CVE-2014-6352 : All Windows versions except Windows 2003 vulnerable to a new Sandworm exploit
The United States' premier cyber watchdog, the US Computer Emergency Readiness Team (US-CERT), today released an advisory for an unpatched vulnerability, CVE-2014-6352. The full advisory is quoted below:
Microsoft has released a security advisory to provide recommended mitigations for an unpatched vulnerability (CVE-2014-6352), which affects all Microsoft Windows releases except Windows Server 2003. This vulnerability could allow an attacker to take control of an affected system if a user opens a specially crafted Microsoft Office file.
US-CERT recommends users and administrators review the Microsoft Security Advisory and apply the recommended workarounds.
Microsoft says the zero-day is not patched yet; it is being exploited in the wild and allows attackers to achieve remote code execution.
The vulnerability:
The zero-day flaw lies in Microsoft OLE (Object Linking and Embedding). OLE is designed to allow data and functionality to be shared between programs, and it is present in almost all components of Microsoft Office, where it is used to create and edit documents that embed information in multiple formats.
The flaw (CVE-2014-6352) is significant because it is present in all versions of the Windows operating system except Server 2003, leaving a huge number of machines vulnerable until a patch is provided, or unless users exercise caution when opening Office files from untrusted sources.
Meanwhile, in a separate report, McAfee has said that this zero-day exploit is part of the Sandworm campaign. Readers will remember Sandworm, which is believed to be the work of Russian cyber criminals spying on those involved in the Ukrainian crisis. Operation Sandworm was discovered by iSIGHT Partners and its vulnerability was assigned CVE-2014-4114. However, Microsoft apparently botched the patch released for the original Operation Sandworm zero-day, CVE-2014-4114. That botched patch exposed another zero-day, now identified as CVE-2014-6352.
The McAfee blog states:
During the last few days researchers at McAfee Labs have been actively investigating Sandworm, the Windows packager zero-day attack (CVE-2014-4114). McAfee has already released various updates through our products to protect our customers, and we continue to analyze this attack.
During our investigation, we found that Microsoft's official patch (MS14-060, KB3000869) is not robust enough. In other words, attackers might still be able to exploit the vulnerability even after the patch is applied. Users who have installed the official patch are still at risk.
This finding has significant impact because attacks leveraging the vulnerability are still very active. We reported our findings to the Microsoft Security Response Center immediately after we successfully developed a proof of concept on October 17. Since then we have actively worked with Microsoft to resolve this issue.
Microsoft engineers have released a fix for the zero-day exploit; however, McAfee says that the "Fix It" is a temporary patch. McAfee states that if the zero-day exploit is released in the open, millions of Windows users will be at risk.
To protect hundreds of millions of Windows users, we are not sharing any of the details until a permanent patch from Microsoft is available to the public.
Microsoft has given the following workarounds and mitigating factors for the exploit:
- In observed attacks, User Account Control (UAC) displays a consent prompt or an elevation prompt, depending on the privileges of the current user, before a file containing the exploit is executed. UAC is enabled by default on Windows Vista and newer releases of Microsoft Windows.
- An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
- In a web-based attack scenario, an attacker could host a website that contains a webpage that contains a specially crafted Office file that is used to attempt to exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website.
- Files from the Internet and from other potentially unsafe locations can contain viruses, worms, or other kinds of malware that can harm your computer. To help protect your computer, files from these potentially unsafe locations are opened in Protected View. By using Protected View, you can read a file and see its contents while reducing the risks. Protected View is enabled by default.
Additional workarounds include turning on UAC and configuring the Enhanced Mitigation Experience Toolkit (EMET) 5.0 to protect against known attack types. Preparing EMET for this requires importing an additional configuration file alongside the standard one.
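As an added example (not from the article, US-CERT or Microsoft), the following PowerShell script audits a Windows host for the mitigations listed above: whether the MS14-060 patch (KB3000869) is installed, whether UAC is enabled, whether the current user runs with administrative rights, whether Office Protected View has been disabled, and whether the EMET service is present. The Office version numbers, the Protected View value names and the EMET service name are assumptions based on standard Office and EMET installs.

```powershell
# Added defender-side audit for the CVE-2014-6352 workarounds; not Microsoft's code.
# Assumes PowerShell 3+ with Get-HotFix available. Run in an elevated or normal session;
# the "Running as admin" line reports which one you are in.

$report = [ordered]@{}

# 1. MS14-060 (KB3000869): McAfee says it is not sufficient alone, but it is the baseline.
$kb = Get-HotFix -Id 'KB3000869' -ErrorAction SilentlyContinue
$report['KB3000869 installed'] = [bool]$kb

# 2. UAC: EnableLUA = 1 means the consent/elevation prompt the advisory relies on is active.
$sysPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lua = (Get-ItemProperty $sysPolicy -ErrorAction SilentlyContinue).EnableLUA
$report['UAC enabled'] = ($lua -eq 1)

# 3. Least privilege: an exploit runs with the current user's rights, so admin sessions are worse.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $id
$report['Running as admin'] = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# 4. Protected View: flag any app/version where it was disabled for Internet files,
#    unsafe locations or Outlook attachments (value 1 = disabled). Versions are assumed:
#    14.0 = Office 2010, 15.0 = Office 2013.
$pvFlags  = 'DisableInternetFilesInPV', 'DisableUnsafeLocationsInPV', 'DisableAttachmentsInPV'
$disabled = @()
foreach ($ver in '14.0', '15.0') {
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Microsoft\Office\$ver\$app\Security\ProtectedView"
        if (Test-Path $key) {
            $props = Get-ItemProperty $key
            foreach ($f in $pvFlags) {
                if ($props.$f -eq 1) { $disabled += "$app $ver : $f" }
            }
        }
    }
}
$report['Protected View disabled for'] = if ($disabled) { $disabled -join '; ' } else { 'none' }

# 5. EMET: service name 'EMET_Service' is assumed for EMET 5.0.
$emet = Get-Service -Name 'EMET_Service' -ErrorAction SilentlyContinue
$report['EMET service present'] = [bool]$emet

$report.GetEnumerator() | ForEach-Object { '{0,-30} {1}' -f $_.Key, $_.Value }
```

Any line reporting a missing patch, UAC off, admin rights, or Protected View disabled marks a host where the advisory's workarounds are not actually in effect.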