A total of 24 software vulnerabilities in Microsoft products received attention this Patch Tuesday, including three zero-day flaws.
The tech giant released eight patches – three deemed “critical,” and the remaining rated “important,” – during its monthly security update. Only one of the critical bulletins, MS14-058, remediated bugs that had been used in zero-day attacks against customers.
The two zero-day flaws, discovered by FireEye, were used in separate, unrelated attacks involving exploitation of the Windows kernel. Such an attack could allow hackers to access a victim's entire system, researchers said.
Bulletin MS14-060, rated important, resolved the remaining zero-day bug, a remote code execution (RCE) vulnerability in Windows that had been taken up by a Russian cyber espionage group to target NATO, European telecommunications firms, academic organizations in the U.S. and other entities across the globe.
The other critical patches in the monthly release include a fix for 14 privately reported bugs in Internet Explorer, MS14-056 – a cumulative security update for the popular browser. The most severe of the flaws could allow RCE “if a user views a specially crafted webpage” using IE, the tech giant warned.
MS14-057, the remaining critical bulletin, plugged three vulnerabilities in Microsoft .NET Framework that could also allow RCE, in this case if a saboteur sends a malicious URI request containing international characters to a .NET web application, Microsoft explained.
Alongside the “important” fix for the Windows zero-day were four other bulletins with the same threat ranking – patches for a bug in ASP.NET MVC allowing security feature bypass; a vulnerability in Microsoft Office allowing RCE; and two elevation of privilege issues affecting Windows.
In a Tuesday blog post, Karl Sigler, manager of threat intelligence at Trustwave, highlighted the zero-day vulnerability in Windows OLE, CVE-2014-4114, which was used by a Russian espionage group, dubbed the “Sandworm Team.”
“In this specific case the gang was caught targeting organizations with a spear-phishing attack,” Sigler wrote. “The malicious document involved, a PowerPoint slide deck, exploited a previously unknown vulnerability in OLE. The vulnerability allows the attacker to execute any command. In the case of the Sandworm campaign, the criminals were dropping at least two variants of the BlackEnergy malware. BlackEnergy is bot-based malware with a plugin architecture that lets it adapt to a variety of uses like DDoS, credential theft, or spam distribution,” he said.
The security firm iSIGHT Partners, which uncovered the operation, released a technical report on the threat Tuesday. That day, FireEye also unveiled an in-depth analysis of the two zero-days it uncovered.