On November 5, Microsoft issued an advisory and a blog post to report a new zero-day vulnerability in the Microsoft Graphics component that affects Windows, Microsoft Office and Microsoft Lync: the Multiple Microsoft Products Remote Code Execution Vulnerability (CVE-2013-3906). The advisory states that the vulnerability exists in the way that certain components handle specially crafted TIFF images, potentially allowing an attacker to remotely execute code on the affected computer.
While Microsoft has yet to release a patch for this vulnerability, it has provided a temporary "Fix It” tool as a workaround until a security update is made available. To ensure that Symantec customers are protected from attacks using this zero-day vulnerability, the following protection is being released:
Antivirus
- Trojan.Hantiff
- Bloodhound.Exploit.525
Intrusion Prevention System
- Web Attack: Microsoft Office RCE CVE-2013-3906_2
The Microsoft blog post states that this vulnerability is being actively exploited in targeted attacks using crafted Word documents sent in emails. Symantec’s research into the exploitation of this zero-day flaw in the wild has shown that our Symantec.Cloud service preemptively blocks emails sent as part of this attack. Here are some examples of the email subject headings and the attached files’ names seen in the attack:
File name: Details_Letter of Credit.doc
Email subject: Illegal Authorization for Funds Transfer
File name: Missing MT103 Confirmation.docx
Email subject: Problem with Credit September 26th 2013
File name: Illegality_Supply details.docx
Email subject: Illegal Authorization for Funds Transfer
After analyzing the payloads being used in this attack, we have identified that the targeted emails are part of an attack campaign known as Operation Hangover, which we covered back in May 2013 in the blog post: Operation Hangover: Q&A on Attacks. At that time, the group behind these attacks was known to have used multiple vulnerabilities, but was not known to have used any zero-day flaws in the attacks. As predicted in our previous blog post, the exposure of Operation Hangover would not adversely affect the activities of the group orchestrating the campaign, which can be clearly seen now with these latest activities involving the zero-day vulnerability.
Symantec has protection in place for the threats used in this latest wave of the Operation Hangover campaign as Trojan.Mdropper, Downloader and Infostealer. To allow customers to identify this attack, we are mapping the latest components of the Operation Hangover campaign to Trojan.Smackdown.B and Trojan.Hangove.B.
Symantec will continue to investigate this attack to ensure that the best possible protection is in place. As always, we recommend that users keep their systems up-to-date with the latest software patches and refrain from opening any suspicious emails. We also advise customers to use the latest Symantec technologies and incorporate the latest Symantec consumer and enterprise solutions to best protect against attacks of this kind.