Microsoft Zero Day OLE Vuln Being Exploited In Powerpoint


So the latest news is, don’t open any .ppt files if you aren’t entirely sure where they came from as there is a Microsoft Zero Day vulnerability in OLE (Object Linking and Embedding) handling in Microsoft Office that is currently being exploited in the wild by malicious Powerpoint slide decks.

Not that anyone reading this would be likely to do that, but yah – just so you know this vector is live and being used out there.

Microsoft Zero Day OLE Vuln Being Exploited In Powerpoint

It’s currently unpatched and it’s not clear right now if Microsoft is likely to release an out of band patch for this or not. It is pretty serious and it is being used in the wild, so if history holds any precendence – it’s likely they will take action before the next scheduled Patch Tuesday on November 11th.

Hackers are exploiting a zero-day vulnerability in Windows using malicious PowerPoint documents, Microsoft and security firms warn.

An advisory from Microsoft warns that the as-yet-unpatched flaw is present in all supported versions of Windows except Windows Server 2003 and has already been abused in “limited, targeted attacks”.

The bug (CVE-2014-6352) can be triggered by sending a specially crafted Microsoft Office files to intended targets before tricking them into opening the booby-trapped files. “Currently, attacks using PowerPoint files are known to exist, but all Office file types can be used to carry out this attack,” Jonathan Leopando, a technical communications staffer at Trend Micro, warns in a blog post.

The specially crafted malicious files would contain a malicious Object Linking and Embedding (OLE) object, a technology used to share data between applications that allows a chart from an Excel Spreadsheet within a PowerPoint presentation, among other functions. Tricking a user into opening a malicious file results in an infected machine but won’t cough admin privileges to the hacker – at least not by itself. Attacks are likely to generate pop-up warnings and under default settings a User Access Control popup would get displayed.

This means that user interaction would be needed to run successful attacks based on CVE-2014-6352 alone, an important limiting factor. Nonetheless the unpatched flaw is bad news for corporate security and a promising potential route into systems for cyberspies and the like. Redmond is investigating.


Technically it seems that this vulnerability can be exploited using any format that Microsoft Office supports (Word documents, Excel spreadsheets etc) – also the vector itself is not a straight pop.

It would likely generate warnings and UAC dialogues meaning that user action is required for the attack to be successful.

The next scheduled Patch Tuesday falls on 11 November. In the meantime, Microsoft is pointing sysadmins towards various defences and workarounds including a OLE packager Shim Workaround fix-it and rolling out Redmond’s Enhanced Mitigation Experience Toolkit, which provides general protection against hack attacks based on Windows security vulnerabilities.

Mark Sparshott, EMEA director at Proofpoint, said similar vulnerabilities have been seen before but this one is particularly nasty because it lends itself to attacks against a wide range of Windows systems. “This is not the first time that a vulnerability in OLE has been exploited by cybercriminals, however most previous OLE vulnerabilities have been limited to specific older versions of the Windows operating system,” Sparshott explained. “What makes this vulnerability dangerous is that it affects the latest fully patched versions of Windows.”

Microsoft credits security researchers at Google and McAfee for help in dealing with the vulnerability.

Is this serious for the average man on the street? Not particularly, but it could be wounding to organisations under constant attack as it gives the malicious parties another vector to work with. Combined with some nifty social engineering, it could be quite effective.

Of course if you’re using Microsoft Enhanced Mitigation Evaluation Toolkit (EMET) – you’d be a lot safer than most.

Source: The Register

Posted in: Exploits/Vulnerabilities, Windows Hacking

, ,


Latest Posts:


Axiom - Pen-Testing Server For Collecting Bug Bounties Axiom – Pen-Testing Server For Collecting Bug Bounties
Project Axiom is a set of utilities for managing a small dynamic infrastructure setup for bug bounty, basically a pen-testing server out of the box with 1-line.
Quasar RAT - Windows Remote Administration Tool Quasar RAT – Windows Remote Administration Tool
Quasar is a fast and light-weight Windows remote administration tool coded in C#. Used for user support through day-to-day administrative work to monitoring.
Pingcastle - Active Directory Security Assessment Tool Pingcastle – Active Directory Security Assessment Tool
PingCastle is a Active Directory Security Assessment Tool designed to quickly assess the Active Directory security level based on a risk and maturity framework.
Second Order - Subdomain Takeover Scanner Tool Second Order – Subdomain Takeover Scanner Tool
Second Order Subdomain Takeover Scanner Tool scans web apps for second-order subdomain takeover by crawling the application and collecting URLs (and other data)
Binwalk - Firmware Security Analysis & Extraction Tool Binwalk – Firmware Security Analysis & Extraction Tool
Binwalk is a fast and easy to use Python-based firmware security analysis tool that allows for firmware analysis, reverse engineering & extracting of firmware.
zBang - Privileged Account Threat Detection Tool zBang – Privileged Account Threat Detection Tool
zBang is a risk assessment tool for Privileged Account Threat Detection on a scanned network, organizations & red teams can use it to identify attack vectors


Comments are closed.