
If SEP daily definition covers exploit CVE-2013-3906

Created: 06 Nov 2013 | 13 comments

In the released public article, "Microsoft warned today that attackers are targeting a previously unknown security vulnerability in some versions of Microsoft Office and Windows. The company also has shipped an interim “Fix-It” tool to blunt attacks on the flaw until it has time to develop and release a more comprehensive patch."

I would like to check if there is any current or future release that would address the exploit CVE-2013-3906.

Thank you.


SMLatCST's picture

I imagine this should come in an update soon, but I cannot find any reference to it just yet.  Just so you know, this exploit is marked with bugtraq ID: 63530

http://www.securityfocus.com/bid/63530

These Bugtraq IDs (BIDs) are sometimes listed alongside the Symantec defs as illustrated in the below link for the current IPS defs:

http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=sep&pvid=sep1213&year=2013&suid=SEP_Jaguar-SU665-20131105.013

I got to this from the IPS Release History here:
http://www.symantec.com/security_response/securityupdates/list.jsp?fid=sep&pvid=sep1213

Cameron_W's picture

Below is a link to our latest blog article regarding this vulnerability.

https://www-secure.symantec.com/connect/blogs/new-...

If I was able to help resolve your issue please mark my post as solution.

Bill_K's picture

Thanks, Cameron - but the posting doesn't say what IPS definitions are required for "Web Attack: Microsoft Office RCE CVE-2013-3906_2" - do you know?

Brɨan's picture

My IPS defs are at Nov 5 2013 r13 and I do not yet have the signature.

Since the post was today I can only assume it will come in the next round of updates.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Cameron_W's picture

The IPS definitions are scheduled to be released later today but this can be subject to change. Once these definitions are officially released there should be an update provided.


Mithun Sanghavi's picture

Hello,

A zero-day vulnerability in Microsoft Office was reported on November 5th. Microsoft Security Advisory 2896666 provides additional details.

http://technet.microsoft.com/en-us/security/advisory/2896666

Symantec has posted a public blog about the 0-day and the attacks associated with it at

http://www.symantec.com/connect/blogs/new-zero-day-vulnerability-used-operation-hangover-attacks

and check these - 

Trojan.Hangove.B

Trojan.Smackdown.B

IPS Signature 27137 (Web Attack: Microsoft Office RCE CVE-2013-3906_2)

Hope that helps!!

Mithun Sanghavi
Associate Security Architect

MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Mick2009's picture

For the most complete protection, do make sure that your AV definitions are "11/6/2013 rev. 25" or higher (appears in some logs as 151106y, sequence number 148747).  Some details on detections added and modified can be found in http://www.symantec.com/security_response/definitions/multipledaily/detail.jsp?mdid=2013-11

For IPS definitions, make sure that you have the very latest (IPS 11/6/2013 r11).

Hope this helps!  Please do update this thread with any additional questions (it is still marked "needs solution.")

With thanks and best regards,

Mick
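An added example, not part of the original post or any Symantec tooling: a small Python check that parses definition labels in the forms written in this thread and compares them with the minimums quoted above. It assumes US month/day/year order and that labels order by date first, then revision; `parse_defs` and `is_covered` are hypothetical names.

```python
import re
from datetime import date

# Minimums quoted in the post above (assumed US month/day/year order).
REQUIRED = {"AV": "11/6/2013 rev. 25", "IPS": "11/6/2013 r11"}

MONTHS = {m: i for i, m in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun",
     "jul", "aug", "sep", "oct", "nov", "dec"], start=1)}

# "11/6/2013 rev. 25" or "11/6/2013 r11"
NUMERIC = re.compile(
    r"^\s*(\d{1,2})/(\d{1,2})/(\d{4})\s+r(?:ev)?\.?\s*(\d+)\s*$", re.I)
# "Nov 5 2013 r13" or "November 1, 2013 r11"
NAMED = re.compile(
    r"^\s*([A-Za-z]{3,9})\.?\s+(\d{1,2}),?\s+(\d{4})\s+r(?:ev)?\.?\s*(\d+)\s*$",
    re.I)


def parse_defs(text):
    """Return (date, revision) for a definition label as written in this thread."""
    m = NUMERIC.match(text)
    if m:
        month, day, year, rev = map(int, m.groups())
    else:
        m = NAMED.match(text)
        if not m or m.group(1)[:3].lower() not in MONTHS:
            # Labels without a year (e.g. "Nov 7, r 11") are ambiguous: reject.
            raise ValueError(f"unrecognised definition label: {text!r}")
        month = MONTHS[m.group(1)[:3].lower()]
        day, year, rev = (int(m.group(i)) for i in (2, 3, 4))
    return date(year, month, day), rev


def is_covered(kind, installed):
    """True when the installed label is at or above the quoted minimum."""
    # Tuples compare by date first, then revision (assumed ordering).
    return parse_defs(installed) >= parse_defs(REQUIRED[kind])


if __name__ == "__main__":
    # Labels copied from posts in this thread.
    for kind, label in [("IPS", "Nov 5 2013 r13"),
                        ("IPS", "November 1, 2013 r11"),
                        ("IPS", "11/6/2013 r11")]:
        print(kind, label, "->", is_covered(kind, label))
```
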

Bill_K's picture

When you say "IPS definitions", you mean Proactive Threat Protection, correct?  The latest I can seem to get (without going rapid release) is November 1, 2013 r11.  The NTP defs are Nov 7, r 11.

Brɨan's picture

IPS is part of NTP (firewall and IPS). PTP is a different component. NTP defs are what you're after for the download.


Mick2009's picture

Brian is correct here. &: )

With thanks and best regards,

Mick

GeoGeo's picture

On Tuesday November 5th, 2013, Microsoft released Out of Band Security Advisory (2896666).

No patch is currently available, however Microsoft issued a "Fix it" for this.
https://support.microsoft.com/kb/2896666

Reference

Microsoft Security Advisory (2896666)

http://technet.microsoft.com/en-us/security/advisory/2896666

Symantec has confirmed that the targeted emails containing the 0-day are pre-emptively caught by Symantec.Cloud.  Symantec is also creating Bloodhound.Exploit.525 to cover this vulnerability.  Detection may also be seen as Trojan.Hantiff.

IPS Signature 27137 (Web Attack: Microsoft Office RCE CVE-2013-3906_2) will also be released later today to block the network activity associated with this threat.

Reference:

https://www-secure.symantec.com/connect/symantec-blogs/security-response

The use of the 0-day has been confirmed to be linked to Operation Hangover, upon which Security Response reported in May 2013.  A new public blog in relation to our coverage and connection to the Operation Hangover attack has now been released: New Zero-day Vulnerability Used in Operation Hangover Attack

Please review ideas and vote; there could be something useful :)

https://www-secure.symantec.com/connect/security/ideas

Brɨan's picture

Symles,

Can this thread be closed out?
