Threat Intelligence, Incident Response, Patch/Configuration Management, TDR, Vulnerability Management

Patch for Windows flaw can be bypassed, prompts temporary fix from Microsoft

Researchers warn that a patch addressing a Windows zero-day flaw could still be bypassed by attackers – a development that prompted Microsoft to release a temporary fix for the ongoing issue.

The bug causing the threat was initially identified as CVE-2014-4114, but has been given a new ID, CVE-2014-6352, as Microsoft continues to track the issue, analysts at McAfee explained Tuesday.

Exactly a week prior, on Patch Tuesday, Microsoft dispatched MS14-060 to plug the zero-day, a remote code execution (RCE) vulnerability in Windows that had been taken up by a Russian cyberespionage group to target NATO, European telecommunications firms, academic organizations in the U.S. and other entities across the globe. Cyber threat intelligence firm iSIGHT Partners dubbed the group “Sandworm Team.”

In a Tuesday advisory, Microsoft provided a workaround for the issue, calling the temporary solution the “OLE packager Shim Workaround.”

The tech giant said that the bug affects all supported versions of Windows, except Windows Server 2003, and could lead to RCE if a user opens a malicious Microsoft Office file containing an OLE (Object Linking and Embedding) object.

“The attack requires user interaction to succeed on Windows clients with a default configuration, as User Account Control (UAC) is enabled and a consent prompt is displayed,” the Microsoft advisory said. “At this time, we are aware of limited, targeted attacks that attempt to exploit the vulnerability through Microsoft PowerPoint.”

In a Tuesday blog post, Haifei Li, a McAfee researcher who worked with Microsoft to address the issue, said simply that the Patch Tuesday fix was “not robust enough,” to mitigate the threat.

"Users who have installed the official patch are still at risk," Li warned.

Kenneth Bechtel, a malware expert and product marketing manager at Tenable, told SCMagazine.com in a Wednesday interview that, to prevent exploitation (particularly in the event that a patch fails to prevent attacks) that enterprises must consistently monitor network traffic for “abnormal” activities to remain vigilant.

News of the ongoing Windows issue surfaces during a busy week for Microsoft.

Last Friday, the tech giant recommended that customers uninstall a buggy SHA-2 patch (Advisory 2949927), which was made available just days earlier on Patch Tuesday.

UPDATE: On Wednesday, security firms Symantec and Trend Micro alerted the community to new attacks where the bypass allowed further exploitation. Symantec noted in a blog post that the "original" Sandworm vulnerability (CVE-2014-4114) "relates to how Windows handles OLE, a Microsoft technology that allows rich data from one document to be embedded in another or a link to a document to be embedded in another."

But exploitation bypassing Microsoft's patch (where CVE-2014-6352 is targeted), "involves OLE files that have the executable payloads embedded within them." CVE-2014-4114, on the other hand, involved embedded OLE files linking to external files, the firm explained.

Symantec observed that new attacks led to the installation of remote access trojan (RAT) Poison Ivy and Taidoor, malware which opens a backdoor on compromised systems.

Trend Micro shared its findings on the new attack, as well, saying, "the malicious .EXE and .INF files are already embedded into the OLE object, rather than downloading the malware in a remote location," a blog post said. "One advantage of this approach is that it will not require the computer to connect to the download location, thus preventing any detection from the Network Intrusion Prevention System (NIPS)."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.