CVE-2013-3906

Published: Nov 6, 2013Modified: Apr 22, 2026CISA KEV

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

GDI+ in Microsoft Windows Vista SP2 and Server 2008 SP2; Office 2003 SP3, 2007 SP3, and 2010 SP1 and SP2; Office Compatibility Pack SP3; and Lync 2010, 2010 Attendee, 2013, and Basic 2013 allows remote attackers to execute arbitrary code via a crafted TIFF image, as demonstrated by an image in a Word document, and exploited in the wild in October and November 2013.

Affected (13)

Products: Microsoft: Excel Viewer, Lync, Office, Office Compatibility Pack, Powerpoint Viewer, Windows Server 2008, Windows Vista, Word Viewer

8 products

Office Compatibility Pack

Powerpoint Viewer

Windows Server 2008

Configuration A

13 vulnerable

Vulnerable Software	Affected Versions
Microsoft Excel Viewer	All versions
Microsoft Lync	Version 2010
Microsoft Lync	Version 2013
Microsoft Office	Version 2003 sp3
Microsoft Office	Version 2007 sp3
Microsoft Office	Version 2010 sp1
Microsoft Office	Version 2010 sp2
Microsoft Office Compatibility Pack	All versions
Microsoft Powerpoint Viewer	Version 2010 sp1
Microsoft Powerpoint Viewer	Version 2010 sp2
Microsoft Windows Server 2008	All versions
Microsoft Windows Vista	All versions
Microsoft Word Viewer	All versions

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (11)

http://blogs.mcafee.com/mcafee-labs/mcafee-labs-detects-zero-day-exploit-targeting-microsoft-office-2

Source: secure@microsoft.com

Broken LinkExploit

http://blogs.technet.com/b/srd/archive/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-through-word-documents.aspx

Source: secure@microsoft.com

Broken LinkExploit

http://technet.microsoft.com/security/advisory/2896666

Source: secure@microsoft.com

PatchVendor Advisory

http://www.exploit-db.com/exploits/30011

Source: secure@microsoft.com

ExploitThird Party AdvisoryVDB Entry

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-096

Source: secure@microsoft.com

PatchVendor Advisory

http://blogs.mcafee.com/mcafee-labs/mcafee-labs-detects-zero-day-exploit-targeting-microsoft-office-2

Source: af854a3a-2127-422b-91ae-364da2661108

Broken LinkExploit

http://blogs.technet.com/b/srd/archive/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-through-word-documents.aspx

Source: af854a3a-2127-422b-91ae-364da2661108

Broken LinkExploit

http://technet.microsoft.com/security/advisory/2896666

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

http://www.exploit-db.com/exploits/30011

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-096

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-3906

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

US Government Resource

Timeline

No history available yet.