
=====================================================================

                           CERT-Renater

               Information Note No. 2013/VULN490
_____________________________________________________________________

DATE                : 06/11/2013

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):  Microsoft Windows,
                       Systems running Microsoft Office, Microsoft Lync.

======================================================================
http://technet.microsoft.com/en-us/security/advisory/2896666
______________________________________________________________________

Microsoft Security Advisory (2896666) Vulnerability in Microsoft
Graphics Component Could Allow Remote Code Execution

Published: Tuesday, November 05, 2013

Version: 1.0


General Information

Executive Summary

Microsoft is investigating private reports of a vulnerability in the
Microsoft Graphics component that affects Microsoft Windows, Microsoft
Office, and Microsoft Lync. Microsoft is aware of targeted attacks that
attempt to exploit this vulnerability in Microsoft Office products.

The vulnerability is a remote code execution vulnerability that exists
in the way affected components handle specially crafted TIFF images. An
attacker could exploit this vulnerability by convincing a user to
preview or open a specially crafted email message, open a specially
crafted file, or browse specially crafted web content. An attacker who
successfully exploited the vulnerability could gain the same user
rights as the current user. Users whose accounts are configured to have
fewer user rights on the system could be less impacted than users who
operate with administrative user rights.


Affected Software

Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core
installation)
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core
installation)
Microsoft Office 2003 Service Pack 3
Microsoft Office 2007 Service Pack 3
Microsoft Office 2010 Service Pack 1 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 1 (64-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office Compatibility Pack Service Pack 3
Microsoft Lync 2010 (32-bit)
Microsoft Lync 2010 (64-bit)
Microsoft Lync 2010 Attendee
Microsoft Lync 2013 (32-bit)
Microsoft Lync Basic 2013 (32-bit)
Microsoft Lync 2013 (64-bit)
Microsoft Lync Basic 2013 (64-bit)


Suggested Actions


Apply Workarounds

Workarounds refer to a setting or configuration change that does not
correct the underlying issue but would help block known attack vectors
before a security update is available. See the next section,
Workarounds, for more information.


Workarounds

Disable the TIFF codec


Note: See Microsoft Knowledge Base Article 2896666 to use the automated
Microsoft Fix it solution to enable or disable this workaround.

You can prevent TIFF files from being displayed by modifying the
registry to control the parsing of the TIFF codec. By changing the
registry entries, you can control which images are parsed and rendered
and which images are rejected in GDI+. For example, you can select to
parse and render Joint Photographic Experts Group (JPEG) images, but
block Tagged Image File Format (TIFF) images.

Warning: If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system.
Microsoft cannot guarantee that you can solve problems that result from
using Registry Editor incorrectly. Use Registry Editor at your own risk.


Note: After you change a registry entry, you must restart the
application that uses the codec.


To disable the TIFF codec:

        1. To add a registry entry, create the following registry subkey:

           HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Gdiplus

        2. Create a DWORD value for the TIFF codec by creating a registry
           entry (DWORD value) under the registry subkey you created in
           step 1:

           DisableTIFFCodec

        3. To disable the TIFF codec, set the value of the
           DisableTIFFCodec registry entry to 1.


Impact of Workaround. You will not be able to view TIFF files.


How to undo the workaround

        To re-enable the TIFF codec, set the value of the
        DisableTIFFCodec registry entry to 0.
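
The registry steps above, scripted with a read-back check so that a failed
write is not mistaken for an applied workaround. This is an added example,
not part of the Microsoft advisory or the Fix it solution; the function
names are hypothetical and it must run from an elevated PowerShell session.

```powershell
# Added example: apply, verify, or undo the DisableTIFFCodec workaround.
# Subkey and value name are the ones given in the advisory.
$GdiplusKey = 'HKLM:\SOFTWARE\Microsoft\Gdiplus'
$ValueName  = 'DisableTIFFCodec'

function Get-TiffCodecWorkaround {
    # Returns 'Disabled' when the value is 1, otherwise 'Enabled'.
    # A missing subkey or value means the workaround was never applied.
    $prop = Get-ItemProperty -Path $GdiplusKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $prop -and $prop.$ValueName -eq 1) { 'Disabled' } else { 'Enabled' }
}

function Set-TiffCodecWorkaround {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Disable', 'Undo')]
        [string]$Action
    )
    $value    = if ($Action -eq 'Disable') { 1 } else { 0 }
    $expected = if ($Action -eq 'Disable') { 'Disabled' } else { 'Enabled' }

    # Step 1: create the subkey if it does not exist yet.
    if (-not (Test-Path -Path $GdiplusKey)) {
        New-Item -Path $GdiplusKey -Force | Out-Null
    }
    # Steps 2 and 3: create (or overwrite) the DWORD value.
    New-ItemProperty -Path $GdiplusKey -Name $ValueName `
        -PropertyType DWord -Value $value -Force | Out-Null

    # Read the value back instead of trusting the write.
    $state = Get-TiffCodecWorkaround
    if ($state -ne $expected) {
        throw "DisableTIFFCodec not set as expected (codec state: $state)"
    }
    Write-Output "TIFF codec state: $state. Restart applications that use the codec."
}

# Usage:
#   Get-TiffCodecWorkaround                  # audit only
#   Set-TiffCodecWorkaround -Action Disable  # apply the workaround
#   Set-TiffCodecWorkaround -Action Undo     # set the value back to 0
```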

Deploy the Enhanced Mitigation Experience Toolkit

The Enhanced Mitigation Experience Toolkit (EMET) helps mitigate the
exploitation of this vulnerability by adding additional protection
layers that make the vulnerability harder to exploit. EMET 4.0 is
officially supported by Microsoft. At this time, EMET is only available
in the English language. For more information, see Microsoft Knowledge
Base Article 2458544.

For more information about configuring EMET, see the EMET User's Guide:

        On 32-bit systems the EMET User's Guide is located in
        C:\Program Files\EMET\EMET User's Guide.pdf

        On 64-bit systems the EMET User's Guide is located in
        C:\Program Files (x86)\EMET\EMET User's Guide.pdf

Configure EMET 4.0 for affected software

EMET 4.0, in the recommended configuration, is automatically configured
to help protect the affected software installed on your system. No
additional steps are required.

Configure EMET 3.0 for affected software from the EMET user interface

Office applications:

To add an Office application to the list of applications using EMET
3.0, perform the following steps. You need to perform these steps for
each of the following Office application executables:

        Word.exe, Excel.exe, PowerPoint.exe, InfoPath.exe, Outlook.exe,
        Publisher.exe, OneNote.exe, wordview.exe, Pptview.exe, Lync.exe

        1. Click Start, All Programs, Enhanced Mitigation Experience
           Toolkit, and EMET 3.0.

        2. Click Yes on the UAC prompt, click Configure Apps, then select
           Add.

        3. Select and add the above mentioned executables into EMET
           configuration from Office installation folder:

           For 32-bit versions of Microsoft Office software and Lync 2013:

           For Office 2003 %ProgramFiles(x86)%\Microsoft Office\Office11\
           For Office 2007 %ProgramFiles(x86)%\Microsoft Office\Office12\
           For Office 2010 %ProgramFiles(x86)%\Microsoft Office\Office14\

           OR

           For Office 2003 %ProgramFiles%\Microsoft Office\Office11\
           For Office 2007 %ProgramFiles%\Microsoft Office\Office12\
           For Office 2010 %ProgramFiles%\Microsoft Office\Office14\

           For 64-bit versions of Microsoft Office software and Lync 2013:

           For Office 2003 %ProgramFiles%\Microsoft Office\Office11\
           For Office 2007 %ProgramFiles%\Microsoft Office\Office12\
           For Office 2010 %ProgramFiles%\Microsoft Office\Office14\

        4. Click OK and exit EMET.

Lync 2010 application:

To add the Lync 2010 application to the list of applications using
EMET 3.0, perform the following steps:

        1. Click Start, All Programs, Enhanced Mitigation Experience
           Toolkit, and EMET 3.0.

        2. Click Yes on the UAC prompt, click Configure Apps, then select
           Add.

        3. Type the following entry:

           *\Microsoft Lync\communicator.exe

        4. Click OK and exit EMET.

Configure EMET 3.0 for affected software from a command line

Office applications and Lync 2013:

Opt in the following Office application executables to all EMET 3.0
mitigations:

        Word.exe, Excel.exe, PowerPoint.exe, InfoPath.exe, Outlook.exe,
        Publisher.exe, OneNote.exe, wordview.exe, Pptview.exe, Lync.exe

        1. Run the following from an elevated command prompt:

           For 32-bit versions of Microsoft Office software and Lync 2013:

           "C:\Program Files\EMET\EMET_Conf.exe" --set "*\Microsoft Office\Office1*\<Office application filename>.exe"

           OR

           "C:\Program Files (x86)\EMET\EMET_Conf.exe" --set "*\Microsoft Office\Office1*\<Office application filename>.exe"

           For 64-bit versions of Microsoft Office software and Lync 2013:

           "C:\Program Files\EMET\EMET_Conf.exe" --set "*\Microsoft Office\Office1*\<Office application filename>.exe"

        2. If you have completed this successfully, the following message
           appears:

           "The changes you have made may require restarting one or more
           applications"

Lync 2010 application:

        1. Run the following from an elevated command prompt:

           For 32-bit versions of Lync 2010:

           "C:\Program Files\EMET\EMET_Conf.exe" --set "*\Microsoft Lync\communicator.exe"

           OR

           "C:\Program Files (x86)\EMET\EMET_Conf.exe" --set "*\Microsoft Lync\communicator.exe"

           For 64-bit versions of Lync 2010:

           "C:\Program Files\EMET\EMET_Conf.exe" --set "*\Microsoft Lync\communicator.exe"

        2. If you have completed this successfully, the following message
           appears:

           "The changes you have made may require restarting one or more
           applications"

For more information regarding running EMET_Conf.exe, see the command
line help by running the following from a command prompt.

        On 32-bit systems:

        "C:\Program Files\EMET\EMET_Conf.exe" /?

        On 64-bit systems:

        "C:\Program Files (x86)\EMET\EMET_Conf.exe" /?

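The command-line opt-in above, run once per executable, with each run
checked against the success message the advisory quotes. This is an added
example, not part of the Microsoft advisory; it assumes EMET 3.0 is
installed in one of the two folders named above and that the success
message is printed on a single line.

```powershell
# Added example: opt the listed executables in to all EMET 3.0 mitigations.
# Run from an elevated PowerShell session.

# EMET_Conf.exe lives under one of the two folders the advisory names.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$emetConf = $roots |
    ForEach-Object { Join-Path $_ 'EMET\EMET_Conf.exe' } |
    Where-Object { Test-Path $_ } |
    Select-Object -First 1
if (-not $emetConf) { throw 'EMET_Conf.exe not found; is EMET 3.0 installed?' }

# File names exactly as the advisory lists them. Check them against the
# files actually present in the Office folder before relying on the result.
$officeExes = 'Word.exe', 'Excel.exe', 'PowerPoint.exe', 'InfoPath.exe',
              'Outlook.exe', 'Publisher.exe', 'OneNote.exe', 'wordview.exe',
              'Pptview.exe', 'Lync.exe'

# Wildcard patterns from the advisory: Office and Lync 2013, then Lync 2010.
$patterns  = @($officeExes | ForEach-Object { "*\Microsoft Office\Office1*\$_" })
$patterns += '*\Microsoft Lync\communicator.exe'

# Part of the success message quoted in the advisory.
$successText = 'may require restarting one or more applications'

$failed = @()
foreach ($pattern in $patterns) {
    # Capture stdout and stderr so a silent failure is still visible.
    $output = (& $emetConf --set $pattern 2>&1 | Out-String)
    if ($output -like "*$successText*") {
        Write-Output "opted in: $pattern"
    } else {
        $failed += $pattern
        Write-Warning "no success message for: $pattern"
    }
}
if ($failed.Count -gt 0) {
    throw "EMET_Conf.exe did not confirm $($failed.Count) of $($patterns.Count) entries"
}
```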

Configure EMET for affected software using Group Policy

EMET can be configured using Group Policy. For information about
configuring EMET using Group Policy, see the EMET User's Guide:

For EMET 4.0:

        On 32-bit systems the EMET User's Guide is located in
        C:\Program Files\EMET 4.0\EMET User's Guide.pdf

        On 64-bit systems the EMET User's Guide is located in
        C:\Program Files (x86)\EMET 4.0\EMET User's Guide.pdf

For EMET 3.0:

        On 32-bit systems the EMET User's Guide is located in
        C:\Program Files\EMET\EMET User's Guide.pdf

        On 64-bit systems the EMET User's Guide is located in
        C:\Program Files (x86)\EMET\EMET User's Guide.pdf

Note: For more information about Group Policy, see Group Policy
collection.

Acknowledgments

Microsoft thanks the following for working with us to help protect
customers:

    Haifei Li of McAfee Labs IPS Team for reporting the Microsoft
    Graphics Component Memory Corruption Vulnerability (CVE-2013-3906)


=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
