-Day Threat (CVE-2013-3906)

Posted on Nov 06, 2013

On November 5, Microsoft posted Security Advisory 2896666 for this vulnerability, which was discovered by Haifei Li of McAfee Labs. It affects multiple versions of Microsoft Office, Windows, and Lync. Successful exploitation lets an attacker execute arbitrary code on the vulnerable host (a remote code execution vulnerability).

The issue is an integer overflow in the handling of maliciously crafted TIFF image files. A remote attacker can exploit the flaw by sending a specially crafted email message, distributing a malicious file, or hosting a maliciously crafted web page. Successful exploitation gives the attacker the same user rights as the current user, so accounts that run with fewer privileges are less exposed than administrative accounts.

Our blog post (McAfee Labs Detects Zero-Day Exploit Targeting Microsoft Office) describes the issue in further detail.

McAfee Product Coverage/Mitigation

  • McAfee VirusScan (Updated Nov 5)
    • MD5: 97bcb5031d28f55f20e6f3637270751d (Payload) - BackDoor-FBKI!920FEFDC36DA
    • MD5: cb28d93d9eb3c38058a24ad3b05ec3eb (Payload) - Generic Backdoor.u
    • MD5: 5ba7ed3956f76df0e12b8ae7985aa171 (Payload) - Artemis!5BA7ED3956F7
    • MD5: 5a95ca7da496d8bd22b779c4e6f41df9 (Payload) - Generic Backdoor.u
    • MD5: b44359628d7b03b68b41b14536314083 (Office Document) - Exploit-CVE2013-3906
    • MD5: 1FD4F3F063D641F84C5776C2C15E4621 (Office Document) - Exploit-CVE2013-3906
  • McAfee Network Security Platform (Updated Nov 5)
    • UDS-ShantiMalwareDetected
  • McAfee Vulnerability Manager (Updated Nov 5)
    • MVM / FSL Check to release 11/5/2013


General Indicators:

MD5 hash list:

  • b44359628d7b03b68b41b14536314083
  • 97bcb5031d28f55f20e6f3637270751d
  • cb28d93d9eb3c38058a24ad3b05ec3eb
  • 1fd4f3f063d641f84c5776c2c15e4621
  • 5ba7ed3956f76df0e12b8ae7985aa171
  • 5a95ca7da496d8bd22b779c4e6f41df9
  • fd75a23d8b3345e550c4a9bbc6dd2a0e
  • 4e878b13459f652a99168aad2dce7c9a
  • 6a57cda67939806359a03a86fd0eabc2
  • 1510821831c6e2bcbffba909bb48a437
  • 654f558cf824e98dde09b197dbdfd407
  • 0d51296e5c74a22339ec8b7e318f274a
  • 701a6063458120943a6d3a4eb4440373
  • 4f73248a2641a5bc1a14bda3ef11f454 (Embedded)
  • 6cad22128a105c455bd4a5152272239d (Embedded)
  • 7523a56ea1526fa027735e09bffff00e (Embedded)
  • abc311f99a72002457f28fe26bd2e59d (Embedded)
  • c035acd1c10d8b17773d23be4059754f (Embedded)
  • e6fa16d2e808103ab9bec5676146520b (Embedded)

Network (defanged; replace hxxp with http and [.] with . when loading into a tool):

  • hxxp://myflatnet[.]com
  • 31[.]210[.]96[.]213
  • HTTP query: GET hxxp://myflatnet[.]com[:]80/ralph_3/winword.exe
  • HTTP query: GET hxxp://myflatnet[.]com[:]80/new_red/winword.exe
  • HTTP query: GET hxxp://myflatnet[.]com[:]80/bruce_3/winword.exe
  • HTTP query: GET hxxp://myflatnet[.]com[:]80/blue/winword.exe
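The indicators above are only useful once they are matched against something. The script below is an added example, not McAfee's code: it refangs the network indicators as printed, normalises the MD5 list (case-folded, duplicates collapsed), and runs both against two constructed inputs, an `md5sum`-style hash inventory and a simple proxy log. The log format (`<timestamp> <client-ip> <METHOD> <url> <status>`), the sample paths and the client addresses are assumptions made for the example; the hashes, host, IP and URL paths are the ones listed on this page.

```python
"""Match the CVE-2013-3906 indicators published above against hash inventories and proxy logs.

Added example (not McAfee's code). Indicator values come from the page; the
sample md5sum output and proxy log lines below are constructed for illustration.
"""
import hashlib
import re
from typing import Iterable
from urllib.parse import urlparse

# Network indicators exactly as published (defanged); refang() restores them.
DEFANGED_HOST = "myflatnet[.]com"
DEFANGED_IP = "31[.]210[.]96[.]213"
DEFANGED_URLS = [
    "hxxp://myflatnet[.]com[:]80/ralph_3/winword.exe",
    "hxxp://myflatnet[.]com[:]80/new_red/winword.exe",
    "hxxp://myflatnet[.]com[:]80/bruce_3/winword.exe",
    "hxxp://myflatnet[.]com[:]80/blue/winword.exe",
]

# MD5 indicators from the list above: lower-cased, repeated entries collapsed.
IOC_MD5 = {
    "b44359628d7b03b68b41b14536314083", "97bcb5031d28f55f20e6f3637270751d",
    "cb28d93d9eb3c38058a24ad3b05ec3eb", "1fd4f3f063d641f84c5776c2c15e4621",
    "5ba7ed3956f76df0e12b8ae7985aa171", "5a95ca7da496d8bd22b779c4e6f41df9",
    "fd75a23d8b3345e550c4a9bbc6dd2a0e", "4e878b13459f652a99168aad2dce7c9a",
    "6a57cda67939806359a03a86fd0eabc2", "1510821831c6e2bcbffba909bb48a437",
    "654f558cf824e98dde09b197dbdfd407", "0d51296e5c74a22339ec8b7e318f274a",
    "701a6063458120943a6d3a4eb4440373", "4f73248a2641a5bc1a14bda3ef11f454",
    "6cad22128a105c455bd4a5152272239d", "7523a56ea1526fa027735e09bffff00e",
    "abc311f99a72002457f28fe26bd2e59d", "c035acd1c10d8b17773d23be4059754f",
    "e6fa16d2e808103ab9bec5676146520b",
}


def refang(s: str) -> str:
    """Undo the defanging conventions used in the indicator list (hxxp, [.], [:])."""
    return s.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


IOC_HOST = refang(DEFANGED_HOST)
IOC_IP = refang(DEFANGED_IP)
IOC_URLS = {refang(u) for u in DEFANGED_URLS}
IOC_PATHS = {urlparse(u).path for u in IOC_URLS}  # /ralph_3/winword.exe, ...


def md5_hex(data: bytes) -> str:
    """MD5 of a file's bytes, in the lower-case hex form used by the IOC set."""
    return hashlib.md5(data).hexdigest()


_MD5SUM_RE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(.+)$")


def match_hashes(md5sum_lines: Iterable[str]) -> list:
    """Compare md5sum-style output ("<md5>  <path>") against IOC_MD5.

    Hash case is folded so the mixed-case entries in the published list still match.
    Returns a list of (path, digest) hits in input order; lines that are not
    md5sum records are skipped.
    """
    hits = []
    for line in md5sum_lines:
        m = _MD5SUM_RE.match(line.strip())
        if not m:
            continue
        digest, path = m.group(1).lower(), m.group(2)
        if digest in IOC_MD5:
            hits.append((path, digest))
    return hits


# Assumed log format for the example: "<timestamp> <client-ip> <METHOD> <url> <status>".
_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def match_proxy_log(lines: Iterable[str]) -> list:
    """Flag proxy records that touch the C2 host/IP or the payload paths, with reasons.

    A record is returned as (client_ip, url, reasons). "domain"/"ip" mean the request
    went to the published C2; "payload-path" means the path matches one of the
    winword.exe download URLs and is reported even on another host, as a weaker
    lead for triage.
    """
    hits = []
    for line in lines:
        m = _LOG_RE.match(line.strip())
        if not m:
            continue
        url = m.group("url")
        parsed = urlparse(url if "://" in url else "http://" + url)
        host = parsed.hostname or ""
        reasons = []
        if host == IOC_HOST:
            reasons.append("domain")
        if host == IOC_IP:
            reasons.append("ip")
        if parsed.path in IOC_PATHS:
            reasons.append("payload-path")
        if reasons:
            hits.append((m.group("client"), url, reasons))
    return hits


# Constructed sample inputs (not real telemetry).
SAMPLE_MD5SUM = """\
b44359628d7b03b68b41b14536314083  /srv/quarantine/invoice.docx
1FD4F3F063D641F84C5776C2C15E4621  /srv/quarantine/agenda.doc
d41d8cd98f00b204e9800998ecf8427e  /srv/quarantine/empty.bin
not-a-hash-line
"""

SAMPLE_PROXY_LOG = """\
2013-11-05T09:14:02Z 10.1.4.23 GET http://myflatnet.com:80/ralph_3/winword.exe 200
2013-11-05T09:15:10Z 10.1.4.23 GET http://31.210.96.213/blue/winword.exe 200
2013-11-05T09:16:44Z 10.1.7.9 GET http://www.example.com/index.html 200
2013-11-05T09:17:01Z 10.1.7.9 GET http://cdn.example.net/new_red/winword.exe 404
"""

if __name__ == "__main__":
    for path, digest in match_hashes(SAMPLE_MD5SUM.splitlines()):
        print(f"HASH HIT  {digest}  {path}")
    for client, url, reasons in match_proxy_log(SAMPLE_PROXY_LOG.splitlines()):
        print(f"NET HIT   {client}  {url}  ({', '.join(reasons)})")
```

Run it against real data by piping `md5sum` output and your proxy's access log through `match_hashes` and `match_proxy_log` (adjust `_LOG_RE` to your log format). Two hash hits and three network hits come out of the constructed samples; the third network hit carries only "payload-path", which is why the reason list is returned rather than a bare boolean: a `winword.exe` fetched from an unrelated host is worth a look but is not one of the published indicators.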
