Microsoft Warns of SandWorm and Other Zero-Day Vulnerabilities


Microsoft Windows Zero-Day Vulnerabilities CVE-2014-4114, 

Three new Microsoft Windows zero-day vulnerabilities have recently been announced. CVE-2014-4114 (“SandWorm”) and CVE-2014-4148 allow remote code execution, while CVE-2014-4113 allows local privilege escalation.

The SandWorm vulnerability (CVE-2014-4114) is in the Windows Object Linking and Embedding (OLE) package manager. Exploitation relies on malicious OLE objects embedded in specially crafted Microsoft Office PowerPoint files, which can give an attacker remote code execution.

The TrueType font (TTF) parsing remote code execution vulnerability (CVE-2014-4148) is exploited through Microsoft Office documents designed to deliver a malicious TTF. The vulnerability resides in how the kernel handles embedded TrueType font files.

The third vulnerability (CVE-2014-4113) is caused by how the Win32k.sys kernel driver handles the null page and memory access, allowing an attacker to spawn a process with escalated privileges.

Support Information:

https://technet.microsoft.com/library/security/ms14-058

https://technet.microsoft.com/library/security/ms14-060

http://msisac.cisecurity.org/advisories/2014/2014-086.cfm

http://msisac.cisecurity.org/advisories/2014/2014-084.cfm

Recommendations:

Systems Affected:

  • SandWorm vulnerability (CVE-2014-4114) affects both 32-bit and 64-bit Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows 8, Windows 8.1, Windows RT and Windows RT 8.1
  • Vulnerability CVE-2014-4148 affects both 32-bit and 64-bit operating systems on Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT and Windows RT 8.1
  • Vulnerability CVE-2014-4113 affects 32-bit systems on Microsoft Windows 7, Vista, XP, Windows 2000, Windows Server 2003/R2, and Windows Server 2008/R2

Alert Detection:

BD:SANDWORM-DL1
Possible SandWorm INF Download. A Russian APT group was observed in late 2014 using a new zero day exploit (CVE-2014-4114) against targets via a social engineering campaign. CVE-2014-4114 is a vulnerability impacting all versions of Windows from Vista SP2 to Windows 8.1 in the Windows Object Linking and Embedding (OLE) package manager that could allow an attacker to perform remote code execution. An attacker can exploit this vulnerability via a specially crafted Microsoft Office file containing embedded OLE files referencing a remote location. Since Windows allows the OLE package manager to download and execute remote INF files, the attacker is able to execute code on the target’s system.

BD:SANDWORM-DL2
Possible SandWorm INF Download (UNICODE). A Russian APT group was observed in late 2014 using a new zero day exploit (CVE-2014-4114) against targets via a social engineering campaign. CVE-2014-4114 is a vulnerability impacting all versions of Windows from Vista SP2 to Windows 8.1 in the Windows Object Linking and Embedding (OLE) package manager that could allow an attacker to perform remote code execution. An attacker can exploit this vulnerability via a specially crafted Microsoft Office file containing embedded OLE files referencing a remote location. Since Windows allows the OLE package manager to download and execute remote INF files, the attacker is able to execute code on the target’s system.

BD:SANDWORM-SMB-DL1
Possible SandWorm INF Download (SMB). A Russian APT group was observed in late 2014 using a new zero day exploit (CVE-2014-4114) against targets via a social engineering campaign. CVE-2014-4114 is a vulnerability impacting all versions of Windows from Vista SP2 to Windows 8.1 in the Windows Object Linking and Embedding (OLE) package manager that could allow an attacker to perform remote code execution. An attacker can exploit this vulnerability via a specially crafted Microsoft Office file containing embedded OLE files referencing a remote location. Since Windows allows the OLE package manager to download and execute remote INF files, the attacker is able to execute code on the target’s system.

BD:SANDWORM-SMB-DL2
Possible SandWorm INF Download (SMB UNICODE). A Russian APT group was observed in late 2014 using a new zero day exploit (CVE-2014-4114) against targets via a social engineering campaign. CVE-2014-4114 is a vulnerability impacting all versions of Windows from Vista SP2 to Windows 8.1 in the Windows Object Linking and Embedding (OLE) package manager that could allow an attacker to perform remote code execution. An attacker can exploit this vulnerability via a specially crafted Microsoft Office file containing embedded OLE files referencing a remote location. Since Windows allows the OLE package manager to download and execute remote INF files, the attacker is able to execute code on the target’s system.

EXP:CVE-2014-4113-DL
Possible download of a privilege escalation tool used by Hurricane Panda. Hurricane Panda is a Chinese APT group that primarily targets infrastructure companies. In 2014 Hurricane Panda was observed using a new zero-day exploit (CVE-2014-4113) to escalate their privileges to administrator level. CVE-2014-4113 is a privilege escalation vulnerability impacting Windows Vista SP2 through Windows Server 8.1 in the win32k.sys kernel-mode driver caused by the driver improperly handling objects in memory.

EXP:CVE-2014-4113-DL2
Possible download of a privilege escalation tool used by Hurricane Panda. Hurricane Panda is a Chinese APT group that primarily targets infrastructure companies. In 2014 Hurricane Panda was observed using a new zero-day exploit (CVE-2014-4113) to escalate their privileges to administrator level. CVE-2014-4113 is a privilege escalation vulnerability impacting Windows Vista SP2 through Windows Server 8.1 in the win32k.sys kernel-mode driver caused by the driver improperly handling objects in memory.

BD:BLACKENERGY-CNC3
Possible check-in of a 2014 variant of the BlackEnergy malware. BlackEnergy is a trojan authored by a Russian hacker that has recently been utilized by the Sandworm APT group. BlackEnergy is a very long-lived malware family, with its origin dating back to 2010.

SMTP:PPT-OLE1
Inbound email attachment containing a PowerPoint presentation file with an embedded OLE object. The Sandworm APT group discovered a zero-day vulnerability (CVE-2014-4114) which allowed remote code execution through a PowerPoint presentation containing a specially crafted OLE object that downloaded and executed a malicious INF file.

SMTP:PPT-OLE2
Inbound email attachment containing a PowerPoint presentation file with an embedded OLE object. The Sandworm APT group discovered a zero-day vulnerability (CVE-2014-4114) which allowed remote code execution through a PowerPoint presentation containing a specially crafted OLE object that downloaded and executed a malicious INF file.

SMTP:PPT-OLE3
Inbound email attachment containing a PowerPoint presentation file with an embedded OLE object. The Sandworm APT group discovered a zero-day vulnerability (CVE-2014-4114) which allowed remote code execution through a PowerPoint presentation containing a specially crafted OLE object that downloaded and executed a malicious INF file.

SMTP:PPT-OLE4
Inbound email attachment containing a PowerPoint presentation file with an embedded OLE object. The Sandworm APT group discovered a zero-day vulnerability (CVE-2014-4114) which allowed remote code execution through a PowerPoint presentation containing a specially crafted OLE object that downloaded and executed a malicious INF file.

SMTP:PPT-OLE5
Inbound email attachment containing a PowerPoint presentation file with an embedded OLE object. The Sandworm APT group discovered a zero-day vulnerability (CVE-2014-4114) which allowed remote code execution through a PowerPoint presentation containing a specially crafted OLE object that downloaded and executed a malicious INF file.

SMTP:PPT-OLE6
Inbound email attachment containing a PowerPoint presentation file with an embedded OLE object. The Sandworm APT group discovered a zero-day vulnerability (CVE-2014-4114) which allowed remote code execution through a PowerPoint presentation containing a specially crafted OLE object that downloaded and executed a malicious INF file.
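The SandWorm alert descriptions above (embedded OLE objects that reference a remote location and fetch an INF file) and the SMTP:PPT-OLE signatures (inbound PowerPoint attachments carrying an embedded OLE object) both come down to one question a mail gateway can ask of an attachment: does any OLE object relationship inside the presentation point outside the package? The following Python script is an added example written for this page; it is not Masergy's signature logic and not code from the advisory. It assumes the standard OOXML packaging layout (slide relationships in ppt/slides/_rels/slideN.xml.rels, OLE objects linked through the oleObject relationship type, embedded objects stored under ppt/embeddings/); the sample packages it builds are constructed for the example, and 192.0.2.10 is a documentation (TEST-NET-1) address, not an indicator from the advisory.

```python
"""Triage helper: flag OOXML PowerPoint attachments whose OLE object
relationships point at a remote location (the delivery pattern described
in the SandWorm and SMTP:PPT-OLE alerts). Standard library only.

Assumptions (not from the advisory): standard OOXML packaging, in which each
slide's relationships live at ppt/slides/_rels/slideN.xml.rels, linked or
embedded OLE objects use the oleObject relationship type, and embedded
objects are stored under ppt/embeddings/. Sample packages are constructed.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")

# A target is "remote" if it is a UNC path (optionally wrapped in file:///)
# or an http(s) URL. Internal targets look like ../embeddings/oleObject1.bin.
REMOTE_TARGET = re.compile(r"^(?:file:/+)?\\\\|^https?://", re.IGNORECASE)


def find_remote_ole_links(pptx_bytes: bytes) -> list:
    """One finding per oleObject relationship that is marked External or
    whose Target is a UNC/URL location."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as zf:
        for part in zf.namelist():
            if not (part.startswith("ppt/slides/_rels/") and part.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter("{%s}Relationship" % PKG_REL_NS):
                if rel.get("Type") != OLE_REL_TYPE:
                    continue
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "Internal").lower() == "external"
                if external or REMOTE_TARGET.search(target):
                    findings.append({
                        "part": part,
                        "rel_id": rel.get("Id"),
                        "target": target,
                        "external": external,
                        # The alerts describe a remote INF being fetched and run.
                        "inf": target.lower().endswith(".inf"),
                    })
    return findings


def count_embedded_ole_objects(pptx_bytes: bytes) -> int:
    """Count OLE objects stored inside the package (ppt/embeddings/*)."""
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as zf:
        return sum(1 for n in zf.namelist() if n.startswith("ppt/embeddings/"))


def triage_pptx(pptx_bytes: bytes) -> dict:
    """Combine both checks into one verdict for a mail-gateway hook."""
    remote = find_remote_ole_links(pptx_bytes)
    embedded = count_embedded_ole_objects(pptx_bytes)
    return {
        "remote_ole_links": remote,
        "embedded_ole_objects": embedded,
        # Remote OLE links are the high-confidence signal; embedded objects
        # alone are common in legitimate decks and only warrant a closer look.
        "verdict": "block" if remote else ("review" if embedded else "clean"),
    }


def build_sample_pptx(ole_target: str, external: bool) -> bytes:
    """Constructed minimal package with one slide relationship. It is not a
    valid presentation, only enough structure to exercise the triage logic."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{PKG_REL_NS}">'
        f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" Target="{ole_target}"{mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<sld/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
        if ole_target.startswith("../embeddings/"):
            # Fake OLE compound-file header; content is irrelevant here.
            zf.writestr("ppt/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\0" * 12)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed lure-style package: OLE link to an INF on a remote share.
    lure = build_sample_pptx(r"file:///\\192.0.2.10\share\slide1.inf", external=True)
    print(triage_pptx(lure))
    # Constructed benign package: the OLE object lives inside the file.
    benign = build_sample_pptx("../embeddings/oleObject1.bin", external=False)
    print(triage_pptx(benign))
```

The script deliberately keys on the relationship, not on the embedded object's bytes: a link that resolves to a UNC share or URL is what turns an ordinary embedded object into a remote download, so it is the part worth blocking at the gateway, while a deck whose OLE objects are all stored internally only gets queued for review.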

The Masergy Threat Intelligence Team will continue to release alerts for these vulnerabilities to all Masergy Unified Enterprise Security (UES) customers as they become available for IDS/IPS Detection + Prevention Modules (DPM). We will also update the Vulnerability Scanning Modules (VSM) with the capability to scan for this vulnerability as updates become available. Learn more about Masergy’s managed security services.
