November 7, 2013

Up to 37% of Enterprise Computers Vulnerable to Microsoft Office Zero-day CVE-2013-3906

Ran Mosessco Principal Security Researcher

A new vulnerability related to the parsing of TIFF images was found in the Microsoft Graphics component that affects Microsoft Windows, Microsoft Office, and Microsoft Lync. Microsoft published Security Advisory 2896666 explaining the details. Microsoft Fix it 51004 is available to alleviate the problem until an update is available.

Our initial research of the exploit indicates that this vulnerability is capable of affecting Microsoft Office versions 2003, 2007, and 2010 (Office 2010 vulnerability is limited to Windows XP and Server 2003 operating systems) and that it will fail on machines viewing the documents in protected mode (ActiveX support in documents disabled). While it is not easy to determine if computers have ActiveX enabled for Office documents, it is possible to profile vulnerable combinations of Microsoft Windows and Office to help understand the attack surface. Our telemetry feeds indicate the following breakdown of Microsoft Office versions deployed in enterprise environments:

  • Office 2003 - 5%
  • Office 2007 - 30%
  • Office 2010 - 41%
  • Office 2013 - 14%

Of the computers observed running Office 2010 (41%), only 2% of the computers were running Windows XP or Windows Server 2003. This leaves a representative attack surface of up to 37% of enterprise computers that are running both Microsoft Windows and Office.  

The vulnerability allows attackers to execute remote code, and has been observed in targeted email attacks against Middle East and South Asia victims. 


Executive Summary

  • Zero-day exploits discovered mostly affecting older Office versions and older Windows OS
  • While attacks have been limited to date, up to 37% of enterprise computers running both Microsoft Windows and Office are vulnerable to CVE-2013-3906 (according to our telemetry feeds)
  • We have observed this vulnerability being used in targeted email attacks via Microsoft Word (.docx) attachments
  • Microsoft Fix it 51004 is available to alleviate the problem until an update is available
  • Websense customers have been protected from known samples at multiple stages of the attack cycle
  • We predict seeing various threat actors adopting this exploit for both targeted and large-scale campaigns within the next few months due to the large attack surface
  • Due to the fact that the exploit is based on Microsoft Office documents, it is less likely that this exploit will be quickly incorporated into Web-based exploit kits such as Neutrino, Styx and Magnitude

Zero-day Exploit Details

The affected Office versions are 2003, 2007, and 2010 (only on Windows XP and Windows Server 2003). Office 2013 users are not affected according to Microsoft.

The exploit works by performing a large memory heap-spray using ActiveX controls, and using hardcoded ROP gadgets to allocate executable pages.

ROP (Return-Oriented Programming) is a technique that allows an attacker to execute code despite security defenses. The attacker hijacks program control flow and then executes carefully chosen machine instruction sequences, called "gadgets". Chained together, these gadgets allow an attacker to perform arbitrary operations on a machine employing defenses that thwart simpler attacks.

Malware Behavior

The remote download location for a dropper (hxxp://myflatnet.com/ralph_3/winword.exe) is embedded in the malicious Word document.

After successful exploitation, the exploit downloads an executable from the location above and saves it to C:\Documents and Settings\<username>\Local Settings\Temp\winword.exe.

Observed dropper download locations include:

  • hxxp://myflatnet.com/bruce_2/winword.exe
  • hxxp://myflatnet.com/new_red/winword.exe
  • hxxp://myflatnet.com/ralph_3/winword.exe

The downloaded file Winword.exe (SHA1 373038c199efffd7c35d624e374af32ab1cd3f04) is actually a RAR SFX containing an executable and a fake Word document.

After being run, Winword.exe decompresses another executable (Updates.exe) to the following location and subsequently executes it:

  • C:\Documents and Settings\<username>\Updates.exe

Updates.exe is a backdoor that allows an attacker to gain control of the victim's computer.

The fake document included in the Winword.exe RAR is saved to the same user folder. Two examples:

  • C:\Documents and Settings\<username>\Shanti.doc
  • C:\Documents and Settings\<username>\ISI.doc 

The document is opened after exploitation to pacify the potential victim.
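The file locations above translate directly into a hunting rule over process-creation telemetry. The following is an added example, not Websense's detection logic: the `host`/`image`/`parent` event shape and the rule names are assumptions, and the sample events are constructed.

```python
import re
from ntpath import normpath  # Windows path semantics on any analysis host

# Locations from the write-up; <username> and the drive letter are generalised.
PROFILE = r"[a-z]:\\documents and settings\\[^\\]+"
DROPPER = re.compile(PROFILE + r"\\local settings\\temp\\winword\.exe")
BACKDOOR = re.compile(PROFILE + r"\\updates\.exe")

def norm(path):
    """Lower-case the path and collapse '..', '/' and doubled separators."""
    return normpath(path).lower() if path else ""

def hunt(events):
    """Return (rule, host, image) for process-creation events matching the chain."""
    hits = []
    for ev in events:
        image, parent = norm(ev["image"]), norm(ev.get("parent"))
        if DROPPER.fullmatch(image):
            # The genuine WINWORD.EXE runs from Program Files, never from Temp.
            hits.append(("dropper-in-temp", ev["host"], ev["image"]))
        elif BACKDOOR.fullmatch(image):
            chained = DROPPER.fullmatch(parent)
            rule = "backdoor-from-dropper" if chained else "backdoor-in-profile-root"
            hits.append((rule, ev["host"], ev["image"]))
    return hits

# Constructed events (hypothetical hosts and users, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01",
     "image": r"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE",
     "parent": r"C:\WINDOWS\explorer.exe"},
    {"host": "ws02",
     "image": r"C:\Documents and Settings\bob\Local Settings\Temp\winword.exe",
     "parent": r"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE"},
    {"host": "ws02",
     "image": r"C:\Documents and Settings\bob\Updates.exe",
     "parent": r"C:\Documents and Settings\bob\Local Settings\Temp\..\Temp\WinWord.exe"},
    {"host": "ws03",
     "image": r"C:\Program Files\Vendor\Updates.exe",
     "parent": r"C:\WINDOWS\system32\services.exe"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Paths logged in 8.3 short form (for example `DOCUME~1`) would need expanding before matching.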

When examining the contents of the fake documents, the attacks seem to be targeting Pakistan. However, we have seen these emails sent to recipients in UAE, India, and other South Asian countries, in industries such as Finance, Manufacturing, Software, and Travel. We observed sender domains appearing to be mostly from India and UAE (but those could be spoofed).

Malware Domain Registration Info 

The domain hosting the "winword.exe" executable listed above was created on 5/28/2013 and updated on 5/29/2013.

Domain: myflatnet.com

Contact email: arlenlloyd@outlook.com
Registrant location: L'viv, Ukraine

Created: 2013/5/28

Updated: 2013/5/29

Two Different Campaigns - Similar Exploits

On October 28, 2013, a malicious email-based campaign used two separate attachments, leveraging both the CVE-2013-3906 vulnerability in a Microsoft Word .docx attachment and the more common CVE-2012-0158 (patched by Microsoft in 2012) in a .doc (Rich Text Format, RTF) attachment.

The subject of the email was "SWIFT $142,000 $89,000". The Websense ThreatSeeker network has detected a few hundred of these messages being sent to a company in the financial industry based out of the UAE. The originating IP for the messages is located in Romania.

The attachment named $142,000.docx exploits CVE-2013-3906 (SHA1 4a9de2fcc949df54d608339c339f4cc4bc0738fd).

This file does not use the exact same code as the previous sample mentioned, but has an ActiveX component with similar entropy.

The other attachment, $89,000.doc (SHA1 1739c6f4e2075e676bab5334630e4696dc859e1f), uses the older CVE-2012-0158 exploit and connects to hxxp://switchmaster.co.in/simples/disk.exe
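The .docx samples described in this post pair a TIFF image with ActiveX controls, and the two campaigns were compared by the entropy of the ActiveX component. A static triage sketch for that comparison follows as an added example (not Websense's tooling): it assumes the part naming Word conventionally uses (`word/activeX/*.bin`), the size cap is an arbitrary choice, and both sample packages are constructed from harmless filler bytes.

```python
import io
import math
import zipfile
from collections import Counter

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")   # little- and big-endian TIFF headers
MAX_PART = 16 * 1024 * 1024              # assumed cap on a part's declared size

def entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_docx(blob):
    """Report ActiveX binaries (with entropy) and TIFF-content parts in a package."""
    report = {"activex": [], "tiff": [], "skipped": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as pkg:
        for info in pkg.infolist():
            if info.file_size > MAX_PART:    # do not inflate oversized parts
                report["skipped"].append(info.filename)
                continue
            data = pkg.read(info)
            name = info.filename.lower()
            if name.startswith("word/activex/") and name.endswith(".bin"):
                stats = (info.filename, len(data), round(entropy(data), 2))
                report["activex"].append(stats)
            if data[:4] in TIFF_MAGICS:      # match content, not file extension
                report["tiff"].append(info.filename)
    # Combination this advisory describes: ActiveX controls plus a TIFF image.
    report["review"] = bool(report["activex"] and report["tiff"])
    return report

def make_package(parts):
    """Build an in-memory zip from {name: bytes} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        for name, data in parts.items():
            pkg.writestr(name, data)
    return buf.getvalue()

# Constructed, harmless samples: filler bytes only, no exploit content.
BENIGN = make_package({"word/document.xml": b"<w:document/>",
                       "word/media/image1.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64})
SUSPECT = make_package({"word/document.xml": b"<w:document/>",
                        "word/activeX/activeX1.bin": bytes(range(256)) * 4,
                        "word/activeX/activeX2.bin": b"\x00" * 1024,
                        "word/media/image1.jpeg": b"II*\x00" + b"\x00" * 64})
```

A `review` result marks a document for closer analysis, not a verdict; the per-part entropy values are what allow one sample's ActiveX component to be compared with another's.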

Websense Protection

Websense customers are protected with ACE™, our Advanced Classification Engine, and Websense ThreatScope™. According to Websense telemetry, attacks using this exploit have been very limited to date, but ACE is able to protect from all known samples at multiple stages of the attack chain as detailed below:

  • Stage 4 (Exploit kit) - ACE has detection for the malicious .DOC file, as well as for the URLs it contacts.
  • Stage 5 (Dropper Files) - ACE has detection for the self extracting RAR delivered by the exploit. In addition, ThreatScope's behavioral analysis engine classifies its behavior as suspicious.
  • ACE also has detection for the Backdoor executable packed in the RAR archive, and ThreatScope classifies it as suspicious.



Beyond practicing due diligence in opening any attachments arriving by email, it is recommended that all users of the affected Office versions install Microsoft Fix it 51004. Websense will continue to monitor any developments related to the use of this vulnerability in future attacks.

Update: 10 Dec 2013

Microsoft has released a patch for CVE-2013-3906.  Details are available in Microsoft Security Bulletin MS13


As this vulnerability could allow remote code execution we strongly recommend that you consider applying the patch at your earliest convenience.

