===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1582
         Vulnerability in Microsoft Graphics Component Could Allow
                           Remote Code Execution
                              6 November 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Windows Vista Service Pack 2
                   Windows Vista x64 Edition Service Pack 2
                   Windows Server 2008 for 32-bit Systems Service Pack 2
                   Windows Server 2008 for x64-based Systems Service Pack 2
                   Windows Server 2008 for Itanium-based Systems Service Pack 2
                   Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
                   Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
                   Microsoft Office 2003 Service Pack 3
                   Microsoft Office 2007 Service Pack 3
                   Microsoft Office 2010 Service Pack 1 (32-bit editions)
                   Microsoft Office 2010 Service Pack 2 (32-bit editions)
                   Microsoft Office 2010 Service Pack 1 (64-bit editions)
                   Microsoft Office 2010 Service Pack 2 (64-bit editions)
                   Microsoft Office Compatibility Pack Service Pack 3
                   Microsoft Lync 2010 (32-bit)
                   Microsoft Lync 2010 (64-bit)
                   Microsoft Lync 2010 Attendee
                   Microsoft Lync 2013 (32-bit)
                   Microsoft Lync Basic 2013 (32-bit)
                   Microsoft Lync 2013 (64-bit)
                   Microsoft Lync Basic 2013 (64-bit)
Publisher:         Microsoft
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Mitigation
CVE Names:         CVE-2013-3906  

Original Bulletin: 
   http://technet.microsoft.com/en-us/security/advisory/2896666

Comment: In-the-wild targeted attacks are exploiting this vulnerability.

         Microsoft has currently only provided mitigations to solve this
         issue.

--------------------------BEGIN INCLUDED TEXT--------------------

Microsoft Security Advisory (2896666)
Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution

Published: Tuesday, November 05, 2013

Version: 1.0

General Information

Executive Summary

Microsoft is investigating private reports of a vulnerability in the Microsoft 
Graphics component that affects Microsoft Windows, Microsoft Office, and 
Microsoft Lync. Microsoft is aware of targeted attacks that attempt to exploit 
this vulnerability in Microsoft Office products.

The vulnerability is a remote code execution vulnerability that exists in the
way affected components handle specially crafted TIFF images. An attacker 
could exploit this vulnerability by convincing a user to preview or open a 
specially crafted email message, open a specially crafted file, or browse 
specially crafted web content. An attacker who successfully exploited the 
vulnerability could gain the same user rights as the current user. Users
whose accounts are configured to have fewer user rights on the system could 
be less impacted than users who operate with administrative user rights.

Affected Software

Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Microsoft Office 2003 Service Pack 3
Microsoft Office 2007 Service Pack 3
Microsoft Office 2010 Service Pack 1 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 1 (64-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office Compatibility Pack Service Pack 3
Microsoft Lync 2010 (32-bit)
Microsoft Lync 2010 (64-bit)
Microsoft Lync 2010 Attendee
Microsoft Lync 2013 (32-bit)
Microsoft Lync Basic 2013 (32-bit)
Microsoft Lync 2013 (64-bit)
Microsoft Lync Basic 2013 (64-bit)

Suggested Actions

Apply Workarounds

Workarounds refer to a setting or configuration change that does not correct 
the underlying issue but would help block known attack vectors before a 
security update is available. See the next section, Workarounds, for more 
information.

Workarounds

Disable the TIFF codec

Note See Microsoft Knowledge Base Article 2896666 to use the automated 
Microsoft Fix it solution to enable or disable this workaround.

You can prevent TIFF files from being displayed by modifying the registry to 
control the parsing of the TIFF codec. By changing the registry entries, you 
can control which images are parsed and rendered and which images are rejected
in GDI+. For example, you can select to parse and render Joint Photographic 
Experts Group (JPEG) images, but block Tagged Image File Format (TIFF) images.

Warning: If you use Registry Editor incorrectly, you may cause serious problems 
that may require you to reinstall your operating system. Microsoft cannot 
guarantee that you can solve problems that result from using Registry 
Editor incorrectly. Use Registry Editor at your own risk.

Note After you change a registry entry, you must restart the application that 
uses the codec.

To disable the TIFF codec:

    1. Create the following registry subkey:

       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Gdiplus

    2. Under the subkey you created in step 1, create a registry entry
       (DWORD value) for the TIFF codec named:

       DisableTIFFCodec

    3. To disable the TIFF codec, set the value of the DisableTIFFCodec
       registry entry to 1.

Impact of Workaround. You will not be able to view TIFF files.

How to undo the workaround

	To re-enable the TIFF codec, set the value of the DisableTIFFCodec 
	registry entry to 0.
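The registry workaround above, scripted as an added PowerShell example (not part of the Microsoft advisory or its Fix it). It assumes an elevated session and writes only the key the advisory names; the state function is there so the setting can be audited across a fleet rather than trusted after a single write.

```powershell
# Added example, not from the advisory: apply, audit and revert DisableTIFFCodec.
$GdiplusKey = 'HKLM:\SOFTWARE\Microsoft\Gdiplus'
$ValueName  = 'DisableTIFFCodec'

function Get-TiffCodecState {
    # Returns 'Disabled', 'Enabled' or 'NotConfigured' so results from many
    # hosts can be compared against the intended baseline.
    $item = Get-ItemProperty -Path $GdiplusKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$ValueName -eq 1) { return 'Disabled' }
    return 'Enabled'
}

function Set-TiffCodecWorkaround {
    param([switch]$Undo)      # -Undo sets the value back to 0 (re-enables TIFF)
    $target = if ($Undo) { 0 } else { 1 }
    # Step 1: create the subkey if it is missing.
    if (-not (Test-Path $GdiplusKey)) { New-Item -Path $GdiplusKey -Force | Out-Null }
    # Steps 2 and 3: DWORD DisableTIFFCodec = 1 (or 0 to undo); -Force overwrites.
    New-ItemProperty -Path $GdiplusKey -Name $ValueName -PropertyType DWord `
                     -Value $target -Force | Out-Null
    # Read the value back instead of assuming the write succeeded.
    $actual = (Get-ItemProperty -Path $GdiplusKey -Name $ValueName).$ValueName
    if ($actual -ne $target) { throw "Expected $ValueName=$target but found $actual" }
    # Per the advisory, applications using the codec must be restarted.
    Write-Output "$ValueName is now $actual; restart Office, Lync and other GDI+ users."
}

# Usage:
#   Set-TiffCodecWorkaround        # disable the TIFF codec
#   Get-TiffCodecState             # audit: expect 'Disabled'
#   Set-TiffCodecWorkaround -Undo  # re-enable it
```

On 64-bit Windows a 32-bit application reads HKLM\SOFTWARE through the Wow6432Node redirection, so if 32-bit Office is installed on x64, audit that view as well; the advisory names only the key above.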

Deploy the Enhanced Mitigation Experience Toolkit

The Enhanced Mitigation Experience Toolkit (EMET) helps mitigate the 
exploitation of this vulnerability by adding additional protection layers that 
make the vulnerability harder to exploit. EMET 4.0 is officially supported by
Microsoft. At this time, EMET is only available in the English language. For 
more information, see Microsoft Knowledge Base Article 2458544.

For more information about configuring EMET, see the EMET User's Guide:
On 32-bit systems the EMET User's Guide is located in C:\Program Files\EMET\EMET User's Guide.pdf
On 64-bit systems the EMET User's Guide is located in C:\Program Files (x86)\EMET\EMET User's Guide.pdf

Configure EMET 4.0 for affected software

EMET 4.0, in the recommended configuration, is automatically configured to help
protect the affected software installed on your system. No additional steps 
are required.

Configure EMET 3.0 for affected software from the EMET user interface

Office applications:

To add an Office application to the list of applications using EMET 3.0,
perform the following steps. You need to perform these steps for each of the
following Office application executables:

        Word.exe, Excel.exe, PowerPoint.exe, InfoPath.exe, Outlook.exe,
        Publisher.exe, OneNote.exe, wordview.exe, Pptview.exe, Lync.exe

    1. Click Start, All Programs, Enhanced Mitigation Experience Toolkit, and
       EMET 3.0.
    2. Click Yes on the UAC prompt, click Configure Apps, then select Add.
    3. Select and add the above-mentioned executables into the EMET
       configuration from the Office installation folder:

       For 32-bit versions of Microsoft Office software and Lync 2013:

           For Office 2003: %ProgramFiles(x86)%\Microsoft Office\Office11\
           For Office 2007: %ProgramFiles(x86)%\Microsoft Office\Office12\
           For Office 2010: %ProgramFiles(x86)%\Microsoft Office\Office14\

       OR

           For Office 2003: %ProgramFiles%\Microsoft Office\Office11\
           For Office 2007: %ProgramFiles%\Microsoft Office\Office12\
           For Office 2010: %ProgramFiles%\Microsoft Office\Office14\

       For 64-bit versions of Microsoft Office software and Lync 2013:

           For Office 2003: %ProgramFiles%\Microsoft Office\Office11\
           For Office 2007: %ProgramFiles%\Microsoft Office\Office12\
           For Office 2010: %ProgramFiles%\Microsoft Office\Office14\

    4. Click OK and exit EMET.

Lync 2010 application:

To add the Lync 2010 application to the list of applications using EMET 3.0,
perform the following steps:

    1. Click Start, All Programs, Enhanced Mitigation Experience Toolkit, and
       EMET 3.0.
    2. Click Yes on the UAC prompt, click Configure Apps, then select Add.
    3. Type the following entry:

       *\Microsoft Lync\communicator.exe

    4. Click OK and exit EMET.

Configure EMET 3.0 for affected software from a command line

Office applications and Lync 2013:

Opt in the following Office application executables to all EMET 3.0
mitigations:

    Word.exe, Excel.exe, PowerPoint.exe, InfoPath.exe, Outlook.exe,
    Publisher.exe, OneNote.exe, wordview.exe, Pptview.exe, Lync.exe

    1. Run the following from an elevated command prompt:

       For 32-bit versions of Microsoft Office software and Lync 2013:

       "C:\Program Files\EMET\EMET_Conf.exe" --set "*\Microsoft Office\Office1*\<Office application filename>.exe"

       OR

       "C:\Program Files (x86)\EMET\EMET_Conf.exe" --set "*\Microsoft Office\Office1*\<Office application filename>.exe"

       For 64-bit versions of Microsoft Office software and Lync 2013:

       "C:\Program Files\EMET\EMET_Conf.exe" --set "*\Microsoft Office\Office1*\<Office application filename>.exe"

    2. If you have completed this successfully, the following message appears:

       "The changes you have made may require restarting one or more applications"

Lync 2010 application:

    1. Run the following from an elevated command prompt:

       For 32-bit versions of Lync 2010:

       "C:\Program Files\EMET\EMET_Conf.exe" --set "*\Microsoft Lync\communicator.exe"

       OR

       "C:\Program Files (x86)\EMET\EMET_Conf.exe" --set "*\Microsoft Lync\communicator.exe"

       For 64-bit versions of Lync 2010:

       "C:\Program Files\EMET\EMET_Conf.exe" --set "*\Microsoft Lync\communicator.exe"

    2. If you have completed this successfully, the following message appears:

       "The changes you have made may require restarting one or more applications"

For more information regarding running EMET_Conf.exe, see the command line
help by running the following from a command prompt.

    On 32-bit systems:

    "C:\Program Files\EMET\EMET_Conf.exe" /?

    On 64-bit systems:

    "C:\Program Files (x86)\EMET\EMET_Conf.exe" /?

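The command-line opt-in above, for all the listed executables at once, as an added PowerShell example (not from the advisory or from EMET itself). It assumes EMET 3.0 is installed in one of the two folders the advisory names and relies only on the `--set` option and the success message quoted above; `Find-EmetConf`, `Add-EmetOfficeMitigations` and `-WhatIf` are names chosen for this example.

```powershell
# Added example, not from the advisory: opt the Office/Lync executables the
# advisory lists in to EMET 3.0 mitigations by calling EMET_Conf.exe --set.
$OfficeExes = 'Word.exe', 'Excel.exe', 'PowerPoint.exe', 'InfoPath.exe', 'Outlook.exe',
              'Publisher.exe', 'OneNote.exe', 'wordview.exe', 'Pptview.exe', 'Lync.exe'

function Find-EmetConf {
    # The advisory gives Program Files on 32-bit and Program Files (x86) on 64-bit Windows.
    foreach ($p in "$env:ProgramFiles\EMET\EMET_Conf.exe",
                   "${env:ProgramFiles(x86)}\EMET\EMET_Conf.exe") {
        if (Test-Path $p) { return $p }
    }
    throw 'EMET_Conf.exe not found; install EMET 3.0 before opting applications in.'
}

function Add-EmetOfficeMitigations {
    param([switch]$WhatIf)    # -WhatIf prints the commands instead of running them
    $emet = Find-EmetConf
    # Same wildcard pattern as the advisory: any Office11/12/14 folder under any root.
    $patterns = @($OfficeExes | ForEach-Object { "*\Microsoft Office\Office1*\$_" })
    $patterns += '*\Microsoft Lync\communicator.exe'        # Lync 2010
    foreach ($pat in $patterns) {
        if ($WhatIf) { Write-Output "Would run: `"$emet`" --set `"$pat`""; continue }
        $out = & $emet --set $pat 2>&1
        # The advisory documents this message as the success indicator.
        if ($out -match 'may require restarting') { Write-Output "Opted in: $pat" }
        else { Write-Warning "EMET_Conf did not confirm $pat. Output: $out" }
    }
}

# Usage (elevated prompt):  Add-EmetOfficeMitigations -WhatIf   # review first
#                           Add-EmetOfficeMitigations           # apply
```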
Configure EMET for affected software using Group Policy

EMET can be configured using Group Policy. For information about
configuring EMET using Group Policy, see the EMET User's Guide:

    For EMET 4.0:
        On 32-bit systems the EMET User's Guide is located in C:\Program Files\EMET 4.0\EMET User's Guide.pdf
        On 64-bit systems the EMET User's Guide is located in C:\Program Files (x86)\EMET 4.0\EMET User's Guide.pdf

    For EMET 3.0:
        On 32-bit systems the EMET User's Guide is located in C:\Program Files\EMET\EMET User's Guide.pdf
        On 64-bit systems the EMET User's Guide is located in C:\Program Files (x86)\EMET\EMET User's Guide.pdf

Note For more information about Group Policy, see Group Policy collection.

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

    Haifei Li of McAfee Labs IPS Team for reporting the Microsoft Graphics 
    Component Memory Corruption Vulnerability (CVE-2013-3906)

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================