A few days ago Microsoft released a bulletin describing a newly discovered vulnerability (CVE-2013-3906) in several of the company's flagship products and reported that exploits for it had already been detected. Attackers are already using them; that is the bad news. The good news is that our Automatic Exploit Prevention technology already copes with it, and the new zero-day exploits are powerless against it.
So far the only incidents have occurred in Southeast Asia, but that does not mean something similar could not happen anywhere else.
The vulnerability is a remote code execution flaw in the way Microsoft Office/Microsoft Word handles specially crafted TIFF images. The detected exploits use the heap spray technique, writing their own code to the address 0x08080808 in the heap, the area of an application's dynamically allocated memory. Our experts have already studied the known exploits; their technical descriptions may be found here.
The general degree of any vulnerability’s danger is determined by four factors: prevalence of programs, ease of exploitation (or the existence of exploits “in the wild”), possible consequences of the attack and the availability of prepared countermeasures.
In this situation, we are dealing with a critical vulnerability in software whose prevalence is hard to overestimate: Microsoft Windows, Microsoft Office and Microsoft Lync. However, the vulnerability does not affect all versions of those programs. The Microsoft bulletin does not make it clear enough which combinations are dangerous, but the "puzzle" was solved by InfoWorld: Word 2003 and 2007 are vulnerable under all versions of Windows, from XP to Windows 8.1. Word 2010 is vulnerable under Windows XP and Windows Server 2003, but not under Windows Vista, Windows 7 and Windows 8/8.1. Finally, Word 2013 is not affected at all.
The Microsoft bulletin reports successful attacks by means of currently known exploits against Microsoft Office 2007 under Windows XP SP 3. This operating system is 12 years old already but still actively used (to the delight of the many hackers who know that this system is highly vulnerable).
A typical attack involves opening a Word document with a malicious embedded TIFF graphic. This may be the main threat, because attackers do not have to resort to elaborate tricks such as social engineering to make a user open the attachment; the victim simply has to open the message.
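Because the delivery vector is a Word document carrying an embedded TIFF, a simple triage heuristic for a mail gateway or endpoint is to flag any Office document that contains a TIFF header at all, so it can be held or inspected. The following is an added example (not code from the original post or from Kaspersky): it recognises a zip-based .docx and a legacy OLE .doc by their container signatures, then looks for the two TIFF byte-order signatures ("II*\0" and "MM\0*") in the zip parts or in the raw bytes. The sample documents are constructed in the script itself; the function names and the minimal TIFF are assumptions of this example.

```python
import io
import struct
import zipfile

# A TIFF file begins with a byte-order mark ("II" little-endian, "MM" big-endian)
# followed by the 16-bit magic number 42.
TIFF_MAGIC = (b"II*\x00", b"MM\x00*")
OOXML_MAGIC = b"PK\x03\x04"                      # .docx is a zip container
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc compound file


def find_tiff_offsets(data: bytes) -> list:
    """Return every offset at which a TIFF header signature occurs in data."""
    hits = []
    for magic in TIFF_MAGIC:
        start = 0
        while True:
            idx = data.find(magic, start)
            if idx < 0:
                break
            hits.append(idx)
            start = idx + 1
    return sorted(hits)


def scan_document(data: bytes) -> dict:
    """Triage a Word document for embedded TIFF images.

    This is a heuristic for holding suspicious attachments, not a vulnerability
    check: every embedded TIFF is reported so an analyst can look at it.
    """
    result = {"container": "unknown", "tiff_locations": []}
    if data.startswith(OOXML_MAGIC):
        result["container"] = "ooxml"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                head = zf.read(info.filename)[:4]
                # Media parts normally live under word/media/, but every part is
                # checked because the attacker need not use the expected path.
                if head in TIFF_MAGIC:
                    result["tiff_locations"].append(info.filename)
    else:
        # Legacy .doc stores picture data uncompressed inside the compound
        # file, so a raw byte scan finds the TIFF header. Unknown containers
        # get the same raw scan.
        if data.startswith(OLE_MAGIC):
            result["container"] = "ole"
        result["tiff_locations"] = ["offset %d" % off for off in find_tiff_offsets(data)]
    return result


# --- constructed sample inputs (assumptions of this example, not real malware) ---

# Smallest structurally valid little-endian TIFF: header, IFD offset 8, an IFD
# with zero entries and a zero "next IFD" pointer.
MINIMAL_TIFF = b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", 0) + struct.pack("<I", 0)


def build_sample_docx() -> bytes:
    """Build an in-memory .docx-like zip with one TIFF under word/media/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.tiff", MINIMAL_TIFF)
    return buf.getvalue()


def build_sample_doc() -> bytes:
    """Build a stand-in OLE blob: OLE signature, padding, then a TIFF at offset 512."""
    return OLE_MAGIC + b"\x00" * 504 + MINIMAL_TIFF + b"\x00" * 64


if __name__ == "__main__":
    for name, blob in (("sample.docx", build_sample_docx()),
                       ("sample.doc", build_sample_doc()),
                       ("notes.txt", b"plain text, no images")):
        print(name, scan_document(blob))
```

Run as-is it prints the triage result for each constructed sample; in practice `scan_document` would be fed the bytes of each attachment. A hit on a TIFF is a reason to hold the document for inspection, not proof of exploitation, so pair it with the patch and workaround status of the receiving Office version.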
The possible consequences of an attack are very serious, because the attacker gets the same privileges in the system as the user has. Accordingly, those most affected are people who constantly use the system with administrator privileges. Most Windows XP users have always done so and probably still do, even though it is a direct violation of basic safety precautions.
As for the countermeasures, Microsoft has almost nothing to offer. There is just a Fixit utility which simply disables TIFF processing under Windows. An appropriate patch will be released with the next set of updates, probably prior to the end of the month.
In the meantime, you can use our Automatic Exploit Prevention technology to protect yourself against this threat. AEP is based on analysis of exploit behavior and on data about the most frequently attacked applications, including Adobe Acrobat, Java, Windows components, Internet Explorer and Microsoft Office.
Every time one of these programs tries to run suspicious code, special controls immediately intervene to block the launch and scan the system.
Another layer of protection is provided by the Address Space Layout Randomization (ASLR) feature, which places key data (e.g., system libraries) at random locations in the address space and so greatly complicates the exploitation of certain vulnerabilities.
This technology has been built into Windows since Vista, but it is absent from Windows XP. Automatic Exploit Prevention enforces address space randomization on Windows XP, too.
As I stated above, the observed successful attacks were carried out against computers with Word 2007 under Windows XP.
All the currently known attacks using this vulnerability were strictly targeted. This, however, does not mean there is no wider threat. The vulnerability is clearly critical and the exploits are of the zero-day class (at least until Microsoft releases the appropriate patches), and we should not ignore these facts.