-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2013.1582
Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution
6 November 2013

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Windows Vista Service Pack 2
                   Windows Vista x64 Edition Service Pack 2
                   Windows Server 2008 for 32-bit Systems Service Pack 2
                   Windows Server 2008 for x64-based Systems Service Pack 2
                   Windows Server 2008 for Itanium-based Systems Service Pack 2
                   Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
                   Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
                   Microsoft Office 2003 Service Pack 3
                   Microsoft Office 2007 Service Pack 3
                   Microsoft Office 2010 Service Pack 1 (32-bit editions)
                   Microsoft Office 2010 Service Pack 2 (32-bit editions)
                   Microsoft Office 2010 Service Pack 1 (64-bit editions)
                   Microsoft Office 2010 Service Pack 2 (64-bit editions)
                   Microsoft Office Compatibility Pack Service Pack 3
                   Microsoft Lync 2010 (32-bit)
                   Microsoft Lync 2010 (64-bit)
                   Microsoft Lync 2010 Attendee
                   Microsoft Lync 2013 (32-bit)
                   Microsoft Lync Basic 2013 (32-bit)
                   Microsoft Lync 2013 (64-bit)
                   Microsoft Lync Basic 2013 (64-bit)
Publisher:         Microsoft
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Mitigation
CVE Names:         CVE-2013-3906

Original Bulletin:
   http://technet.microsoft.com/en-us/security/advisory/2896666

Comment: In the wild targeted attacks are exploiting this vulnerability.
         Microsoft has currently only provided mitigations to solve this
         issue.

- --------------------------BEGIN INCLUDED TEXT--------------------

Microsoft Security Advisory (2896666)

Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution

Published: Tuesday, November 05, 2013

Version: 1.0

General Information

Executive Summary

Microsoft is investigating private reports of a vulnerability in the
Microsoft Graphics component that affects Microsoft Windows, Microsoft
Office, and Microsoft Lync. Microsoft is aware of targeted attacks that
attempt to exploit this vulnerability in Microsoft Office products.

The vulnerability is a remote code execution vulnerability that exists in
the way affected components handle specially crafted TIFF images. An
attacker could exploit this vulnerability by convincing a user to preview
or open a specially crafted email message, open a specially crafted file,
or browse specially crafted web content. An attacker who successfully
exploited the vulnerability could gain the same user rights as the current
user. Users whose accounts are configured to have fewer user rights on the
system could be less impacted than users who operate with administrative
user rights.

Affected Software

   Windows Vista Service Pack 2
   Windows Vista x64 Edition Service Pack 2
   Windows Server 2008 for 32-bit Systems Service Pack 2
   Windows Server 2008 for x64-based Systems Service Pack 2
   Windows Server 2008 for Itanium-based Systems Service Pack 2
   Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
   Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
   Microsoft Office 2003 Service Pack 3
   Microsoft Office 2007 Service Pack 3
   Microsoft Office 2010 Service Pack 1 (32-bit editions)
   Microsoft Office 2010 Service Pack 2 (32-bit editions)
   Microsoft Office 2010 Service Pack 1 (64-bit editions)
   Microsoft Office 2010 Service Pack 2 (64-bit editions)
   Microsoft Office Compatibility Pack Service Pack 3
   Microsoft Lync 2010 (32-bit)
   Microsoft Lync 2010 (64-bit)
   Microsoft Lync 2010 Attendee
   Microsoft Lync 2013 (32-bit)
   Microsoft Lync Basic 2013 (32-bit)
   Microsoft Lync 2013 (64-bit)
   Microsoft Lync Basic 2013 (64-bit)

Suggested Actions

Apply Workarounds

Workarounds refer to a setting or configuration change that does not
correct the underlying issue but would help block known attack vectors
before a security update is available. See the next section, Workarounds,
for more information.

Workarounds

Disable the TIFF codec

Note See Microsoft Knowledge Base Article 2896666 to use the automated
Microsoft Fix it solution to enable or disable this workaround.

You can prevent TIFF files from being displayed by modifying the registry
to control the parsing of the TIFF codec. By changing the registry
entries, you can control which images are parsed and rendered and which
images are rejected in GDI+. For example, you can select to parse and
render Joint Photographic Experts Group (JPEG) images, but block Tagged
Image File Format (TIFF) images.

Warning: If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system.
Microsoft cannot guarantee that you can solve problems that result from
using Registry Editor incorrectly. Use Registry Editor at your own risk.

Note After you change a registry entry, you must restart the application
that uses the codec.

To disable the TIFF codec:

   1. To add a registry entry, create the following registry subkey:

         HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Gdiplus

   2. Create a DWORD value for the TIFF codec by creating a registry entry
      (DWORD value) under the registry subkey you created in step 1:

         DisableTIFFCodec

   3. To disable the TIFF codec, set the value of the DisableTIFFCodec
      registry entry to 1.

Impact of Workaround. You will not be able to view TIFF files.

How to undo the workaround

To re-enable the TIFF codec, set the value of the DisableTIFFCodec
registry entry to 0.

Deploy the Enhanced Mitigation Experience Toolkit

The Enhanced Mitigation Experience Toolkit (EMET) helps mitigate the
exploitation of this vulnerability by adding additional protection layers
that make the vulnerability harder to exploit. EMET 4.0 is officially
supported by Microsoft. At this time, EMET is only available in the
English language. For more information, see Microsoft Knowledge Base
Article 2458544.

For more information about configuring EMET, see the EMET User's Guide:

   On 32-bit systems the EMET User's Guide is located in
   C:\Program Files\EMET\EMET User's Guide.pdf

   On 64-bit systems the EMET User's Guide is located in
   C:\Program Files (x86)\EMET\EMET User's Guide.pdf

Configure EMET 4.0 for affected software

EMET 4.0, in the recommended configuration, is automatically configured to
help protect the affected software installed on your system. No additional
steps are required.

Configure EMET 3.0 for affected software from the EMET user interface

Office applications:

To add an Office application to the list of applications using EMET 3.0,
perform the following steps.
You need to perform these steps for each of the following Office
application executables: Word.exe, Excel.exe, PowerPoint.exe,
InfoPath.exe, Outlook.exe, Publisher.exe, OneNote.exe, wordview.exe,
Pptview.exe, Lync.exe

   1. Click Start, All Programs, Enhanced Mitigation Experience Toolkit,
      and EMET 3.0.

   2. Click Yes on the UAC prompt, click Configure Apps, then select Add.

   3. Select and add the above mentioned executables into EMET
      configuration from Office installation folder:

      For 32-bit versions of Microsoft Office software and Lync 2013:

         For Office 2003  %ProgramFiles(x86)%\Microsoft Office\Office11\
         For Office 2007  %ProgramFiles(x86)%\Microsoft Office\Office12\
         For Office 2010  %ProgramFiles(x86)%\Microsoft Office\Office14\

         OR

         For Office 2003  %ProgramFiles%\Microsoft Office\Office11\
         For Office 2007  %ProgramFiles%\Microsoft Office\Office12\
         For Office 2010  %ProgramFiles%\Microsoft Office\Office14\

      For 64-bit versions of Microsoft Office software and Lync 2013:

         For Office 2003  %ProgramFiles%\Microsoft Office\Office11\
         For Office 2007  %ProgramFiles%\Microsoft Office\Office12\
         For Office 2010  %ProgramFiles%\Microsoft Office\Office14\

   4. Click OK and exit EMET.

Lync 2010 application:

To add the Lync 2010 application to the list of applications using EMET
3.0, perform the following steps:

   1. Click Start, All Programs, Enhanced Mitigation Experience Toolkit,
      and EMET 3.0.

   2. Click Yes on the UAC prompt, click Configure Apps, then select Add.

   3. Type the following entry:

         *\Microsoft Lync\communicator.exe

   4. Click OK and exit EMET.

Configure EMET 3.0 for affected software from a command line

Office applications and Lync 2013:

Opt in the following Office application executables to all EMET 3.0
mitigations: Word.exe, Excel.exe, PowerPoint.exe, InfoPath.exe,
Outlook.exe, Publisher.exe, OneNote.exe, wordview.exe, Pptview.exe,
Lync.exe

Run the following from an elevated command prompt:

   For 32-bit versions of Microsoft Office software and Lync 2013:

      "C:\Program Files\EMET\EMET_Conf.exe" --set "*\Microsoft Office\Office1*\<Office application filename>.exe"

      OR

      "C:\Program Files (x86)\EMET\EMET_Conf.exe" --set "*\Microsoft Office\Office1*\<Office application filename>.exe"

   For 64-bit versions of Microsoft Office software and Lync 2013:

      "C:\Program Files\EMET\EMET_Conf.exe" --set "*\Microsoft Office\Office1*\<Office application filename>.exe"

If you have completed this successfully, the following message appears:

   "The changes you have made may require restarting one or more applications"

Lync 2010 application:

Run the following from an elevated command prompt:

   For 32-bit versions of Lync 2010:

      "C:\Program Files\EMET\EMET_Conf.exe" --set "*\Microsoft Lync\communicator.exe"

      OR

      "C:\Program Files (x86)\EMET\EMET_Conf.exe" --set "*\Microsoft Lync\communicator.exe"

   For 64-bit versions of Lync 2010:

      "C:\Program Files\EMET\EMET_Conf.exe" --set "*\Microsoft Lync\communicator.exe"

If you have completed this successfully, the following message appears:

   "The changes you have made may require restarting one or more applications"

For more information regarding running EMET_Conf.exe, see the command line
help by running the following from a command prompt.

   On 32-bit systems:

      "C:\Program Files\EMET\EMET_Conf.exe" /?

   On 64-bit systems:

      "C:\Program Files (x86)\EMET\EMET_Conf.exe" /?

Configure EMET for affected software using Group Policy

EMET can be configured using Group Policy.
For information about configuring EMET using Group Policy, see the EMET
User's Guide:

   For EMET 4.0:

      On 32-bit systems the EMET User's Guide is located in
      C:\Program Files\EMET 4.0\EMET User's Guide.pdf

      On 64-bit systems the EMET User's Guide is located in
      C:\Program Files (x86)\EMET 4.0\EMET User's Guide.pdf

   For EMET 3.0:

      On 32-bit systems the EMET User's Guide is located in
      C:\Program Files\EMET\EMET User's Guide.pdf

      On 64-bit systems the EMET User's Guide is located in
      C:\Program Files (x86)\EMET\EMET User's Guide.pdf

Note For more information about Group Policy, see Group Policy collection.

Acknowledgments

Microsoft thanks the following for working with us to help protect
customers:

   Haifei Li of McAfee Labs IPS Team for reporting the Microsoft Graphics
   Component Memory Corruption Vulnerability (CVE-2013-3906)

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.
It may not be updated when updates to the original are made. If
downloading at a later date, it is recommended that the bulletin is
retrieved directly from the author's website to ensure that the
information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----
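
The "Disable the TIFF codec" workaround from the advisory above, as an added PowerShell example that is not part of the Microsoft advisory or the AusCERT bulletin: it audits, applies or undoes the DisableTIFFCodec setting so the state can be checked across many hosts. The subkey and value name are the advisory's; the -Mode parameter and the function names are assumptions made for this example.

```powershell
# Added example: audit, apply or undo the advisory's DisableTIFFCodec workaround.
# Run from an elevated PowerShell prompt. -Mode and the function names are
# hypothetical; the registry subkey and value name come from the advisory.
param(
    [ValidateSet('Audit', 'Disable', 'Enable')]
    [string]$Mode = 'Audit'
)

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Gdiplus'
$ValueName = 'DisableTIFFCodec'

function Get-TiffCodecState {
    # 'Disabled' only when the value exists and equals 1; a missing subkey,
    # a missing value or 0 all mean the codec is still active.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$ValueName -eq 1) { 'Disabled' } else { 'Enabled' }
}

function Set-TiffCodecValue([int]$Value) {
    # Step 1: create the Gdiplus subkey if it does not exist yet.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # Steps 2 and 3: create the DWORD value and set it (1 = blocked, 0 = allowed).
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $Value -Force | Out-Null
}

$before = Get-TiffCodecState
switch ($Mode) {
    'Disable' { Set-TiffCodecValue 1 }   # apply the workaround
    'Enable'  { Set-TiffCodecValue 0 }   # undo the workaround
}
$after = Get-TiffCodecState

# One object per host, suitable for collecting with remoting or a deployment tool.
[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    Mode            = $Mode
    StateBefore     = $before
    StateAfter      = $after
    # Per the advisory, applications using the codec must be restarted after a change.
    RestartRequired = ($before -ne $after)
}
```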