CVE-2013-3906
Published: 06 November 2013
Summary
CVE-2013-3906 is a high-severity Code Injection (CWE-94) vulnerability in the GDI+ graphics component shipped with Microsoft Windows, Office and Lync. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).
Deeper analysis
GDI+ in Microsoft Windows Vista SP2 and Server 2008 SP2, along with Office 2003 SP3, 2007 SP3, 2010 SP1 and SP2, Office Compatibility Pack SP3, and multiple Lync 2010 and 2013 editions, contains a flaw in its TIFF image codec, tracked as CVE-2013-3906 and classified as code injection (CWE-94). The vulnerability permits remote attackers to execute arbitrary code when a victim opens a file that causes GDI+ to parse a malicious TIFF image, which may be embedded in a Word document or other Office file.
An attacker exploits the issue by supplying a crafted document whose embedded image triggers the flaw while GDI+ renders it. Successful exploitation lets the attacker run arbitrary code with the privileges of the logged-on user, compromising the confidentiality, integrity and availability of the affected system to the full extent of that user's rights.
Microsoft security bulletin MS13-096 and the preceding security advisory 2896666 direct administrators to apply the vendor-supplied updates for the listed products. Before the update shipped, the advisory offered a Fix It workaround that disables the GDI+ TIFF codec (the DisableTIFFCodec value under HKLM\SOFTWARE\Microsoft\Gdiplus); that setting can be reverted once the update is installed. Detection guidance and exploit analysis are also provided in Microsoft and McAfee technical blogs.
The vulnerability was exploited in the wild in targeted attacks during October and November 2013, before a patch was available, and public exploit code later appeared on Exploit-DB.
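The detection guidance referenced above centres on Office documents that carry a TIFF image. The following Python script is an added example for triaging such files offline; it is not taken from the Microsoft or McAfee write-ups or from any vendor tooling. It opens an OOXML package (.docx, .xlsx, .pptx) as a zip archive, identifies TIFF members by their header bytes rather than by file extension, and parses the first image file directory (IFD) so an analyst can see which tags the GDI+ codec would consume and whether the structure is already malformed. The document it builds in memory is constructed for the demonstration and contains only a benign 1x1 TIFF header, no exploit content.

```python
"""Triage an OOXML (docx/xlsx/pptx) package for embedded TIFF images.

CVE-2013-3906 fires when GDI+ parses a crafted TIFF, typically delivered
inside an Office document. Office stores embedded images as zip members
under */media/, and the member name's extension is not trustworthy, so
this scanner identifies TIFF by its magic bytes and then walks the first
IFD to expose the tags the codec will read.
"""
import io
import struct
import zipfile

TIFF_LE = b"II*\x00"   # little-endian TIFF magic
TIFF_BE = b"MM\x00*"   # big-endian TIFF magic


def is_tiff(data: bytes) -> bool:
    """True if the buffer starts with either TIFF byte-order header."""
    return data[:4] in (TIFF_LE, TIFF_BE)


def parse_first_ifd(data: bytes) -> dict:
    """Return {tag: (field_type, count, value_or_offset)} for the first IFD.

    Raises ValueError if the header or IFD is truncated or inconsistent;
    a malformed directory is itself worth reporting to the analyst.
    """
    if len(data) < 8 or not is_tiff(data):
        raise ValueError("not a TIFF header")
    endian = "<" if data[:2] == b"II" else ">"
    (ifd_off,) = struct.unpack_from(endian + "I", data, 4)
    if ifd_off + 2 > len(data):
        raise ValueError("IFD offset beyond end of file")
    (count,) = struct.unpack_from(endian + "H", data, ifd_off)
    entries = {}
    pos = ifd_off + 2
    for _ in range(count):
        if pos + 12 > len(data):
            raise ValueError("truncated IFD")
        tag, ftype, n, val = struct.unpack_from(endian + "HHII", data, pos)
        entries[tag] = (ftype, n, val)
        pos += 12
    return entries


def scan_ooxml(blob: bytes) -> list:
    """Return one finding per zip member whose contents are TIFF."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if not is_tiff(data):
                continue
            finding = {
                "member": name,
                # TIFF bytes behind a .jpeg/.png name is a cheap red flag
                "extension_mismatch": not name.lower().endswith((".tif", ".tiff")),
            }
            try:
                finding["ifd_tags"] = sorted(parse_first_ifd(data))
                finding["malformed"] = False
            except ValueError as exc:
                finding["malformed"] = True
                finding["error"] = str(exc)
            findings.append(finding)
    return findings


def build_sample_tiff() -> bytes:
    """Constructed, benign 1x1 TIFF header (ImageWidth/ImageLength only)."""
    ifd = struct.pack("<H", 2)
    ifd += struct.pack("<HHII", 256, 3, 1, 1)   # tag 256 ImageWidth, SHORT, 1
    ifd += struct.pack("<HHII", 257, 3, 1, 1)   # tag 257 ImageLength, SHORT, 1
    ifd += struct.pack("<I", 0)                 # no next IFD
    return TIFF_LE + struct.pack("<I", 8) + ifd


def build_sample_docx() -> bytes:
    """Constructed minimal OOXML package with a TIFF hidden under a .jpeg name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.jpeg", build_sample_tiff())
        zf.writestr("word/media/image2.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Replace build_sample_docx() with open(path, "rb").read() for a real file.
    for finding in scan_ooxml(build_sample_docx()):
        print(finding)
```

A TIFF stored under a .jpeg or .png member name is not proof of exploitation on its own, but it is a cheap indicator to hunt for across a mail archive, and the IFD dump gives the analyst the fields to compare against a sample known to trigger the GDI+ bug.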
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2013-3838
Vulnerability details
GDI+ in Microsoft Windows Vista SP2 and Server 2008 SP2; Office 2003 SP3, 2007 SP3, and 2010 SP1 and SP2; Office Compatibility Pack SP3; and Lync 2010, 2010 Attendee, 2013, and Basic 2013 allows remote attackers to execute arbitrary code via a crafted TIFF image, as demonstrated by an image in a Word document, and exploited in the wild in October and November 2013.
- CWE(s): CWE-94 (Code Injection)
- KEV Date Added: 15 February 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires applying the vendor patch (MS13-096) that eliminates the GDI+ TIFF parsing flaw before any malicious image can be processed.
- AC-6 (Least Privilege): Limits the impact of successful exploitation by ensuring the current user account has only the minimum privileges needed, reducing the blast radius of arbitrary code execution.
- SI-3 (Malicious Code Protection): Malicious-code protection mechanisms can block or alert on known exploit documents and on post-exploitation behavior associated with this TIFF-based remote code execution.