Cyber Resilience

CVE-2013-3906

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 06 November 2013

Modified: 22 April 2026
KEV Added: 15 February 2022
Patch: available
CVSS Score (v3.1): 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.9245 (99.7th percentile)
Risk Priority: 91 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2013-3906 is a high-severity Code Injection (CWE-94) vulnerability in Microsoft Office. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).

Deeper analysis

GDI+ in Microsoft Windows Vista SP2 and Server 2008 SP2, along with Office 2003 SP3, 2007 SP3, 2010 SP1 and SP2, Office Compatibility Pack SP3, and multiple Lync 2010 and 2013 editions, contains a code injection flaw tracked as CVE-2013-3906. The vulnerability permits remote attackers to execute arbitrary code when a victim processes a malicious TIFF image, which may be embedded in a Word document or other Office file.

An attacker can exploit the issue by supplying a crafted document that triggers the flaw while GDI+ renders the embedded image. Successful exploitation lets the attacker run arbitrary code with the privileges of the current user, fully compromising confidentiality, integrity, and availability on the affected system.

Microsoft security bulletins, including MS13-096, and the associated advisory 2896666 direct administrators to apply the vendor-supplied patches for the listed products. Detection guidance and exploit analysis are also provided in Microsoft and McAfee technical blogs.

The vulnerability was actively exploited in the wild during October and November 2013, with public exploit code later appearing on Exploit-DB.


Vulnerability details

GDI+ in Microsoft Windows Vista SP2 and Server 2008 SP2; Office 2003 SP3, 2007 SP3, and 2010 SP1 and SP2; Office Compatibility Pack SP3; and Lync 2010, 2010 Attendee, 2013, and Basic 2013 allows remote attackers to execute arbitrary code via a crafted TIFF image, as demonstrated by an image in a Word document, and exploited in the wild in October and November 2013.

CWE(s): CWE-94 (Code Injection)
KEV Date Added: 15 February 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets (vendor: product, versions)

Microsoft: Excel Viewer, all versions
Microsoft: Lync, 2010 and 2013
Microsoft: Office, 2003, 2007 and 2010
Microsoft: Office Compatibility Pack, all versions
Microsoft: PowerPoint Viewer, 2010
Microsoft: Word Viewer, all versions
Microsoft: Windows Server 2008, all versions
Microsoft: Windows Vista, all versions

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly requires applying the vendor patch (MS13-096) that eliminates the GDI+ TIFF parsing flaw before any malicious image can be processed.

AC-6 Least Privilege (prevent): Limits the impact of successful exploitation by ensuring the current user account has only the minimum privileges needed, reducing the blast radius of arbitrary code execution.

Malicious-code protection (prevent, detect): Malicious-code protection mechanisms can block or alert on known exploit documents and on post-exploitation behavior associated with this TIFF-based remote code execution.

References