Endpoint Protection


If SEP daily definition covers exploit CVE-2013-3906

Mick2009, Nov 08, 2013 10:43 AM

ℬrίαη, Feb 02, 2014 03:58 PM

  • 1.  If SEP daily definition covers exploit CVE-2013-3906

    Posted Nov 06, 2013 02:32 AM

    In the released public article, "Microsoft warned today that attackers are targeting a previously unknown security vulnerability in some versions of Microsoft Office and Windows. The company also has shipped an interim “Fix-It” tool to blunt attacks on the flaw until it has time to develop and release a more comprehensive patch."

    I would like to check if there is any current or future release that would address the exploit CVE-2013-3906.

    Thank you.



  • 2.  RE: If SEP daily definition covers exploit CVE-2013-3906

    Posted Nov 06, 2013 03:50 AM

    I imagine this should come in an update soon, but I cannot find any reference to it just yet. Just so you know, this exploit is marked with Bugtraq ID: 63530

    http://www.securityfocus.com/bid/63530

    These Bugtraq IDs (BIDs) are sometimes listed alongside the Symantec defs as illustrated in the below link for the current IPS defs:

    http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=sep&pvid=sep1213&year=2013&suid=SEP_Jaguar-SU665-20131105.013

    I got to this from the IPS Release History here:
    http://www.symantec.com/security_response/securityupdates/list.jsp?fid=sep&pvid=sep1213



  • 3.  RE: If SEP daily definition covers exploit CVE-2013-3906

    Posted Nov 06, 2013 11:26 AM

    Below is a link to our latest blog article regarding this vulnerability.

     

    https://www-secure.symantec.com/connect/blogs/new-zero-day-vulnerability-used-operation-hangover-attacks



  • 4.  RE: If SEP daily definition covers exploit CVE-2013-3906

    Posted Nov 06, 2013 12:50 PM

    Thanks, Cameron - but the posting doesn't say what IPS definitions are required for "Web Attack: Microsoft Office RCE CVE-2013-3906_2" - do you know?



  • 5.  RE: If SEP daily definition covers exploit CVE-2013-3906

    Posted Nov 06, 2013 12:57 PM

    My IPS defs are at Nov 5 2013 r13 and I do not yet have the signature.

    Since the post was today I can only assume it will come in the next round of updates.



  • 6.  RE: If SEP daily definition covers exploit CVE-2013-3906

    Posted Nov 06, 2013 01:34 PM

    The IPS definitions are scheduled to be released later today but this can be subject to change. Once these definitions are officially released there should be an update provided.



  • 7.  RE: If SEP daily definition covers exploit CVE-2013-3906

    Trusted Advisor
    Posted Nov 06, 2013 03:40 PM

    Hello,

    A zero-day vulnerability in Microsoft Office was reported on November 5th. Microsoft Security Advisory 2896666 provides additional details.

    http://technet.microsoft.com/en-us/security/advisory/2896666

    Symantec has posted a public blog about the 0-day and the attacks associated with it at

    http://www.symantec.com/connect/blogs/new-zero-day-vulnerability-used-operation-hangover-attacks

    and check these - 

    Trojan.Hangove.B

    Trojan.Smackdown.B

    IPS Signature 27137 (Web Attack: Microsoft Office RCE CVE-2013-3906_2)

    Hope that helps!!



  • 8.  RE: If SEP daily definition covers exploit CVE-2013-3906

    Posted Nov 07, 2013 03:54 AM

    It does appear as if the latest IPS Sigs dated 2013-11-06 Rev.1 now add protection against this attack:

    http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=sep&pvid=sep1213&year=2013&suid=SEP_Jaguar-SU666-20131106.011



  • 9.  RE: If SEP daily definition covers exploit CVE-2013-3906

    Posted Nov 07, 2013 05:19 AM

    For the most complete protection, do make sure that your AV definitions are "11/6/2013 rev. 25" or higher (appears in some logs as 151106y, sequence number 148747). Some details on detections added and modified can be found in http://www.symantec.com/security_response/definitions/multipledaily/detail.jsp?mdid=2013-11

    For IPS definitions, make sure that you have the very latest (IPS 11/6/2013 r11).

    Hope this helps!  Please do update this thread with any additional questions (it is still marked "needs solution.")



  • 10.  RE: If SEP daily definition covers exploit CVE-2013-3906

    Trusted Advisor
    Posted Nov 07, 2013 06:10 AM

    On Tuesday November 5th, 2013, Microsoft released Out of Band Security Advisory (2896666).

    No patch is currently available, however Microsoft issued a "Fix it" for this.
    https://support.microsoft.com/kb/2896666

    Reference

    Microsoft Security Advisory (2896666)

    http://technet.microsoft.com/en-us/security/advisory/2896666

    Symantec has confirmed that the targeted emails containing the 0-day are pre-emptively caught by Symantec.Cloud.  Symantec is also creating Bloodhound.Exploit.525 to cover this vulnerability.  Detection may also be seen as Trojan.Hantiff.

    IPS Signature 27137 (Web Attack: Microsoft Office RCE CVE-2013-3906_2) will also be released later today to block the network activity associated with this threat.

    Reference:

    https://www-secure.symantec.com/connect/symantec-blogs/security-response

    The use of the 0-day has been confirmed to be linked to Operation Hangover, upon which Security Response reported in May 2013.  A new public blog in relation to our coverage and connection to the Operation Hangover attack has now been released: New Zero-day Vulnerability Used in Operation Hangover Attack

     



  • 11.  RE: If SEP daily definition covers exploit CVE-2013-3906

    Posted Nov 08, 2013 10:26 AM

    When you say "IPS definitions", you mean Proactive Threat Protection, correct?  The latest I can seem to get (without going rapid release) is November 1, 2013 r11.  The NTP defs are Nov 7, r 11.

     



  • 12.  RE: If SEP daily definition covers exploit CVE-2013-3906

    Posted Nov 08, 2013 10:28 AM

    IPS is part of NTP (firewall and IPS). PTP is a different component. NTP defs are what you're after for the download.



  • 13.  RE: If SEP daily definition covers exploit CVE-2013-3906

    Posted Nov 08, 2013 10:43 AM

    Brian is correct here. &: )

     



  • 14.  RE: If SEP daily definition covers exploit CVE-2013-3906

    Posted Feb 02, 2014 03:58 PM

    Symles,

    Can this thread be closed out?