Microsoft Security Advisory 3010060: Vulnerability in Microsoft OLE Could Allow Remote Code Exec.

Discussion in 'other security issues & news' started by MrBrian, Oct 21, 2014.

  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From http://blogs.technet.com/b/msrc/archive/2014/10/21/security-advisory-3010060-released.aspx:
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,032
    Location:
    Texas
  3. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    Microsoft discloses zero-day flaw, publishes quick fix
    http://www.cso.com.au/article/557948/microsoft-discloses-zero-day-flaw-publishes-quick-fix/

    The contained MS FixIt is released until Microsoft decides what it's going to do next. An out-of-band patch may be in the works.
     
  4. 142395

    142395 Guest

    The EMET rules they made as a mitigation for this attack are interesting.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    So, what is this infected OLE file?

    Attackers circumvent patch for Windows Sandworm vulnerability
    Created: 22 Oct 2014 17:15:56 GMT
    http://www.symantec.com/connect/blogs/attackers-circumvent-patch-windows-sandworm-vulnerability
    A trojan dropper can drop any type of executable file, so nothing is new here, even the social engineering trickery.

    I'm reminded of a previous exploit five years ago of packager.exe, using a specially crafted RTF file with an embedded OLE object. See:

    Targeted e-mail attacks asking to verify wire transfer details
    Published: 2009-06-04
    https://isc.sans.edu/diary/Targeted e-mail attacks asking to verify wire transfer details/6511

    I was able to get a copy of the RTF file to see how it works. When the user clicks on the embedded icon, packager.exe attempts to execute a malicious SCR file:

    [Image: ae-alert.gif]

    One may wonder why targeted attacks today still use the tried and true email with trojan dropper link, when all sorts of esoteric stuff is being flaunted in security discussions. The answers are simple:

    1) It works because many businesses have no effective solution to the continuing social engineering trickery. Bogus emails still result in the Click.

    2) It works because many businesses don't have proper protection (and there are many solutions) in place to stop the malicious code, and/or catch these payloads.


    ----
    rich
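
A defender-side check for the kind of file described in the post above, an RTF carrying an embedded OLE Package object that points at an executable such as an SCR. This is an added example, not part of the original thread. The function names, the extension list and the sample bytes are assumptions made for illustration, and it only handles a plain, unobfuscated `\objdata` group.

```python
import re
import struct

# Extensions treated as executable here are an assumed, illustrative list.
RISKY_NAME = re.compile(rb"[\w .-]+\.(?:scr|exe|pif|com|bat|cmd|vbs|js)\b", re.I)
OBJDATA = re.compile(rb"\\objdata([^{}\\]*)")  # plain, unobfuscated \objdata only

def read_lp_string(buf, pos):
    """Read an OLE 1.0 length-prefixed ANSI string; return (text, next_pos)."""
    (length,) = struct.unpack_from("<I", buf, pos)
    raw = buf[pos + 4 : pos + 4 + length]
    return raw.rstrip(b"\x00").decode("latin-1"), pos + 4 + length

def parse_ole1(blob):
    """Return (class_name, native_data) for an embedded OLE 1.0 object, else None."""
    try:
        _version, format_id = struct.unpack_from("<II", blob, 0)
        if format_id != 2:  # 2 = embedded object (1 would be a link)
            return None
        cls, pos = read_lp_string(blob, 8)
        _topic, pos = read_lp_string(blob, pos)
        _item, pos = read_lp_string(blob, pos)
        (size,) = struct.unpack_from("<I", blob, pos)
        return cls, blob[pos + 4 : pos + 4 + size]
    except struct.error:  # truncated or malformed header
        return None

def scan_rtf(data):
    """List (class_name, [risky file names]) for Package objects found in RTF bytes."""
    findings = []
    for match in OBJDATA.finditer(data):
        digits = re.sub(rb"[^0-9A-Fa-f]", b"", match.group(1))
        blob = bytes.fromhex(digits[: len(digits) & ~1].decode("ascii"))
        parsed = parse_ole1(blob)
        if parsed is None:
            continue
        cls, native = parsed
        names = sorted({n.decode("latin-1").strip() for n in RISKY_NAME.findall(native)})
        if cls.lower() == "package" and names:
            findings.append((cls, names))
    return findings

# Constructed sample: a Package header around a harmless stub, no real payload.
stub = b"invoice.scr\x00C:\\temp\\invoice.scr\x00"
ole = (struct.pack("<II", 0x501, 2) + struct.pack("<I", 8) + b"Package\x00"
       + struct.pack("<II", 0, 0) + struct.pack("<I", len(stub)) + stub)
SAMPLE_RTF = b"{\\rtf1{\\object\\objemb{\\*\\objdata " + ole.hex().encode() + b"}}}"

if __name__ == "__main__":
    print(scan_rtf(SAMPLE_RTF))
```

A hit means the attachment deserves quarantine and a closer look. An empty result does not clear the file, because this sketch does not follow obfuscated or nested RTF groups.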
     
  6. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  8. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,032
    Location:
    Texas
    http://www.kb.cert.org/vuls/id/158647
     