CVE-2013-3906

KEV

Published: Nov 06, 2013 Last Modified: Ott 22, 2025

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 7,8

Source: [email protected]

Attack Vector: local

Attack Complexity: low

Privileges Required: none

User Interaction: required

Scope: unchanged

Confidentiality: high

Integrity: high

Availability: high

HIGH 9,3

Source: [email protected]

Access Vector: network

Access Complexity: medium

Authentication: none

Confidentiality: complete

Integrity: complete

Availability: complete

Description

AI Translation Available

GDI+ in Microsoft Windows Vista SP2 and Server 2008 SP2; Office 2003 SP3, 2007 SP3, and 2010 SP1 and SP2; Office Compatibility Pack SP3; and Lync 2010, 2010 Attendee, 2013, and Basic 2013 allows remote attackers to execute arbitrary code via a crafted TIFF image, as demonstrated by an image in a Word document, and exploited in the wild in October and November 2013.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,9258

Percentile

1,0th

Updated

EPSS Score Trend (Last 91 Days)

Improper Control of Generation of Code ('Code Injection')

Draft

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Access Control Integrity Confidentiality Availability Non-Repudiation

Potential Impacts:

Bypass Protection Mechanism Gain Privileges Or Assume Identity Execute Unauthorized Code Or Commands Hide Activities

Applicable Platforms

Languages: Interpreted

Technologies: AI/ML

Likelihood of Exploit: Medium

View CWE Details

Exploit

Microsoft - Tagged Image File Format '.TIFF' Integer …

Verified Metasploit Framework (MSF)

Microsoft - Tagged Image File Format '.TIFF' Integer Overflow (Metasploit)

Author: Metasploit Published: Status: Verified

View Exploit Code →

Application

Office by Microsoft

Product Information

Vendor Microsoft

Product Office

Version 2010

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:microsoft:office:2010:sp2:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Lync by Microsoft

Product Information

Vendor Microsoft

Product Lync

Version 2013

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:microsoft:lync:2013:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Operating System

Windows Server 2008 by Microsoft

Product Information

Vendor Microsoft

Product Windows Server 2008

Version -

CPE Identifier

View Detailed Analysis


                  cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Lync by Microsoft

Product Information

Vendor Microsoft

Product Lync

Version 2010

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:microsoft:lync:2010:*:*:*:attendee:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Office Compatibility Pack by Microsoft

Product Information

Vendor Microsoft

Product Office Compatibility Pack

Version -

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:microsoft:office_compatibility_pack:-:sp3:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Word Viewer by Microsoft

Product Information

Vendor Microsoft

Product Word Viewer

Version -

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:microsoft:word_viewer:-:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Office by Microsoft

Product Information

Vendor Microsoft

Product Office

Version 2010

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:microsoft:office:2010:sp1:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Powerpoint Viewer by Microsoft

Product Information

Vendor Microsoft

Product Powerpoint Viewer

Version 2010

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:microsoft:powerpoint_viewer:2010:sp1:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Office by Microsoft

Product Information

Vendor Microsoft

Product Office

Version 2003

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:microsoft:office:2003:sp3:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Operating System

Windows Vista by Microsoft

Product Information

Vendor Microsoft

Product Windows Vista

Version -

CPE Identifier

View Detailed Analysis


                  cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Excel Viewer by Microsoft

Product Information

Vendor Microsoft

Product Excel Viewer

Version -

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:microsoft:excel_viewer:-:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Powerpoint Viewer by Microsoft

Product Information

Vendor Microsoft

Product Powerpoint Viewer

Version 2010

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:microsoft:powerpoint_viewer:2010:sp2:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Office by Microsoft

Product Information

Vendor Microsoft

Product Office

Version 2007

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:microsoft:office:2007:sp3:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

https://www.cisa.gov/known-exploited-vulnerabilities-catalo…

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013…

http://blogs.mcafee.com/mcafee-labs/mcafee-labs-detects-zer…

http://blogs.mcafee.com/mcafee-labs/mcafee-labs-detects-zero-day-exploit-target…

http://blogs.technet.com/b/srd/archive/2013/11/05/cve-2013-…

http://blogs.technet.com/b/srd/archive/2013/11/05/cve-2013-3906-a-graphics-vuln…

https://docs.microsoft.com/en-us/security-updates/securityb…

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-0…

http://technet.microsoft.com/security/advisory/2896666

http://www.exploit-db.com/exploits/30011

http://blogs.mcafee.com/mcafee-labs/mcafee-labs-detects-zer…

http://blogs.mcafee.com/mcafee-labs/mcafee-labs-detects-zero-day-exploit-target…

http://blogs.technet.com/b/srd/archive/2013/11/05/cve-2013-…

http://blogs.technet.com/b/srd/archive/2013/11/05/cve-2013-3906-a-graphics-vuln…

https://docs.microsoft.com/en-us/security-updates/securityb…

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-0…

http://technet.microsoft.com/security/advisory/2896666

http://www.exploit-db.com/exploits/30011

CVE-2013-3906

Description

EPSS (Exploit Prediction Scoring System)

EPSS (Exploit Prediction Scoring System)

EPSS Score Trend (Last 91 Days)

Improper Control of Generation of Code ('Code Injection')

Common Consequences

Applicable Platforms

Microsoft - Tagged Image File Format '.TIFF' Integer …

Office by Microsoft

Product Information

Lync by Microsoft

Product Information

Windows Server 2008 by Microsoft

Product Information

Lync by Microsoft

Product Information

Office Compatibility Pack by Microsoft

Product Information

Word Viewer by Microsoft

Product Information

Office by Microsoft

Product Information

Powerpoint Viewer by Microsoft

Product Information

Office by Microsoft

Product Information

Windows Vista by Microsoft

Product Information

Excel Viewer by Microsoft

Product Information

Powerpoint Viewer by Microsoft

Product Information

Office by Microsoft

Product Information

Iscriviti alla newsletter