Microsoft Zero Day OLE Vuln Being Exploited In Powerpoint

The New Acunetix V12 Engine


So the latest news is, don’t open any .ppt files if you aren’t entirely sure where they came from as there is a Microsoft Zero Day vulnerability in OLE (Object Linking and Embedding) handling in Microsoft Office that is currently being exploited in the wild by malicious Powerpoint slide decks.

Not that anyone reading this would be likely to do that, but yah – just so you know this vector is live and being used out there.

Microsoft Zero Day OLE Vuln Being Exploited In Powerpoint

It’s currently unpatched and it’s not clear right now if Microsoft is likely to release an out of band patch for this or not. It is pretty serious and it is being used in the wild, so if history holds any precendence – it’s likely they will take action before the next scheduled Patch Tuesday on November 11th.

Hackers are exploiting a zero-day vulnerability in Windows using malicious PowerPoint documents, Microsoft and security firms warn.

An advisory from Microsoft warns that the as-yet-unpatched flaw is present in all supported versions of Windows except Windows Server 2003 and has already been abused in “limited, targeted attacks”.

The bug (CVE-2014-6352) can be triggered by sending a specially crafted Microsoft Office files to intended targets before tricking them into opening the booby-trapped files. “Currently, attacks using PowerPoint files are known to exist, but all Office file types can be used to carry out this attack,” Jonathan Leopando, a technical communications staffer at Trend Micro, warns in a blog post.

The specially crafted malicious files would contain a malicious Object Linking and Embedding (OLE) object, a technology used to share data between applications that allows a chart from an Excel Spreadsheet within a PowerPoint presentation, among other functions. Tricking a user into opening a malicious file results in an infected machine but won’t cough admin privileges to the hacker – at least not by itself. Attacks are likely to generate pop-up warnings and under default settings a User Access Control popup would get displayed.

This means that user interaction would be needed to run successful attacks based on CVE-2014-6352 alone, an important limiting factor. Nonetheless the unpatched flaw is bad news for corporate security and a promising potential route into systems for cyberspies and the like. Redmond is investigating.


Technically it seems that this vulnerability can be exploited using any format that Microsoft Office supports (Word documents, Excel spreadsheets etc) – also the vector itself is not a straight pop.

It would likely generate warnings and UAC dialogues meaning that user action is required for the attack to be successful.

The next scheduled Patch Tuesday falls on 11 November. In the meantime, Microsoft is pointing sysadmins towards various defences and workarounds including a OLE packager Shim Workaround fix-it and rolling out Redmond’s Enhanced Mitigation Experience Toolkit, which provides general protection against hack attacks based on Windows security vulnerabilities.

Mark Sparshott, EMEA director at Proofpoint, said similar vulnerabilities have been seen before but this one is particularly nasty because it lends itself to attacks against a wide range of Windows systems. “This is not the first time that a vulnerability in OLE has been exploited by cybercriminals, however most previous OLE vulnerabilities have been limited to specific older versions of the Windows operating system,” Sparshott explained. “What makes this vulnerability dangerous is that it affects the latest fully patched versions of Windows.”

Microsoft credits security researchers at Google and McAfee for help in dealing with the vulnerability.

Is this serious for the average man on the street? Not particularly, but it could be wounding to organisations under constant attack as it gives the malicious parties another vector to work with. Combined with some nifty social engineering, it could be quite effective.

Of course if you’re using Microsoft Enhanced Mitigation Evaluation Toolkit (EMET) – you’d be a lot safer than most.

Source: The Register

Posted in: Exploits/Vulnerabilities, Windows Hacking

, ,


Latest Posts:


Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.
testssl.sh - Test SSL Security Including Ciphers, Protocols & Detect Flaws testssl.sh – Test SSL Security Including Ciphers, Protocols & Detect Flaws
testssl.sh is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.
Four Year Old libSSH Bug Leaves Servers Wide Open Four Year Old libssh Bug Leaves Servers Wide Open
A fairly serious 4-year old libssh bug has left servers vulnerable to remote compromise, fortunately, the attack surface isn't that big as neither OpenSSH or the GitHub implementation are affected.
CHIPSEC - Platform Security Assessment Framework CHIPSEC – Platform Security Assessment Framework For Firmware Hacking
CHIPSEC is a platform security assessment framework for PCs including hardware, system firmware (BIOS/UEFI), and platform components for firmware hacking.


Comments are closed.