| Severity | Critical |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE ID | CVE-2013-3906 |
| CVSSv3 |
8.9 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C] |
| CWE ID |
CWE-119 |
| Exploitation vector | Network |
| Public exploit | This vulnerability is being exploited in the wild. |
| Vulnerable software |
Windows Server Windows Microsoft Office Microsoft PowerPoint Microsoft Lync Microsoft Excel |
| Vulnerable software versions |
Windows Server 2008 Windows Vista Microsoft Office 2010 Microsoft Office 2007 Microsoft Office 2003 Microsoft PowerPoint 2010 Microsoft Lync 2013 Microsoft Lync 2010 Microsoft Excel Viewer |
| Vendor URL | Microsoft |
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to boundary error when handling malicious images. A remote attacker can create specially crafted TIFF image file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Install update from vendor's website.
https://technet.microsoft.com/en-us/library/security/ms13-096