Microsoft Zero Day OLE Vuln Being Exploited In Powerpoint

Outsmart Malicious Hackers


So the latest news is, don’t open any .ppt files if you aren’t entirely sure where they came from as there is a Microsoft Zero Day vulnerability in OLE (Object Linking and Embedding) handling in Microsoft Office that is currently being exploited in the wild by malicious Powerpoint slide decks.

Not that anyone reading this would be likely to do that, but yah – just so you know this vector is live and being used out there.

Microsoft Zero Day OLE Vuln Being Exploited In Powerpoint

It’s currently unpatched and it’s not clear right now if Microsoft is likely to release an out of band patch for this or not. It is pretty serious and it is being used in the wild, so if history holds any precendence – it’s likely they will take action before the next scheduled Patch Tuesday on November 11th.

Hackers are exploiting a zero-day vulnerability in Windows using malicious PowerPoint documents, Microsoft and security firms warn.

An advisory from Microsoft warns that the as-yet-unpatched flaw is present in all supported versions of Windows except Windows Server 2003 and has already been abused in “limited, targeted attacks”.

The bug (CVE-2014-6352) can be triggered by sending a specially crafted Microsoft Office files to intended targets before tricking them into opening the booby-trapped files. “Currently, attacks using PowerPoint files are known to exist, but all Office file types can be used to carry out this attack,” Jonathan Leopando, a technical communications staffer at Trend Micro, warns in a blog post.

The specially crafted malicious files would contain a malicious Object Linking and Embedding (OLE) object, a technology used to share data between applications that allows a chart from an Excel Spreadsheet within a PowerPoint presentation, among other functions. Tricking a user into opening a malicious file results in an infected machine but won’t cough admin privileges to the hacker – at least not by itself. Attacks are likely to generate pop-up warnings and under default settings a User Access Control popup would get displayed.

This means that user interaction would be needed to run successful attacks based on CVE-2014-6352 alone, an important limiting factor. Nonetheless the unpatched flaw is bad news for corporate security and a promising potential route into systems for cyberspies and the like. Redmond is investigating.


Technically it seems that this vulnerability can be exploited using any format that Microsoft Office supports (Word documents, Excel spreadsheets etc) – also the vector itself is not a straight pop.

It would likely generate warnings and UAC dialogues meaning that user action is required for the attack to be successful.

The next scheduled Patch Tuesday falls on 11 November. In the meantime, Microsoft is pointing sysadmins towards various defences and workarounds including a OLE packager Shim Workaround fix-it and rolling out Redmond’s Enhanced Mitigation Experience Toolkit, which provides general protection against hack attacks based on Windows security vulnerabilities.

Mark Sparshott, EMEA director at Proofpoint, said similar vulnerabilities have been seen before but this one is particularly nasty because it lends itself to attacks against a wide range of Windows systems. “This is not the first time that a vulnerability in OLE has been exploited by cybercriminals, however most previous OLE vulnerabilities have been limited to specific older versions of the Windows operating system,” Sparshott explained. “What makes this vulnerability dangerous is that it affects the latest fully patched versions of Windows.”

Microsoft credits security researchers at Google and McAfee for help in dealing with the vulnerability.

Is this serious for the average man on the street? Not particularly, but it could be wounding to organisations under constant attack as it gives the malicious parties another vector to work with. Combined with some nifty social engineering, it could be quite effective.

Of course if you’re using Microsoft Enhanced Mitigation Evaluation Toolkit (EMET) – you’d be a lot safer than most.

Source: The Register

Posted in: Exploits/Vulnerabilities, Windows Hacking

, ,


Latest Posts:


Spaghetti Download - Web Application Security Scanner Spaghetti Download – Web Application Security Scanner
Spaghetti is an Open-source Web Application Security Scanner, it is designed to find various default and insecure files, configurations etc.
Taringa Hack - 27 Million User Records Leaked Taringa Hack – 27 Million User Records Leaked
The Taringa hack is actually one of the biggest leaks of the year with 27 million weakly hashed passwords breached, but it's not often covered in the West.
A2SV - Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed A2SV – Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed
A2SV is a Python-based SSL Vulnerability focused tool that allows for auto-scanning and detection of the common and well-known SSL Vulnerabilities.
VHostScan - Virtual Host Scanner With Alias & Catch-All Detection VHostScan – Virtual Host Scanner With Alias & Catch-All Detection
VHostScan is a Python-based virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.
Equifax Hack Blamed On Single Employee Equifax Hack Blamed On Single Employee
We wrote about the Equifax Hack, Data Breach and Leak last month, which happened due to a flaw in Apache Struts that for some reason hadn't been patched.
LOIC Hivemind - Low Orbit Ion Cannon LOIC Download – Low Orbit Ion Cannon DDoS Booter
LOIC Download below - Low Orbit Ion Cannon is an Open Source Stress Testing and Denial of Service (DoS or DDoS) attack application written in C#.


Comments are closed.