On November 5, Microsoft posted Security Advisory 2896666. This vulnerability, discovered by Haifei Li of McAfee Labs, affects multiple versions of Microsoft Office, Windows, and Lync. Successful exploitation could result in the ability to execute arbitrary code on a vulnerable host (a remote code execution vulnerability).
The issue (an integer overflow) lies in the handling of maliciously crafted TIFF files. A remote attacker can potentially exploit this flaw through a specially designed email message, distribution of a malicious binary, or a maliciously crafted web page. Successful exploitation gives the attacker the same user rights as the current user.
Our blog post (McAfee Labs Detects Zero-Day Exploit Targeting Microsoft Office) describes the issue in further detail:
McAfee Product Coverage/Mitigation
- McAfee VirusScan (Updated Nov 5)
  - MD5: 97bcb5031d28f55f20e6f3637270751d (Payload) – BackDoor-FBKI!920FEFDC36DA
  - MD5: cb28d93d9eb3c38058a24ad3b05ec3eb (Payload) – Generic Backdoor.u
  - MD5: 5ba7ed3956f76df0e12b8ae7985aa171 (Payload) – Artemis!5BA7ED3956F7
  - MD5: 5a95ca7da496d8bd22b779c4e6f41df9 (Payload) – Generic Backdoor.u
  - MD5: b44359628d7b03b68b41b14536314083 (Office Document) – Exploit-CVE2013-3906
  - MD5: 1FD4F3F063D641F84C5776C2C15E4621 (Office Document) – Exploit-CVE2013-3906
- McAfee Network Security Platform (Updated Nov 5)
  - UDS-ShantiMalwareDetected
- McAfee Vulnerability Manager (Updated Nov 5)
  - MVM / FSL Check to release 11/5/2013
General Indicators:
MD5 hash list:
- b44359628d7b03b68b41b14536314083
- 97bcb5031d28f55f20e6f3637270751d
- cb28d93d9eb3c38058a24ad3b05ec3eb
- 1FD4F3F063D641F84C5776C2C15E4621
- 5ba7ed3956f76df0e12b8ae7985aa171
- 5a95ca7da496d8bd22b779c4e6f41df9
- fd75a23d8b3345e550c4a9bbc6dd2a0e
- 4e878b13459f652a99168aad2dce7c9a
- 6a57cda67939806359a03a86fd0eabc2
- 1510821831c6e2bcbffba909bb48a437
- 654f558cf824e98dde09b197dbdfd407
- 0d51296e5c74a22339ec8b7e318f274a
- 701a6063458120943a6d3a4eb4440373
- 4f73248a2641a5bc1a14bda3ef11f454 (Embedded)
- 6cad22128a105c455bd4a5152272239d (Embedded)
- 7523a56ea1526fa027735e09bffff00e (Embedded)
- abc311f99a72002457f28fe26bd2e59d (Embedded)
- c035acd1c10d8b17773d23be4059754f (Embedded)
- e6fa16d2e808103ab9bec5676146520b (Embedded)
Network:
- hxxp://myflatnet[.]com
- 31[.]210[.]96[.]213
- HTTP query: hxxp://myflatnet[.]com[:]80 GET /ralph_3/winword.exe
- HTTP query: hxxp://myflatnet[.]com[:]80 GET /new_red/winword.exe
- HTTP query: hxxp://myflatnet[.]com[:]80 GET /bruce_3/winword.exe
- HTTP query: hxxp://myflatnet[.]com[:]80 GET /blue/winword.exe
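The following script is an added example of how a defender might consume the indicators above; it is not McAfee's tooling and not part of the advisory. It hashes files against the advisory's MD5 list and scans proxy log lines for the published host and IP, refanging the defanged indicators only at match time. It goes one step beyond the advisory by also flagging any download of a file named `winword.exe` from any host, since that is the payload name used in every listed HTTP query. The log line format, the hypothetical hosts `updates.example.net` and `files.example.org`, and the sample log lines are constructed for the demonstration.

```python
import hashlib
import re
from pathlib import Path

# Added example (not the advisory's own tooling): match files and proxy log lines
# against the indicators published in the McAfee advisory above.

# MD5 hashes from the advisory's "General Indicators" list, normalised to lowercase
# so that mixed-case entries such as 1FD4F3F0... still match hashlib's output.
KNOWN_BAD_MD5 = {h.lower() for h in [
    "b44359628d7b03b68b41b14536314083", "97bcb5031d28f55f20e6f3637270751d",
    "cb28d93d9eb3c38058a24ad3b05ec3eb", "1FD4F3F063D641F84C5776C2C15E4621",
    "5ba7ed3956f76df0e12b8ae7985aa171", "5a95ca7da496d8bd22b779c4e6f41df9",
    "fd75a23d8b3345e550c4a9bbc6dd2a0e", "4e878b13459f652a99168aad2dce7c9a",
    "6a57cda67939806359a03a86fd0eabc2", "1510821831c6e2bcbffba909bb48a437",
    "654f558cf824e98dde09b197dbdfd407", "0d51296e5c74a22339ec8b7e318f274a",
    "701a6063458120943a6d3a4eb4440373", "4f73248a2641a5bc1a14bda3ef11f454",
    "6cad22128a105c455bd4a5152272239d", "7523a56ea1526fa027735e09bffff00e",
    "abc311f99a72002457f28fe26bd2e59d", "c035acd1c10d8b17773d23be4059754f",
    "e6fa16d2e808103ab9bec5676146520b",
]}

# Network indicators from the advisory, stored defanged and refanged only for matching.
DEFANGED_HOSTS = ["myflatnet[.]com", "31[.]210[.]96[.]213"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, [.], [:]) back into its matchable form."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


BAD_HOSTS = {refang(h) for h in DEFANGED_HOSTS}


def md5_of_file(path: Path) -> str:
    """Hash a file in chunks so large documents do not have to fit in memory."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_files(paths):
    """Return (path, md5) for every file whose MD5 is on the advisory's list."""
    hits = []
    for p in paths:
        h = md5_of_file(Path(p))
        if h in KNOWN_BAD_MD5:
            hits.append((str(p), h))
    return hits


# Assumed proxy log layout for this example: "<date> <time> <client> <method> <url> <status>".
LOG_RE = re.compile(r"^\S+ \S+ (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/\S*)?$")


def scan_proxy_log(lines):
    """Flag requests to an indicator host, and any fetch of a file named winword.exe
    (the payload name in the advisory's HTTP queries) regardless of host."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a production tool would count and report these
        u = URL_RE.match(m["url"])
        if not u:
            continue
        host, path = u["host"].lower(), (u["path"] or "/")
        reasons = []
        if host in BAD_HOSTS:
            reasons.append("indicator host")
        if path.lower().endswith("/winword.exe"):
            reasons.append("winword.exe download")
        if reasons:
            hits.append((lineno, m["client"], host, path, reasons))
    return hits


# Constructed sample log lines for the demonstration; not real traffic.
SAMPLE_PROXY_LOG = [
    "2013-11-05 10:12:01 10.0.0.15 GET http://myflatnet.com:80/ralph_3/winword.exe 200",
    "2013-11-05 10:12:07 10.0.0.15 GET http://updates.example.net/patch.msi 200",
    "2013-11-05 10:13:44 10.0.0.22 GET http://31.210.96.213/new_red/winword.exe 200",
    "2013-11-05 10:14:02 10.0.0.31 GET http://files.example.org/tools/winword.exe 404",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

The third sample line matches only on the file name, which is why it is worth reporting the reason alongside each hit: a hash or host match is high confidence, while a file-name match is a lead to triage. Matching on the full URL path (`/ralph_3/winword.exe` and the others above) would be stricter but misses the same payload served from a new directory, which the advisory's four distinct paths suggest the operators rotate.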