Microsoft has disclosed that a new zero-day vulnerability is present in Windows, and is exploited via Microsoft Office files. According to Microsoft Security Advistory 3010060, the vulnerability is present in all supported versions of Windows except Windows Server 2003.
The vulnerability (designated as CVE-2014-6352) is triggered by an attacker sending a specially crafted Microsoft Office file to the user. Currently, attacks using PowerPoint files are known to exist, but all Office file types can be used to carry out this attack.
The specially crafted files contain a malicious Object Linking and Embedding (OLE) object. This technology is used to share data between various applications; it is in this component of Windows where this vulnerability may be found. Exploiting it allows for malicious code to run with the privileges of the user. To get administrator access, a separate exploit must be used. In addition, under default settings a User Access Control popup is displayed, which may alert the user that something unusual is going on.
Currently, Microsoft has not indicated whether a patch to solve this issue will be sent outside of the regular Patch Tuesday cycle. Until more definitive information becomes available, we advise users to be careful about opening Office documents that they have been sent, particularly if they come from parties that have not sent you documents beforehand. The Microsoft bulletin also includes several workarounds and temporary fixes, including settings for users of the Enhanced Mitigation Experience Toolkit (EMET) utility.
Update as of October 24, 2014, 7:30 P.M. PDT
Currently available information suggests that this vulnerability is essentially identical to the Sandworm vulnerability, which was reported and patched more than a week ago. The patch first put in place by Microsoft did not completely resolve the problem, allowing new exploits to target the same underlying flaw.
Deep Security solutions that protect against Sandworm also protect against these more recent attacks. The following DPI rules cover these threats:
- 1006290 - Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-4114)
- 1006291 - Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-4114) – 1