In the released public article: "Microsoft warned today that attackers are targeting a previously unknown security vulnerability in some versions of Microsoft Office and Windows. The company also has shipped an interim “Fix-It” tool to blunt attacks on the flaw until it has time to develop and release a more comprehensive patch."
I would like to check if there is any current or future release that would address the exploit CVE-2013-3906.
I imagine this should come in an update soon, but I cannot find any reference to it just yet. Just so you know, this exploit is marked with Bugtraq ID: 63530
These Bugtraq IDs (BIDs) are sometimes listed alongside the Symantec defs as illustrated in the below link for the current IPS defs:
I got to this from the IPS Release History here:
Below is a link to our latest blog article regarding this vulnerability.
Thanks, Cameron - but the posting doesn't say what IPS definitions are required for "Web Attack: Microsoft Office RCE CVE-2013-3906_2" - do you know?
My IPS defs are at Nov 5 2013 r13 and I do not yet have the signature.
Since the post was today I can only assume it will come in the next round of updates.
The IPS definitions are scheduled to be released later today, but this can be subject to change. Once these definitions are officially released, there should be an update provided.
A zero-day vulnerability in Microsoft Office was reported on November 5th. Microsoft Security Advisory 2896666 provides additional details.
Symantec has posted a public blog about the 0-day and the attacks associated with it at
and check these -
IPS Signature 27137 (Web Attack: Microsoft Office RCE CVE-2013-3906_2)
Hope that helps!!
It does appear as if the latest IPS Sigs dated 2013-11-06 Rev.1 now add protection against this attack:
For the most complete protection, do make sure that your AV definitions are "11/6/2013 rev. 25" or higher (appears in some logs as 151106y, sequence number 148747). Some details on detections added and modified can be found in http://www.symantec.com/security_response/definitions/multipledaily/detail.jsp?mdid=2013-11
For IPS definitions, make sure that you have the very latest (IPS 11/6/2013 r11).
Hope this helps! Please do update this thread with any additional questions (it is still marked "needs solution.")
On Tuesday, November 5th, 2013, Microsoft released Out of Band Security Advisory (2896666).
No patch is currently available; however, Microsoft issued a "Fix it" for this.
Microsoft Security Advisory (2896666)
Symantec has confirmed that the targeted emails containing the 0-day are pre-emptively caught by Symantec.Cloud. Symantec is also creating Bloodhound.Exploit.525 to cover this vulnerability. Detection may also be seen as Trojan.Hantiff.
IPS Signature 27137 (Web Attack: Microsoft Office RCE CVE-2013-3906_2) will also be released later today to block the network activity associated with this threat.
The use of the 0-day has been confirmed to be linked to Operation Hangover, upon which Security Response reported in May 2013. A new public blog in relation to our coverage and connection to the Operation Hangover attack has now been released: New Zero-day Vulnerability Used in Operation Hangover Attack
When you say "IPS definitions", you mean Proactive Threat Protection, correct? The latest I can seem to get (without going rapid release) is November 1, 2013 r11. The NTP defs are Nov 7, r 11.
IPS is part of NTP (firewall and IPS). PTP is a different component. NTP defs are what you're after for the download.
Brian is correct here. :)
Can this thread be closed out?