Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution

Number: AL13-006
Date: 6 November 2013

Purpose

The purpose of this alert is to raise awareness of a reported vulnerability in the Microsoft Graphics component.

Assessment

CCIRC is aware of reports of a remote code execution vulnerability in some Microsoft products that affects the way components handle specially crafted TIFF images.

An attacker could exploit this vulnerability by convincing a user to preview or open a specially crafted email message, a specially crafted file, or browse specially crafted web content. By successfully doing so, an attacker could possibly gain the same user rights as the current user. The severity of the situation ranges from attackers gaining access to user accounts with few rights to those accounts that operate with full administrative rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit this vulnerability. With no way to force the user to visit the site, the attacker would need to influence the user to visit the website by clicking on a link in an email message or Instant Messenger message or by opening an attachment.

With assistance from partners  in the Microsoft Active Protections Program (MAPP),  Microsoft is actively working to pass on information that they can use to provide extensive protection for its customers.

Upon completion of this investigation, Microsoft will take the appropriate action to help its customers. This may include the release of a security update through its monthly release process or providing an out-of-cycle security update, depending on customer needs.

Affected Products:
Microsoft Windows Operating Systems:

Windows Vista Service Pack 2 (and similar versions)
Windows Server 2008 for 32-bit Systems Service Pack 2 (and similar versions)

Microsoft Office Suites and Software:

Microsoft Office 2003 Service Pack 3
Microsoft Office 2007 Service Pack 3
Microsoft Office 2010 (all versions, Service Pack 2 and below)
Microsoft Office Compatibility Pack Service Pack 3

Microsoft Communication Platforms and Software:

Microsoft Lync 2010 (and similar versions)
Microsoft Lync 2013 (and similar versions)

Microsoft Security Advisory: 2896666
Microsoft Knowledge Base Article: CVE-2013-3906

Suggested action

CCIRC is recommending that system administrators review Microsoft's Security Advisory 2896666 for an overview of the issue, details on affected components, suggested actions, frequently asked questions (FAQ) and links to additional resources.

References:

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note, CCIRC PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca

Date modified: