Microsoft Security Advisory 3010060: Vulnerability in Microsoft OLE Could Allow Remote Code Exec.

Discussion in 'other security issues & news' started by MrBrian, Oct 21, 2014.

  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From http://blogs.technet.com/b/msrc/archive/2014/10/21/security-advisory-3010060-released.aspx:
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,794
    Location:
    Texas
  3. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Microsoft discloses zero-day flaw, publishes quick fix
    http://www.cso.com.au/article/557948/microsoft-discloses-zero-day-flaw-publishes-quick-fix/

    The contained MS FixIt is released until Microsoft decides what it's going to do next. An out-of-band patch may be in the works.
     
  4. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    The EMET rules they made as a mitigation for this attack are interesting.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    So, what is this infected OLE file?

    Attackers circumvent patch for Windows Sandworm vulnerability
    Created: 22 Oct 2014 17:15:56 GMT
    http://www.symantec.com/connect/blogs/attackers-circumvent-patch-windows-sandworm-vulnerability
    A trojan dropper can drop any type of executable file, so nothing is new here, even the social engineering trickery.

    I'm reminded of a previous exploit five years ago of packager.exe, using a specially crafted RTF file with an embedded OLE object. See:

    Targeted e-mail attacks asking to verify wire transfer details
    Published: 2009-06-04
    https://isc.sans.edu/diary/Targeted+e-mail+attacks+asking+to+verify+wire+transfer+details/6511

    I was able to get a copy of the RTF file to see how it works. When the user clicks on the embedded icon, packager.exe attempts to execute a malicious SCR file:

    ae-alert.gif

    One may wonder why targeted attacks today still use the tried and true email with trojan dropper link, when all sorts of esoteric stuff is being flaunted in security discussions. The answers are simple:

    1) It works because many businesses have no effective solution to the continuing social engineering trickery. Bogus emails still result in the Click.

    2) It works because many businesses don't have proper protection (and there are many solutions) in place to stop the malicious code, and/or catch these payloads.


    ----
    rich
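
Added example (not part of Rmus's post or the linked write-ups): a triage check for the kind of RTF file described above, which decodes each `\objdata` group and reports embedded file names ending in directly executable extensions such as `.scr`. The extension list, the function names and the sample document are assumptions constructed for illustration.

```python
import re
import struct

# File types Windows runs directly; .scr is the type named in the post above.
RISKY_EXT = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")

def embedded_objects(rtf: str):
    """Yield (class_name, raw_bytes) for each \\objdata group in RTF text."""
    for m in re.finditer(r"\\objdata\b([0-9A-Fa-f\s]*)", rtf):
        hexdigits = re.sub(r"\s+", "", m.group(1))
        data = bytes.fromhex(hexdigits[: len(hexdigits) & ~1])
        if len(data) < 12:
            continue
        # OLE 1.0 header: version (4 bytes), format id (4 bytes), then a
        # length-prefixed, NUL-terminated ANSI class name such as "Package".
        (name_len,) = struct.unpack_from("<I", data, 8)
        cls = data[12:12 + name_len].rstrip(b"\0").decode("latin-1")
        yield cls, data

def risky_names(data: bytes):
    """Printable strings inside the object that end in a risky extension."""
    names = []
    for run in re.findall(rb"[\x20-\x7e]{5,260}", data):
        text = run.decode("ascii")
        if text.lower().endswith(RISKY_EXT) and text not in names:
            names.append(text)
    return names

def scan_rtf(rtf: str):
    """Return [(class_name, [file names])] for objects carrying risky names."""
    hits = []
    for cls, data in embedded_objects(rtf):
        names = risky_names(data)
        if names:
            hits.append((cls, names))
    return hits

def sample_rtf(filename: str) -> str:
    """Constructed sample: simplified Package object with a placeholder body."""
    name = filename.encode("ascii") + b"\0"
    native = b"\x02\x00" + name + b"C:\\Temp\\" + name + b"\x00\x00\x03\x00\x00PLACEHOLDER"
    ole = (struct.pack("<III", 0x501, 2, 8) + b"Package\0"
           + struct.pack("<III", 0, 0, len(native)) + native)
    return r"{\rtf1{\object\objemb{\*\objclass Package}{\*\objdata " + ole.hex() + "}}}"

if __name__ == "__main__":
    print(scan_rtf(sample_rtf("invoice.scr")))   # flagged
    print(scan_rtf(sample_rtf("notes.txt")))     # nothing flagged
```

This is a first-pass filter for mail gateways or manual review: it only reads plain hex after `\objdata`, so a document that breaks up the hex with other control words needs a full RTF parser.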
     
  6. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  8. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,794
    Location:
    Texas
    http://www.kb.cert.org/vuls/id/158647
     