-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2013-0089
Title: Microsoft Security Advisory [1]
Version history:
06.11.2013 Initial publication

Summary
================

Microsoft is investigating private reports of a vulnerability in the Microsoft Graphics component that affects Microsoft Windows, Microsoft Office, and Microsoft Lync. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability in Microsoft Office products.

The vulnerability is a remote code execution vulnerability that exists in the way affected components handle specially crafted TIFF images. An attacker could exploit this vulnerability by convincing a user to preview or open a specially crafted email message, open a specially crafted file, or browse specially crafted web content. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Mitigating Factors:

An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit this vulnerability and then convince a user to view the website. An attacker would have no way to force users to view the attacker-controlled content.
Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email.

CVE number: CVE-2013-3906

Vulnerable systems
================

Windows Operating System:
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

Microsoft Office Suites and Software:
Microsoft Office 2003 Service Pack 3
Microsoft Office 2007 Service Pack 3
Microsoft Office 2010 Service Pack 1 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 1 (64-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office Compatibility Pack Service Pack 3

Microsoft Communication Platforms and Software:
Microsoft Lync 2010 (32-bit)
Microsoft Lync 2010 (64-bit)
Microsoft Lync 2010 Attendee
Microsoft Lync 2013 (32-bit)
Microsoft Lync Basic 2013 (32-bit)
Microsoft Lync 2013 (64-bit)
Microsoft Lync Basic 2013 (64-bit)

What can you do?
================

There is no patch available yet. A workaround is provided in the meantime; see [1] for the detailed description:

- Disable the TIFF codec
- Deploy the Enhanced Mitigation Experience Toolkit

What to tell your users?
================

Normal security best practices apply. In particular, inform your web users to be cautious about files or links to sites that are provided by unfamiliar or suspicious sources.
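Files from unfamiliar sources that are reported to the security team can be triaged for the file type this advisory concerns. The following Python script is an added example, not part of the CERT-EU advisory or of Microsoft's guidance: it looks inside an attachment (including the zip container of Office Open XML documents) for embedded TIFF images and checks whether each TIFF header's first image file directory (IFD) actually lies within the file. The sample document it scans is constructed inside the script, and the names `scan_attachment`, `tiff_header_issues` and `build_sample_docx` are the example's own. It reports the presence and basic structural consistency of TIFF data only; it does not detect the vulnerability itself.

```python
"""Triage helper: find embedded TIFF images in e-mail attachments.

Constructed example; not part of the CERT-EU advisory or Microsoft's guidance.
"""
import io
import struct
import zipfile

# TIFF byte-order mark -> struct endianness prefix
TIFF_MAGICS = {b"II*\x00": "<", b"MM\x00*": ">"}

# Office Open XML containers are zip files; their members are inspected one by one
OOXML_EXTS = (".docx", ".docm", ".dotx", ".xlsx", ".xlsm", ".pptx", ".pptm")


def tiff_header_issues(data: bytes) -> list:
    """Return structural oddities found in a TIFF header (empty list if none).

    Only the 8-byte header and the location/size of the first IFD are checked:
    a plausibility test for triage, not a parser for the vulnerability.
    """
    order = TIFF_MAGICS.get(data[:4])
    if order is None:
        return ["not a TIFF"]
    if len(data) < 8:
        return ["truncated header"]
    (ifd_offset,) = struct.unpack(order + "I", data[4:8])
    if ifd_offset < 8 or ifd_offset + 2 > len(data):
        return [f"first IFD offset {ifd_offset} outside file ({len(data)} bytes)"]
    (entries,) = struct.unpack(order + "H", data[ifd_offset:ifd_offset + 2])
    issues = []
    if entries == 0:
        issues.append("IFD declares zero entries")
    # each IFD entry is 12 bytes, followed by a 4-byte pointer to the next IFD
    if ifd_offset + 2 + entries * 12 + 4 > len(data):
        issues.append(f"IFD declares {entries} entries but file is too short")
    return issues


def scan_attachment(name: str, data: bytes) -> list:
    """Report every TIFF found in an attachment as (location, issues) tuples."""
    findings = []
    if name.lower().endswith(OOXML_EXTS) or data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.infolist():
                    body = zf.read(member)
                    if body[:4] in TIFF_MAGICS:
                        findings.append((f"{name}:{member.filename}",
                                         tiff_header_issues(body)))
        except zipfile.BadZipFile:
            pass  # not a usable container; fall through to the raw check
    if data[:4] in TIFF_MAGICS:
        findings.append((name, tiff_header_issues(data)))
    return findings


def _minimal_tiff(order: str, ifd_offset: int = 8) -> bytes:
    """Constructed TIFF with a single IFD entry (ImageWidth, type LONG, value 1)."""
    magic = b"II*\x00" if order == "<" else b"MM\x00*"
    header = magic + struct.pack(order + "I", ifd_offset)
    ifd = struct.pack(order + "H", 1)                  # one directory entry
    ifd += struct.pack(order + "HHII", 256, 4, 1, 1)   # tag 256 ImageWidth = 1
    ifd += struct.pack(order + "I", 0)                 # no further IFD
    return header + ifd


def build_sample_docx() -> bytes:
    """Constructed OOXML container holding two TIFFs, one with an IFD offset past EOF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/media/image1.tiff", _minimal_tiff("<"))
        zf.writestr("word/media/image2.tiff", _minimal_tiff(">", ifd_offset=0x10000))
    return buf.getvalue()


if __name__ == "__main__":
    for location, issues in scan_attachment("report.docx", build_sample_docx()):
        print(location, "->", issues or ["header consistent"])
```

A hit only tells the analyst that the attachment carries the image type named in the advisory and whether its header is self-consistent; whether to open it is still decided by the usual handling rules, and the check complements rather than replaces the TIFF codec workaround in [1].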
Users should be aware not to open suspicious files or click on links in suspicious emails, and to immediately forward any suspicious email to the respective IT security officer / contact in your institution.

More information
================

[1] http://technet.microsoft.com/en-us/security/advisory/2896666
[2] http://web.nvd.nist.gov/

Best regards,

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBAgAGBQJSeiPNAAoJEPpzpNLI8SVoK+sP/2TtEuOKfv1We/jLvtV2PDmv
qwWr0ym5/3iLKtZ3Yserw9+jEp9MaA7w8ZXWqpE2VtmHR+YyO27Wqf4K08dC7Xt2
CLmuk8D24Wng1/w1OvdLkdbaMe/4/QVBij5mNDWG3IUNFIeqqYXvaS79Wk5C6Qpn
aNvhPpFfdPdf0Ec8V1Z7Uu+QdD5GPb/gBJgluafTxznTcyk1xqSI7Eve6W6c1ubU
MnA2D9khB+gG/pDcBDF1ThPhrH/sladBzEjR+YayOMgqw6s101Ss+YL6H352VODg
P/Nwti6QbP56FZviOniFUpHwI+hBl9JjAKy9lUw26aSPUvWv3XCCDDNgCj1nw3H9
kxIGXuE4/t8lzT1jh15UYfL0ifoGnBN+AHhT3tye/9PBiSV4FamW4LSfRshqyL22
YTYfE4wcyaFVrig+rPvt+4V4R20kw/bM/JINHaMo8ceQFSQJvW2ZkKzj0gxqju+S
bDTf1HPp+l8NQem6s+nnD/UzsqYKuUkezi/YRfjlHAmE1ADY2dIez+Rn0LIcBANv
ZSz9kVA21VapRp51afjMCly7ZXZeqBZhewier4TuL9tQSevu7vBILI2TY9YqN1mL
x+2y9GVVUnzi9JgswK3pFi9bGe0DMTmgNKOoyX9JPjLgE+bX2MT6umDPn5UKY8ma
70aRbakKOZE0HO4j+DBR
=0ldN
-----END PGP SIGNATURE-----