CVE-2013-3906 — Microsoft Graphics Component Memory Corruption Vulnerability

Microsoft Graphics Component — TIFF Image Parsing Zero-Day in GDI+ Delivers Remote Code Execution via Office Documents and Web Content

What is Microsoft Graphics Component (GDI+)?

The Microsoft Graphics Component — specifically GDI+ (gdiplus.dll) — is the Windows graphics rendering subsystem that handles image decoding and rendering across Office, Internet Explorer, Outlook, and many other applications. When any of these applications encounters an image (embedded in an Office document, displayed in a web page, or included in an email), GDI+ processes the image data. TIFF (Tagged Image File Format) is a complex raster image format with extensive metadata fields and multiple compression types; GDI+'s TIFF parser was the site of this vulnerability.

Overview

CVE-2013-3906 is a memory corruption vulnerability in the Microsoft Graphics Component (GDI+) TIFF image parser. A specially crafted TIFF image triggers memory corruption when processed by GDI+, enabling arbitrary code execution. The attack surface is broad: any application that uses GDI+ to render TIFF images is vulnerable, including Microsoft Office (Word, Excel, PowerPoint), Outlook, Internet Explorer, and Lync. This was a zero-day actively exploited in targeted attacks before Microsoft patched it.

Microsoft released a Fix-It workaround via Security Advisory 2896666 on November 5, 2013, and the full patch via MS13-096 on December 10, 2013.

Affected Versions

Product                                          Affected
Microsoft Office 2003–2010 (various editions)    Yes
Microsoft Office for Mac 2011                    Yes
Microsoft Lync 2010/2013                         Yes
Windows Vista / Server 2008 (GDI+)               Yes

Note: Windows 7 and later were not affected due to changes in how GDI+ processes TIFF in those OS versions.

Technical Details

TIFF is a tag-based image format where each tag contains a type, count, and data value or offset. The GDI+ TIFF parser reads these tags sequentially to reconstruct image properties and pixel data. The memory corruption in CVE-2013-3906 occurs during TIFF parsing when a malformed tag value causes GDI+ to process image data in a way that writes beyond the bounds of an allocated buffer.
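
The tag layout described above is what a hardened parser has to validate before touching pixel data. The following is an added example (not code from the page, from Microsoft, or from GDI+): a small defensive checker that walks each IFD entry and flags any count or offset that would read past the end of the file, or any count*size product that would wrap in a 32-bit parser. build_tiff is a constructed test fixture assumed for this example, not a real sample.

```python
import struct

# Byte size of each TIFF 6.0 field type (1=BYTE ... 12=DOUBLE)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}

def check_tiff(data):
    """Walk every IFD and return a list of findings (empty = no out-of-bounds
    tag data). Values wider than 4 bytes are stored at an offset, so
    offset + count*size must fit inside the file."""
    findings = []
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        return ["bad header"]
    end = "<" if data[:2] == b"II" else ">"  # byte order from the header
    magic, ifd_off = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        return ["bad magic %d" % magic]
    seen = set()
    while ifd_off:
        if ifd_off in seen:
            return findings + ["IFD chain loops back to 0x%x" % ifd_off]
        seen.add(ifd_off)
        if ifd_off + 2 > len(data):
            return findings + ["IFD offset 0x%x outside file" % ifd_off]
        n = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])[0]
        table_end = ifd_off + 2 + 12 * n + 4  # entries plus next-IFD pointer
        if table_end > len(data):
            return findings + ["IFD at 0x%x: %d entries run past EOF" % (ifd_off, n)]
        for i in range(n):
            e = ifd_off + 2 + 12 * i
            tag, typ, count, val = struct.unpack(end + "HHII", data[e:e + 12])
            size = TYPE_SIZES.get(typ)
            if size is None:
                findings.append("tag %d: unknown type %d" % (tag, typ))
                continue
            total = count * size
            if total > 0xFFFFFFFF:  # would wrap in a 32-bit parser
                findings.append("tag %d: count*size overflows 32 bits" % tag)
            elif total > 4 and val + total > len(data):
                findings.append("tag %d: %d bytes at 0x%x exceed file" % (tag, total, val))
        ifd_off = struct.unpack(end + "I", data[table_end - 4:table_end])[0]
    return findings

def build_tiff(strip_count=1, next_ifd=0):
    """Constructed 1x1 8-bit grayscale little-endian TIFF (a test fixture, not
    a real sample). strip_count inflates the StripByteCounts count field."""
    entries = [(256, 3, 1, 1), (257, 3, 1, 1), (258, 3, 1, 8),
               (273, 4, 1, 74),            # StripOffsets: pixel byte at 74
               (279, 4, strip_count, 1)]   # StripByteCounts
    ifd = struct.pack("<H", len(entries))
    ifd += b"".join(struct.pack("<HHII", *e) for e in entries)
    ifd += struct.pack("<I", next_ifd)
    return b"II" + struct.pack("<HI", 42, 8) + ifd + b"\x00"
```

Running check_tiff over inbound attachments (or as a mail-gateway filter) gives a cheap way to quarantine TIFFs whose tag tables do not fit the file, regardless of which tag a given exploit abuses.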

Attack delivery: The zero-day was delivered via:

  • Spear-phishing emails: Microsoft Office documents (Word .doc/.docx, RTF) embedding a malicious TIFF image. Opening the document triggers GDI+ TIFF parsing.
  • Outlook preview: Outlook uses GDI+ to render embedded images in email preview — in some configurations, simply previewing an email with a malicious TIFF could trigger exploitation without the user opening an attachment.
  • Web-based delivery: IE rendering TIFF images from web pages also exposed the GDI+ parser.

Fix-It workaround: Because the full patch would not ship until the December Patch Tuesday, a month after the November disclosure, Microsoft released a Fix-It tool (KB2896666) that disabled TIFF rendering in GDI+ system-wide as an interim mitigation. This broke some image viewing functionality but eliminated the attack surface.

Discovery

Discovered through analysis of active targeted attacks. Microsoft acknowledged the zero-day exploitation in Security Advisory 2896666 on November 5, 2013 — before the patch was available. Active exploitation was observed in targeted campaigns against specific organizations.

Exploitation Context

CISA confirmed exploitation in the wild. The zero-day was used in targeted spear-phishing campaigns against high-value organizations. The broad attack surface through Outlook (preview-pane triggering without opening attachments) made this particularly dangerous — a user did not need to actively open a malicious document; previewing the email was sufficient in some mail client configurations.

Remediation

  1. Apply MS13-096 (December 2013) — the full patch for the GDI+ TIFF parsing vulnerability
  2. Apply the interim Fix-It (KB2896666) if MS13-096 cannot be applied immediately — it disables TIFF rendering in GDI+
  3. Keep Microsoft Office and Windows fully patched via Windows Update
  4. Configure Outlook to read email in plain text to prevent image auto-rendering in the preview pane
  5. Deploy email security that scans Office document attachments in a sandbox before delivery

Key Details

Property              Value
CVE ID:               CVE-2013-3906
Vendor / Product:     Microsoft — Graphics Component
NVD Published:        2013-11-06
NVD Last Modified:    2025-10-22
CVSS 3.1 Score:       7.8
CVSS 3.1 Vector:      CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity:             HIGH
CWE:                  CWE-94
CISA KEV Added:       2022-02-15
CISA KEV Deadline:    2022-08-15
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector:       Local
Attack Complexity:   Low
Privileges Required: None
User Interaction:    Required
Scope:               Unchanged
Confidentiality:     High
Integrity:           High
Availability:        High

Required Action

CISA BOD 22-01 Deadline: 2022-08-15. Apply updates per vendor instructions.

Timeline

Date        Event
2013-11-05  Microsoft releases Security Advisory 2896666 acknowledging active zero-day exploitation of the TIFF parsing vulnerability in GDI+
2013-11-05  Microsoft releases Fix-It workaround (disable TIFF rendering in GDI+) for systems awaiting the patch
2013-11-06  CVE-2013-3906 published
2013-12-10  Microsoft releases MS13-096 (December 2013 Patch Tuesday) fully patching CVE-2013-3906
2022-02-15  Added to CISA Known Exploited Vulnerabilities catalog
2022-08-15  CISA BOD 22-01 remediation deadline

References

Resource                              Type
NVD — CVE-2013-3906                   Vulnerability Database
CISA KEV Catalog Entry                US Government
Microsoft Security Bulletin MS13-096  Vendor Advisory