CVE-2014-6352 : All Windows versions except Windows 2003 vulnerable to a new Sandworm exploitThe vulnerability :Microsoft has given a workaround for the mitigation of the exploit

US-CERT recommends users and administrators review the Microsoft Security Advisory and apply the recommended workarounds. Microsoft says that the Zero-day is not patched yet and hence it is being exploited in the wild and allows the potentials hackers to  perform remote code execution.

The vulnerability :

A zero-day security glitch pertains to the Microsoft OLE (Object Linking and Embedding) technology. The OLE is designed to allow sharing data and functionality between programs and it is present in almost all the components of Microsoft Office, where it can be used to edit and create data with information in multiple formats. The flaw (CVE-2014-6352) is significant because it is present in all versions of the Windows operating system, except for Server 2003, rendering a huge number of machines vulnerable until a patch is provided or unless users exert caution when opening Office files from untrusted sources. Meanwhile in a separate report, McAfee has said that this zero-day exploit is a part of the Sandworm.  Readers will remember the Sandworm which is believed to work of Russian cyber criminals to spy on those involved in the Ukrainian crisis. The Operation Sandworm was discovered by iSIGHT Partners and allocated CVE-2014-4114.  However, Microsoft apparently botched up the patch released for the original Operation Sandworm zero-day exploit, the CVE-2014-4114.  The botch up revealed another zero-day which is now identified as CVE-2014-6352. McAfee blog states that, Microsoft engineers have released a fix for the zero-day exploit, however McAfee says that  the “Fix It” temporary patch. McAfee states that if the zero-day exploit is released in the open, millions of Windows OS users will be at risk.

Microsoft has given a workaround for the mitigation of the exploit

In observed attacks, User Account Control (UAC) displays a consent prompt or an elevation prompt, depending on the privileges of the current user, before a file containing the exploit is executed. UAC is enabled by default on Windows Vista and newer releases of Microsoft Windows. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. In a web-based attack scenario, an attacker could host a website that contains a webpage that contains a specially crafted Office file that is used to attempt to exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website. Files from the Internet and from other potentially unsafe locations can contain viruses, worms, or other kinds of malware that can harm your computer. To help protect your computer, files from these potentially unsafe locations are opened in Protected View. By using Protected View, you can read a file and see its contents while reducing the risks. Protected View is enabled by default.

Additional workarounds refer to turning on UAC and configuring Enhanced Mitigation Experience Toolkit (EMET) 5.0 to protect against known attack types. Preparing EMET requires adding a new configuration file to the standard one.