Windows Warning: Zero-Day Attack

New Exploit Linked to Russian 'Sandworm' Hackers
Windows Warning: Zero-Day Attack

Microsoft is warning Windows users that they're vulnerable to a new zero-day flaw that attackers have been exploiting to remotely execute arbitrary code.

See Also: Bank Payment Clearance Vulnerabilities: Faster Payments, Faster Fraud?

"At this time, we are aware of limited, targeted attacks that attempt to exploit the vulnerability through Microsoft PowerPoint," Microsoft says in a security advisory issued late on Oct. 21. It says the flaw in Microsoft OLE is present in all versions of Windows except for Windows Server 2003.

The alert follows Microsoft's warning last week about a separate zero-day vulnerability, which also exists in almost every supported version of the Windows operating system. That vulnerability came to light following its use for in-the-wild attacks by the "Sandwork Team" of hackers against Ukrainian targets, among others (see "Russians Suspected in Ukraine Hack").

The new flaw is reportedly being actively exploited by the same hackers. Threat-intelligence firm iSight Partners, which discovered the attacks, says the hackers appear to have Russian connections, and that attacks targeting these zero-day flaws appear to have begun in June and persisted through this month. But the group has also been tied to other attacks. "There have been several confirmed incidents in Ukraine, Poland, Western Europe and the United States since at least 2009," according to a report published Oct. 14 by iSight Partners, which was released the same day that Microsoft issued a related Windows fix. "NATO, the public sector and private firms in energy and telecommunications have been targeted."

Attackers used the newly discovered zero-day vulnerability in conjunction with the other vulnerability that Microsoft patched last week, says Sagie Dulce, a security research engineer at security firm Imperva. "This vulnerability was used for the initial compromise. Using social engineering, this group gained [an] initial foothold on machines, by convincing the victim to open a PowerPoint document," he says. "The victim also had to click 'allow' when opening the file, to allow [the] malicious code to be executed."

Malicious PowerPoint Documents

Jonathan Leopando, a technical communications specialist at anti-virus firm Trend Micro, says in a blog post: "The vulnerability - designated as CVE-2014-6352 - is triggered by an attacker sending a specially crafted Microsoft Office file to the user. Currently, attacks using PowerPoint files are known to exist, but all Office file types can be used to carry out this attack."

Microsoft explains: "An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

The vulnerability exists in Windows' Object Linking and Embedding, or OLE, a proprietary Microsoft technology that enables users to create compound documents, for example, to embed information from one document into another, while retaining the ability to edit it without having to go back to the source document. The technology underpins Windows' ability, for example, to insert a Microsoft Word document into a Microsoft Excel spreadsheet, or an Excel chart into a PowerPoint presentation.

Microsoft says the flaw can be exploited by e-mailing malicious Office attachments to targets. But it also says there's a risk that attackers could exploit the flaw via the Web, for example, via watering-hole attacks, by creating "a Web page that contains a specially crafted Office file that is used to attempt to exploit this vulnerability," provided the user could be tricked into allowing the file to run.

Flaw: Widespread, Serious

As with the other recently discovered zero-day flaw, the new flaw is widespread, and reportedly serious. "The latest [Microsoft] zero day - which affects popular Office files and enables the execution of arbitrary code - is a bad one, but can be mitigated, or at least its impact reduced, by following security basics," says Gavin Millard, a technical director in London for the network monitoring firm Tenable Network Security.

Microsoft has yet to release a related patch. "Currently, Microsoft has not indicated whether a patch to solve this issue will be sent outside of the regular Patch Tuesday cycle," Trend Micro's Leopando says.

But Microsoft has detailed several workarounds. One is a "Fix it" solution - "OLE packager Shim Workaround" - that will prevent the vulnerability from being exploited. "Until Microsoft releases the official patch, the Fix-it patch they've provided in the advisory should be deployed today to reduce the risk of exploitation and exposure," Tenable's Millard says.

Other workarounds detailed by Microsoft that will block related attacks include enabling user access control and deploying its Enhanced Mitigation Experience Toolkit. Microsoft also recommends users beware of all Office files of unknown origin: "Do not open Microsoft PowerPoint files, or other files, from untrusted sources."

Of course, there's still a risk that attackers might use the vulnerability for targeted attacks, and disguise their e-mail address so that malicious documents appear to have originated from an e-mail address with which the target normally corresponds.

Going forward, Millard recommends that all Windows-using enterprises follow Microsoft's attack-mitigation advice all of the time, and not just when there's a new zero-day vulnerability on the loose. "Using good best practices for user access control, educating the users on running files from unknown sources, and the deployment of Microsoft EMET to reduce the ability of attackers to extend their reach past the initial compromise is something that should be standard in all organizations," he says.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network