Vulnerability affects all Windows versions save Server 2003

Oct 22, 2014 09:17 GMT  ·  By

A zero-day security flaw in Microsoft OLE (Object Linking and Embedding) technology is currently being exploited in the wild, allowing attackers to execute code remotely on the victim's machine.

OLE is designed to let programs share data and functionality; it is present in the components of Microsoft Office, where it is used to create and edit documents that embed content in multiple formats.

The flaw (CVE-2014-6352) is significant because it is present in all versions of the Windows operating system except Server 2003, leaving a huge number of machines vulnerable until a patch is provided, or unless users exercise caution when opening Office files from untrusted sources.

An update is expected from Microsoft, although there is no information on whether it will arrive through the regular monthly updates or as an out-of-band fix.

UAC and Protected View come in handy if enabled

At the moment, Microsoft is aware of limited, targeted attacks, which suggests an active cyber espionage campaign. The company says that the threat actors exploit the vulnerability through PowerPoint documents.

In an attack scenario taking advantage of this weakness, the victim is sent a malicious Office document containing an OLE object. Once it is opened, the attackers gain the same rights on the system as the logged-in user.

Executing the file containing the exploit produces a visible sign of suspicious activity: the action triggers a User Account Control (UAC) prompt asking the user to grant or consent to elevated privileges.

UAC is enabled by default on Windows Vista and above, making the attack attempt visible to the user. However, if the security feature is turned off, which is the case with many administrative accounts, the exploit can be executed without warning.

If the attack is web-based, Office 2010 and above opens the file in Protected View, a read-only mode enabled by default that blocks editing. This feature is not available in Office 2007 and below, versions that are still used in many public and private organizations.

Solution to mitigate the risk

Microsoft has prepared a Fix It solution (OLE packager Shim Workaround) that tackles the PowerPoint attack on most Office suites; it does not cover the 64-bit PowerPoint on Windows 8, 8.1, Windows Server 2012, and Windows Server 2012 R2, though.

Additional workarounds include enabling UAC and configuring Enhanced Mitigation Experience Toolkit (EMET) 5.0 to protect against known attack types. Preparing EMET requires adding a new configuration file alongside the standard one; instructions are provided in Microsoft's advisory.
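Since the article's user-side defenses depend on UAC being on and on Protected View not having been switched off, here is an added PowerShell audit (example code, not from the article or from Microsoft) that reports both on a workstation. The registry locations and value names are the standard Windows and Office ones as assumed by this example; the Office version numbers map to 2010, 2013 and 2016.

```powershell
# Added example: audit UAC and PowerPoint Protected View posture.
# Registry paths and value names are assumptions based on the standard
# Windows/Office locations, not values taken from the article.

function Get-UacPosture {
    $sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $sys -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UacEnabled             = ($p.EnableLUA -eq 1)
        # ConsentPromptBehaviorAdmin = 0 means "elevate silently" for admins,
        # so the UAC warning the article describes would never be shown.
        AdminPromptsForConsent = ($p.ConsentPromptBehaviorAdmin -ne 0)
    }
}

function Get-ProtectedViewPosture {
    param([string[]]$OfficeVersions = @('14.0', '15.0', '16.0'))  # 2010, 2013, 2016
    foreach ($v in $OfficeVersions) {
        $key = "HKCU:\Software\Microsoft\Office\$v\PowerPoint\Security\ProtectedView"
        if (-not (Test-Path $key)) { continue }   # version not installed / never configured
        $p = Get-ItemProperty -Path $key
        [pscustomobject]@{
            OfficeVersion           = $v
            # A value of 1 disables that Protected View trigger; absent or 0 keeps it on.
            PvForInternetFiles      = ($p.DisableInternetFilesInPV -ne 1)
            PvForOutlookAttachments = ($p.DisableAttachementsInPV -ne 1)
            PvForUnsafeLocations    = ($p.DisableUnsafeLocationsInPV -ne 1)
        }
    }
}

Get-UacPosture
Get-ProtectedViewPosture
```

Any `False` in the output marks a machine where the warning or the read-only mode described above would not appear for a malicious PowerPoint file.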

The company acknowledged the effort of Drew Hintz, Shane Huntley, and Matty Pellegrino of the Google Security Team and Haifei Li and Bing Sun of the McAfee Security Team for their contribution in helping protect Microsoft customers.

[UPDATE]: The CVE-2014-6352 vulnerability is the result of a botched patch for a different zero-day flaw, CVE-2014-4114, discovered by iSIGHT Partners and reported to Microsoft; this was used in a cyber espionage campaign hailing from Russia and dubbed "Operation Sandworm."

McAfee analyzed the initial fix, and found that attackers could still exploit the OLE packager weakness to deliver their attacks. As a result, a second zero-day, CVE-2014-6352, appeared, and was leveraged by the threat actors the same way as the previous one.