Microsoft announced yesterday that an unpatched vulnerability is being exploited in targeted attacks in certain countries. The exploit takes advantage of a previously unknown vulnerability affecting Microsoft Office 2003, 2007 and 2010, as well as Windows XP and Windows Server 2003.
The vulnerability (CVE-2013-3906) stems from how older versions of the Office and Windows graphics components parse TIFF images. The attacks seen so far embed a malicious TIFF image inside a DOC file. Using social engineering, an attacker persuades the user to open the attachment from an email or to visit a website hosting the exploit; once the crafted image is rendered, the attacker gains the same privileges as the logged-in user. Accounts configured with limited rights are therefore less exposed than those that run with administrative rights.
There are two important points to consider. First, this zero-day attack was initially seen in specific regions, particularly the Middle East and South Asia, but it is only a matter of time before it reaches other countries. Users and organizations should understand the basics of social engineering and how threat actors incorporate it into their attacks. Organizations can always benefit from a well-conceived employee social engineering training program that includes "social" penetration testing. For more information on how companies can protect their infrastructure from targeted attacks, you may refer here.
Second, only older versions of the software are affected by this threat. This is not the first time that older software versions have been targeted; the Java 6 zero-day incident last August is a recent example. Fortunately, in this case patches will still be made available, but relying on aging software remains a risk in the long run. Users and system administrators should weigh the security benefits of keeping their software up to date.
Microsoft has released a Fix it tool as a temporary workaround until a patch is available. Trend Micro Deep Security also protects users from this threat via the following rules:
- 1005764 – Microsoft Graphics Component Remote Code Execution Vulnerability (CVE-2013-3906)
- 1005765 – Identified Microsoft Office File With Embedded TIFF File
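The attack vector described above (a TIFF image embedded in an Office document) and rule 1005765 both come down to the same question: does this Office file carry a TIFF at all? The script below is an added example written for this post, not Trend Micro code and not the Deep Security rule's logic. It carves TIFF candidates out of a legacy .doc (OLE compound file) or an OOXML .docx (zip container) by matching the two TIFF byte-order signatures and then validating each candidate by parsing its first IFD, which keeps random "II*\0" byte runs from producing false positives. The OLE and OOXML sample files it scans are constructed in the script itself and are not real samples from the attack.

```python
import io
import struct
import zipfile

# Container and image signatures (public format constants, not attack indicators).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File header (legacy .doc)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx) zip container
TIFF_MAGICS = {b"II*\x00": "<", b"MM\x00*": ">"}   # little- and big-endian TIFF headers


def parse_tiff_header(data, offset):
    """Validate a TIFF candidate at `offset` by parsing its first IFD.

    Returns a dict (byte order, IFD offset, entry count, tag list) or None when
    the bytes are not a structurally plausible TIFF."""
    order = TIFF_MAGICS.get(data[offset:offset + 4])
    if order is None or offset + 8 > len(data):
        return None
    (ifd_off,) = struct.unpack(order + "I", data[offset + 4:offset + 8])
    ifd_pos = offset + ifd_off
    if ifd_off < 8 or ifd_pos + 2 > len(data):          # first IFD cannot sit inside the 8-byte header
        return None
    (count,) = struct.unpack(order + "H", data[ifd_pos:ifd_pos + 2])
    if count == 0 or ifd_pos + 2 + 12 * count > len(data):  # IFD entries must fit in the blob
        return None
    tags = []
    for i in range(count):
        entry = data[ifd_pos + 2 + 12 * i:ifd_pos + 14 + 12 * i]
        tag, typ, cnt = struct.unpack(order + "HHI", entry[:8])
        tags.append((tag, typ, cnt))
    return {"offset": offset, "byte_order": order, "ifd_offset": ifd_off,
            "entries": count, "tags": tags}


def find_embedded_tiffs(data):
    """Carve every structurally valid TIFF out of an arbitrary byte blob."""
    hits = []
    for magic in TIFF_MAGICS:
        pos = data.find(magic)
        while pos != -1:
            info = parse_tiff_header(data, pos)
            if info:
                hits.append(info)
            pos = data.find(magic, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def scan_office_blob(blob):
    """Return (container_type, findings) for a legacy .doc or an OOXML .docx."""
    if blob.startswith(OLE_MAGIC):
        return "ole", find_embedded_tiffs(blob)           # scan the raw compound file
    if blob.startswith(ZIP_MAGIC):
        findings = []
        with zipfile.ZipFile(io.BytesIO(blob)) as z:      # scan each decompressed member
            for name in z.namelist():
                for hit in find_embedded_tiffs(z.read(name)):
                    hit["member"] = name
                    findings.append(hit)
        return "ooxml", findings
    return "unknown", []


def build_sample_tiff(order="<"):
    """Constructed minimal TIFF: header plus one IFD with three SHORT entries, no pixel data."""
    entries = [(256, 3, 1, 1), (257, 3, 1, 1), (259, 3, 1, 1)]  # ImageWidth, ImageLength, Compression
    ifd = struct.pack(order + "H", len(entries))
    for tag, typ, cnt, val in entries:
        # SHORT values are left-justified inside the 4-byte value field in both byte orders.
        ifd += struct.pack(order + "HHI", tag, typ, cnt) + struct.pack(order + "H", val) + b"\x00\x00"
    ifd += struct.pack(order + "I", 0)                         # no next IFD
    magic = b"II*\x00" if order == "<" else b"MM\x00*"
    return magic + struct.pack(order + "I", 8) + ifd


# Constructed test inputs (not real attack samples): a fake .doc with a TIFF at offset 512,
# and a fake .docx whose word/media/image1.tiff member is a big-endian TIFF.
SAMPLE_DOC = OLE_MAGIC + b"\x00" * (512 - len(OLE_MAGIC)) + build_sample_tiff("<")

_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w", zipfile.ZIP_DEFLATED) as _z:
    _z.writestr("[Content_Types].xml", "<Types/>")
    _z.writestr("word/media/image1.tiff", build_sample_tiff(">"))
SAMPLE_DOCX = _buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("sample.doc", SAMPLE_DOC), ("sample.docx", SAMPLE_DOCX)):
        kind, hits = scan_office_blob(blob)
        print(label, kind, [(h.get("member", "<raw>"), h["offset"], h["entries"]) for h in hits])
```

An embedded TIFF is not by itself malicious, so a hit from this check is a triage signal rather than a verdict: TIFF images are a legitimate, if uncommon, thing to find in a document. The value is in narrowing the set of attachments that warrant closer inspection (or quarantine while the Fix it workaround is rolled out) to the ones that actually carry the image type the exploit needs.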
We have blocked several websites related to this attack and obtained several samples of the exploit, which we detect as TROJ_ACTIFF.A and TROJ_ACTIFF.B. We are actively monitoring this threat and will update this post with further information as necessary.