GDI+ in Microsoft Windows Vista SP2 and Server 2008 SP2; Office 2003 SP3, 2007 SP3, and 2010 SP1 and SP2; Office Compatibility Pack SP3; and Lync 2010, 2010 Attendee, 2013, and Basic 2013 allows remote attackers to execute arbitrary code via a crafted TIFF image, as demonstrated by an image in a Word document, and exploited in the wild in October and November 2013.
References
Link | Resource |
---|---|
http://blogs.mcafee.com/mcafee-labs/mcafee-labs-detects-zero-day-exploit-targeting-microsoft-office-2 | Broken Link, Exploit |
http://blogs.technet.com/b/srd/archive/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-through-word-documents.aspx | Broken Link, Exploit |
http://technet.microsoft.com/security/advisory/2896666 | Patch, Vendor Advisory |
http://www.exploit-db.com/exploits/30011 | Exploit, Third Party Advisory, VDB Entry |
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-096 | Patch, Vendor Advisory |
History
24 Jul 2024, 16:19
Type | Values Removed | Values Added |
---|---|---|
References | () http://blogs.mcafee.com/mcafee-labs/mcafee-labs-detects-zero-day-exploit-targeting-microsoft-office-2 - Broken Link, Exploit | |
References | () http://blogs.technet.com/b/srd/archive/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-through-word-documents.aspx - Broken Link, Exploit | |
References | () http://www.exploit-db.com/exploits/30011 - Exploit, Third Party Advisory, VDB Entry | |
References | () https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-096 - Patch, Vendor Advisory | |
CPE | cpe:2.3:a:microsoft:office:2010:sp2:x64:*:*:*:*:* cpe:2.3:o:microsoft:windows_server_2008:*:sp2:itanium:*:*:*:*:* cpe:2.3:a:microsoft:office:2010:sp1:x64:*:*:*:*:* cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:* cpe:2.3:a:microsoft:lync:2010:*:attendee:*:*:*:*:* cpe:2.3:o:microsoft:windows_server_2008:*:sp2:x64:*:*:*:*:* cpe:2.3:a:microsoft:lync_basic:2013:-:x64:*:*:*:*:* cpe:2.3:o:microsoft:windows_server_2008:*:sp2:x86:*:*:*:*:* cpe:2.3:a:microsoft:office:2010:sp2:x86:*:*:*:*:* cpe:2.3:a:microsoft:lync:2013:-:x64:*:*:*:*:* cpe:2.3:a:microsoft:lync_basic:2013:-:x86:*:*:*:*:* cpe:2.3:a:microsoft:lync:2010:*:x64:*:*:*:*:* cpe:2.3:a:microsoft:office:2010:sp1:x86:*:*:*:*:* cpe:2.3:a:microsoft:lync:2010:*:x86:*:*:*:*:* |
cpe:2.3:a:microsoft:lync:2013:*:*:*:*:*:*:* cpe:2.3:a:microsoft:office:2010:sp1:*:*:*:*:*:* cpe:2.3:a:microsoft:powerpoint_viewer:2010:sp1:*:*:*:*:*:* cpe:2.3:a:microsoft:lync:2010:*:*:*:attendee:*:*:* cpe:2.3:a:microsoft:office:2010:sp2:*:*:*:*:*:* cpe:2.3:a:microsoft:office_compatibility_pack:-:sp3:*:*:*:*:*:* cpe:2.3:a:microsoft:excel_viewer:-:*:*:*:*:*:*:* cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:* cpe:2.3:a:microsoft:word_viewer:-:*:*:*:*:*:*:* cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:* cpe:2.3:a:microsoft:powerpoint_viewer:2010:sp2:*:*:*:*:*:* |
CVSS | v2 : v3 : | v2 : 9.3, v3 : 7.8 |
First Time | Microsoft office Compatibility Pack, Microsoft excel Viewer, Microsoft powerpoint Viewer, Microsoft word Viewer |
07 Dec 2023, 18:38
Type | Values Removed | Values Added |
---|---|---|
CPE |
Information
Published : 2013-11-06 15:55
Updated : 2024-07-24 16:19
NVD link : CVE-2013-3906
Mitre link : CVE-2013-3906
CVE.ORG link : CVE-2013-3906
Products Affected
microsoft
- office_compatibility_pack
- office
- powerpoint_viewer
- lync
- windows_server_2008
- windows_vista
- word_viewer
- excel_viewer
CWE
CWE-94
Improper Control of Generation of Code ('Code Injection')