New Windows Zero Day

Wednesday, October 22, 2014 @ 12:10 PM gHale

Fresh off patching three Zero Days, Microsoft is warning about a new Windows Zero Day that bad guys are exploiting and that puts at risk users on servers and workstations that open documents with embedded OLE objects.

PowerPoint files are the current attack vector for the vulnerability. The files contain a malicious OLE (Object Linking and Embedding) object.

OLE is used to display parts of a file within another file, such as displaying a graphic from an Excel spreadsheet within a PowerPoint presentation.

OLE vulnerabilities have occurred before; however, most previous vulnerabilities ended up limited to specific older versions of the Windows operating system. What makes this vulnerability intriguing is that it affects the latest fully patched versions of Windows.

“User interaction is required to exploit this vulnerability,” Microsoft explained in the security advisory. “In an email attack scenario, an attacker could exploit the vulnerability by sending a specially-crafted file to the user. For this attack scenario to be successful, the user must be convinced to open the specially crafted file containing the malicious OLE object. All Microsoft Office file types as well as many other third-party file types could contain a malicious OLE object.”

“In a web-based attack scenario, an attacker would have to host a website that contains a specially crafted Microsoft Office file, such as a PowerPoint file, that is used in an attempt to exploit this vulnerability,” Microsoft researchers said. “In addition, compromised websites (and websites that accept or host user-provided content) could contain specially crafted content that could exploit this vulnerability. An attacker would have no method to force users to visit a malicious website. Instead, an attacker would have to persuade the targeted user to visit the website, typically by getting them to click a hyperlink that directs a web browser to the attacker-controlled website.”

Successful exploitation could lead to the attacker gaining the same user rights as the current user, and if that means administrative user rights, the attacker can install programs; access, modify, or delete data; or create new accounts with full user rights.

The vulnerability affects all supported Windows versions, and there is currently no patch for it. Microsoft is still investigating the matter and deciding whether they will issue an out-of-band patch or wait for the next Patch Tuesday to plug the hole.

In the meantime, the company shared workarounds that help block known attack vectors.

Users can implement a specific Fix It solution; enable User Account Control (UAC) as it displays a prompt before a file containing the exploit executes; and deploy the Enhanced Mitigation Experience Toolkit 5.0 and configure Attack Surface Reduction.

In addition to all this, they should be wary of opening Microsoft PowerPoint files, Office files, or any other files received or downloaded from untrusted sources.
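
To support that caution, a triage check can flag which Office files carry embedded OLE objects before anyone opens them. The following is an added example, not code from Microsoft's advisory or the original article; it assumes ZIP-based Office formats (.pptx, .docx, .xlsx), and the function names and sample files are constructed for illustration. Legacy binary formats (.ppt, .doc, .xls) and linked rather than embedded objects are out of its scope.

```python
import io
import zipfile

# Signature that opens every OLE2 compound file, the container used
# for embedded OLE objects.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def find_embedded_ole(data: bytes) -> list[str]:
    """Return the names of parts inside a ZIP-based Office file that are
    OLE compound files, i.e. embedded OLE objects."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not a ZIP-based Office file")
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Check content, not the name: an embedded object can be
            # stored under any part name or extension.
            with zf.open(info) as part:
                if part.read(len(OLE_MAGIC)) == OLE_MAGIC:
                    hits.append(info.filename)
    return sorted(hits)


def build_sample(with_ole: bool) -> bytes:
    """Constructed sample: a minimal ZIP laid out like a .pptx.
    It is not a real presentation and contains no exploit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<sld/>")
        if with_ole:
            zf.writestr("ppt/embeddings/oleObject1.bin",
                        OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean", build_sample(False)),
                          ("with OLE", build_sample(True))):
        print(label, find_embedded_ole(sample))
```

A hit only means the file contains an embedded OLE object, which many legitimate documents do; it marks the file for closer inspection or quarantine rather than identifying it as malicious.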
