DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
Hackers are exploiting a zero-day vulnerability in Windows using malicious PowerPoint documents, Microsoft and security firms warn.
An advisory from Microsoft warns that the as-yet-unpatched flaw is present in all supported versions of Windows except Windows Server 2003 and has already been abused in "limited, targeted attacks".
The bug (CVE-2014-6352) can be triggered by sending a specially crafted Microsoft Office files to intended targets before tricking them into opening the booby-trapped files. "Currently, attacks using PowerPoint files are known to exist, but all Office file types can be used to carry out this attack," Jonathan Leopando, a technical communications staffer at Trend Micro, warns in a blog post.
The specially crafted malicious files would contain a malicious Object Linking and Embedding (OLE) object, a technology used to share data between applications that allows a chart from an Excel Spreadsheet within a PowerPoint presentation, among other functions. Tricking a user into opening a malicious file results in an infected machine but won't cough admin privileges to the hacker – at least not by itself. Attacks are likely to generate pop-up warnings and under default settings a User Access Control popup would get displayed.
This means that user interaction would be needed to run successful attacks based on CVE-2014-6352 alone, an important limiting factor.
Nonetheless the unpatched flaw is bad news for corporate security and a promising potential route into systems for cyberspies and the like.
Redmond is investigating.
History suggests a patch sooner rather than later is the most likely option but all options remain on the table, as Microsoft's advisory explains.
On completion of our investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.
The next scheduled Patch Tuesday falls on 11 November. In the meantime, Microsoft is pointing sysadmins towards various defences and workarounds including a OLE packager Shim Workaround fix-it and rolling out Redmond's Enhanced Mitigation Experience Toolkit, which provides general protection against hack attacks based on Windows security vulnerabilities.
Mark Sparshott, EMEA director at Proofpoint, said similar vulnerabilities have been seen before but this one is particularly nasty because it lends itself to attacks against a wide range of Windows systems. "This is not the first time that a vulnerability in OLE has been exploited by cybercriminals, however most previous OLE vulnerabilities have been limited to specific older versions of the Windows operating system," Sparshott explained. "What makes this vulnerability dangerous is that it affects the latest fully patched versions of Windows."
Microsoft credits security researchers at Google and McAfee for help in dealing with the vulnerability. ®
The CVE-2014-6352 flaw is similar but distinct from the recently patched SandWorm zero-day vulnerability in Microsoft Windows (CVE-2014-4114) abused by Russians hackers to hijack and snoop on PCs and servers used by NATO and the European Union.
This also involved the OLE package manager and attacks involving PowerPoint but it was discovered by different security researchers (iSight) and has a different CVE number.
More to the point, CVE-2014-4114 was patched a week ago as part of the October edition of Patch Tuesday – while CVE-2014-6352 is still very much in play.