Mallory
Severity: High | CISA KEV | Exploited in the wild | Public exploit

Remote Code Execution in Microsoft GDI+ TIFF Parsing

Identifiers: CVE-2013-3906, CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)

CVE-2013-3906 is a remote code execution vulnerability in the GDI+ graphics component as shipped in affected Microsoft Windows and Microsoft Office products: Windows Vista SP2, Windows Server 2008 SP2, Office 2003 SP3, Office 2007 SP3, Office 2010 SP1/SP2, the Office Compatibility Pack SP3, and Lync 2010, Lync 2010 Attendee, Lync 2013 and Lync Basic 2013. It is a memory-safety flaw (CWE-119) in TIFF image parsing: a crafted TIFF, delivered on its own or embedded in a Microsoft Word document, corrupts memory when GDI+ decodes it. Successful exploitation runs attacker code with the privileges of the user who opens or renders the content. Exploitation was observed in the wild in October and November 2013, before a patch was available; Sandworm Team used crafted TIFF images embedded in Word documents to exploit it.
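The delivery vector described above, a TIFF carried inside an Office document, can be triaged without opening the document. The following PowerShell is an added example written for this page (it is not code from Mallory or from Microsoft): it treats OOXML documents (.docx, .xlsx, .pptx, which are ZIP packages) as archives and reports any part whose first bytes are a TIFF header, regardless of the part's file name. The quarantine folder path is a placeholder. Legacy binary .doc/.xls/.ppt (OLE2) files are not ZIP packages and are not covered, nor are TIFF files attached to mail directly.

```powershell
# Added triage example (not from the Mallory page or from Microsoft):
# find TIFF images embedded in OOXML Office documents, the delivery
# vector used against CVE-2013-3906. .docx/.xlsx/.pptx files are ZIP
# packages; image parts normally live under word/media/, xl/media/ or
# ppt/media/. We match on the TIFF magic bytes rather than the part
# name, because a TIFF can be stored under any name, e.g. image1.png.
# Legacy binary .doc/.xls/.ppt (OLE2) files are not ZIPs and are not
# covered here; neither are TIFFs attached to mail on their own.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-TiffHeader {
    param([byte[]]$Bytes)
    if ($Bytes.Length -lt 4) { return $false }
    # Little-endian TIFF starts "II" 0x2A 0x00, big-endian "MM" 0x00 0x2A.
    $magic = [System.BitConverter]::ToString($Bytes, 0, 4)
    return ($magic -eq '49-49-2A-00' -or $magic -eq '4D-4D-00-2A')
}

function Find-EmbeddedTiff {
    param([Parameter(Mandatory)][string]$Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.Length -lt 4) { continue }   # directory entries, tiny parts
            $header = New-Object byte[] 4
            $stream = $entry.Open()
            try     { $read = $stream.Read($header, 0, 4) }
            finally { $stream.Dispose() }
            if ($read -eq 4 -and (Test-TiffHeader $header)) {
                [pscustomobject]@{
                    Document = $Path
                    Part     = $entry.FullName
                    Bytes    = $entry.Length
                }
            }
        }
    } finally {
        $zip.Dispose()
    }
}

# Usage: scan a mail-gateway quarantine folder (placeholder path) and list
# every document that carries a TIFF part. On a 2013-era Office estate,
# any hit deserves a closer look before the document is released to a user.
Get-ChildItem -Path 'C:\Quarantine' -Recurse -File -Include *.docx, *.xlsx, *.pptx |
    ForEach-Object { Find-EmbeddedTiff -Path $_.FullName } |
    Format-Table -AutoSize
```

A TIFF part is not proof of malice; the point of the check is that legitimate Office documents rarely carry TIFFs while the documented attacks did, so the hit rate is low enough to review every match by hand.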


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation yields arbitrary code execution on the target with the privileges of the user who opened or rendered the content; the flaw itself includes no privilege escalation, so a non-administrative victim limits what the payload can do directly. In practice the attacker delivers a malicious TIFF, usually inside a lure document, and the rendered image drops and executes attacker-selected malware. This vulnerability was used in targeted intrusions for exactly that purpose: initial compromise of victim systems through spearphishing attachments.

Mitigation

If you can’t patch tonight, do this now.

Until patching is complete, reduce exposure along the delivery path: block or restrict Office documents and TIFF images from untrusted sources, especially over email spearphishing routes; use Protected View (available in Office 2010 and later only; Office 2003 and 2007 have no equivalent) and attachment sandboxing where available; disable or limit automatic rendering of untrusted document content; and instruct users not to open unsolicited attachments. Email and network security controls should detect and quarantine Office documents carrying embedded TIFF parts. Microsoft Security Advisory 2896666 also documented a host-side workaround: setting the DWORD registry value DisableTIFFCodec to 1 under HKLM\SOFTWARE\Microsoft\Gdiplus stops GDI+ from decoding TIFF images at all. That closes the vector for every GDI+ consumer on the host, but it also breaks legitimate TIFF viewing, so treat it as a temporary measure and remove it once the update is installed.
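The registry workaround from Microsoft Security Advisory 2896666, applied and audited in PowerShell, as an added example written for this page (not Microsoft's Fix it package and not code from Mallory). The value name and location, DisableTIFFCodec = 1 under HKLM\SOFTWARE\Microsoft\Gdiplus, are from the advisory; writing the Wow6432Node view as well on 64-bit Windows is an assumption made here so that 32-bit Office processes, which read HKLM\SOFTWARE through registry redirection, see the same setting.

```powershell
# Added example (not Microsoft's Fix it and not from the Mallory page):
# apply, audit and later remove the GDI+ TIFF-codec workaround from
# Microsoft Security Advisory 2896666 on hosts that cannot yet take
# MS13-096. DisableTIFFCodec = 1 makes GDI+ refuse to decode TIFF images,
# closing the CVE-2013-3906 vector for every GDI+ consumer on the host,
# at the cost of breaking legitimate TIFF viewing. Run elevated.
# Assumption made here: on 64-bit Windows we write both registry views,
# because 32-bit Office processes read HKLM\SOFTWARE via Wow6432Node.
$GdiplusKeys = @('HKLM:\SOFTWARE\Microsoft\Gdiplus')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $GdiplusKeys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Gdiplus'
}

function Get-TiffCodecState {
    # One row per registry view; "Disabled" means the workaround is in place.
    foreach ($key in $GdiplusKeys) {
        $prop  = Get-ItemProperty -Path $key -Name DisableTIFFCodec -ErrorAction SilentlyContinue
        $state = 'Enabled'
        if ($null -ne $prop -and $prop.DisableTIFFCodec -eq 1) { $state = 'Disabled' }
        [pscustomobject]@{ Key = $key; TiffCodec = $state }
    }
}

function Set-TiffCodecWorkaround {
    param([switch]$Remove)   # -Remove restores default behaviour after patching
    foreach ($key in $GdiplusKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        if ($Remove) {
            Remove-ItemProperty -Path $key -Name DisableTIFFCodec -ErrorAction SilentlyContinue
        } else {
            New-ItemProperty -Path $key -Name DisableTIFFCodec -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
    Get-TiffCodecState   # echo the resulting state so the change is verified
}

# Usage:
#   Set-TiffCodecWorkaround            # apply on an unpatched host
#   Get-TiffCodecState                 # audit; every row should read Disabled
#   Set-TiffCodecWorkaround -Remove    # after MS13-096 is installed and verified
Set-TiffCodecWorkaround
```

Run the audit function across the estate before and after patching: hosts still reporting Disabled after the update has been verified are carrying a workaround that now only costs them TIFF rendering.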

Remediation

Patch, then assume compromise.

Apply the Microsoft security update for CVE-2013-3906 (bulletin MS13-096, released December 2013) to all affected Windows, Office, Office Compatibility Pack, Lync and Office Viewer installations listed in the vendor advisory. Prioritize systems that open untrusted Office documents or process TIFF content from external sources. If the DisableTIFFCodec workaround was applied in the interim, remove it once the update is confirmed installed. Where possible, migrate from the affected legacy Office and Windows versions, which no longer receive security maintenance, to supported releases. Because this flaw was exploited in the wild for weeks before the patch existed, treat any in-scope host that opened external documents during that window as a candidate for compromise and review it for the malware families associated with this CVE.
PUBLIC EXPLOITS


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor                  Product                     Type
Microsoft Corporation   Excel Viewer                application
Microsoft Corporation   Lync                        application
Microsoft Corporation   Office                      application
Microsoft Corporation   Office Compatibility Pack   application
Microsoft Corporation   PowerPoint Viewer           application
Microsoft Corporation   Windows Server 2008         operating_system
Microsoft Corporation   Windows Vista               operating_system
Microsoft Corporation   Word Viewer                 application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

What this page doesn’t show

Additional context held in the Mallory app but not on this public page:

Exposure mapping: query your assets running an affected version and investigate the blast radius.
Threat actor evidence (3): every observed campaign linking this CVE to a named adversary.
Associated malware (3): malware families riding this exploit, with evidence and IOCs.
Detection signatures (1): YARA, Sigma, Snort and vendor rules, deployable to a SIEM.
Vendor-by-vendor mapping: cross-references every affected SKU, including bundled OEM variants.
Social activity: community discussion across Reddit, Mastodon and other social sources.