DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides

Might put out patch in update, might chuck it out sooner


Hackers are exploiting a zero-day vulnerability in Windows using malicious PowerPoint documents, Microsoft and security firms warn.

An advisory from Microsoft warns that the as-yet-unpatched flaw is present in all supported versions of Windows except Windows Server 2003 and has already been abused in "limited, targeted attacks".

The bug (CVE-2014-6352) can be triggered by sending specially crafted Microsoft Office files to intended targets and tricking them into opening the booby-trapped files. "Currently, attacks using PowerPoint files are known to exist, but all Office file types can be used to carry out this attack," Jonathan Leopando, a technical communications staffer at Trend Micro, warns in a blog post.

The specially crafted files would contain a malicious Object Linking and Embedding (OLE) object. OLE is a technology for sharing data between applications; among other things, it allows a chart from an Excel spreadsheet to be embedded within a PowerPoint presentation. Tricking a user into opening a malicious file results in an infected machine but won't cough up admin privileges to the hacker – at least not by itself. Attacks are likely to generate pop-up warnings, and under default settings a User Account Control (UAC) prompt would be displayed.

This means that user interaction would be needed to run successful attacks based on CVE-2014-6352 alone, an important limiting factor.
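Because the attack hinges on an OLE object embedded in an Office file, the first thing a defender usually wants is a quick way to find such objects in suspicious documents before they are opened. The script below is an added example written for this article; it is not code from The Register, Microsoft or Trend Micro. It treats an Office Open XML file (.pptx/.docx/.xlsx) as the zip container it is, reads the `.rels` relationship parts, and reports any part linked with the standard `oleObject` or `package` relationship types, checking whether the embedded part starts with the OLE2 compound-file signature. The sample document it scans is constructed in memory; legacy binary formats (.ppt/.doc) are outside its scope.

```python
"""Triage helper: list embedded OLE objects inside an Office Open XML file.

Added example for this article (not vendor code). Assumes the input is an
OOXML zip container; the relationship URIs and the OLE2 magic bytes below
are the standard ones, everything else is constructed for the demo.
"""
import io
import posixpath
import re
import sys
import zipfile
from dataclasses import dataclass

# OOXML relationship types used to reference embedded objects.
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
PKG_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/package"
# Signature of an OLE2 compound file (how a Packager object is stored).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

REL_RE = re.compile(r"<Relationship\b[^>]*>", re.I)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class Finding:
    source: str      # .rels part that references the embedded object
    target: str      # resolved zip path of the embedded part
    rel_type: str    # "oleObject" or "package"
    ole_magic: bool  # True if the embedded part starts with the OLE2 signature


def resolve(rels_name: str, target: str) -> str:
    """'ppt/slides/_rels/slide1.xml.rels' describes 'ppt/slides/slide1.xml';
    relative targets are resolved against that part's directory."""
    if target.startswith("/"):
        return target.lstrip("/")
    part_dir = posixpath.dirname(posixpath.dirname(rels_name))
    return posixpath.normpath(posixpath.join(part_dir, target))


def scan_ooxml(data: bytes) -> list:
    """Return one Finding per embedded-object relationship in the container."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for name in sorted(names):
            if not name.endswith(".rels"):
                continue
            xml = zf.read(name).decode("utf-8", "replace")
            for tag in REL_RE.findall(xml):
                attrs = dict(ATTR_RE.findall(tag))
                rtype = attrs.get("Type", "")
                if rtype not in (OLE_REL, PKG_REL):
                    continue
                target = resolve(name, attrs.get("Target", ""))
                magic = target in names and zf.read(target).startswith(OLE_MAGIC)
                findings.append(Finding(name, target, rtype.rsplit("/", 1)[-1], magic))
    return findings


def build_sample_pptx() -> bytes:
    """Constructed minimal PPTX-like zip: one slide that embeds an OLE object."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/'
        '2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>'
        '<Relationship Id="rId2" Type="' + OLE_REL + '" Target="../embeddings/oleObject1.bin"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
        zf.writestr("ppt/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    # Scan a file given on the command line, or the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pptx()
    for f in scan_ooxml(blob):
        flag = "OLE2" if f.ole_magic else "non-OLE2"
        print(f"{f.source} -> {f.target} [{f.rel_type}, {flag}]")
```

A hit here does not mean the document is malicious; embedded charts are legitimate OLE objects too. The useful signal for a triage queue is an embedded object in a file from an unexpected sender, which is exactly the delivery pattern the article describes.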

Nonetheless the unpatched flaw is bad news for corporate security and a promising potential route into systems for cyberspies and the like.

Redmond is investigating.

History suggests a patch sooner rather than later is the most likely option but all options remain on the table, as Microsoft's advisory explains.

On completion of our investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

The next scheduled Patch Tuesday falls on 11 November. In the meantime, Microsoft is pointing sysadmins towards various defences and workarounds, including an OLE packager Shim Workaround Fix it and rolling out Redmond's Enhanced Mitigation Experience Toolkit (EMET), which provides general protection against hack attacks based on Windows security vulnerabilities.

Mark Sparshott, EMEA director at Proofpoint, said similar vulnerabilities have been seen before but this one is particularly nasty because it lends itself to attacks against a wide range of Windows systems. "This is not the first time that a vulnerability in OLE has been exploited by cybercriminals, however most previous OLE vulnerabilities have been limited to specific older versions of the Windows operating system," Sparshott explained. "What makes this vulnerability dangerous is that it affects the latest fully patched versions of Windows."

Microsoft credits security researchers at Google and McAfee for help in dealing with the vulnerability. ®

Bootnote

The CVE-2014-6352 flaw is similar to, but distinct from, the recently patched SandWorm zero-day vulnerability in Microsoft Windows (CVE-2014-4114) abused by Russian hackers to hijack and snoop on PCs and servers used by NATO and the European Union.

This also involved the OLE package manager and attacks involving PowerPoint but it was discovered by different security researchers (iSight) and has a different CVE number.

More to the point, CVE-2014-4114 was patched a week ago as part of the October edition of Patch Tuesday – while CVE-2014-6352 is still very much in play.
