Mark Sparshott, EMEA director at Proofpoint, said similar vulnerabilities have been seen before but this one is particularly nasty because it lends itself to attacks against a wide range of Windows systems. "This is not the first time that a vulnerability in OLE has been exploited by cybercriminals, however most previous OLE vulnerabilities have been limited to specific older versions of the Windows operating system," Sparshott explained. "What makes this vulnerability dangerous is that it affects the latest fully patched versions of Windows."
Microsoft Zero Day OLE Vuln Being Exploited In Powerpoint
The CVE-2014-6352 flaw is similar but distinct from the recently patched SandWorm zero-day vulnerability in Microsoft Windows (CVE-2014-4114) abused by Russians hackers to hijack and snoop on PCs and servers used by NATO and the European Union.
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a Microsoft Office file that contains a specially crafted OLE object. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
A vulnerability exists in Windows OLE that could allow remote code execution if a user opens a file that contains a specially crafted OLE object. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
What might an attacker use the vulnerability to do?An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?Yes. We are aware of limited, targeted attacks involving Microsoft PowerPoint 2007 files. Both Microsoft PowerPoint Presentation (.PPTX or .PPT file extensions) and PowerPoint Show (.PPSX or .PPS file extensions) data files could be used in an attack scenario; if PowerPoint Show files are used in an attack scenario, arbitrary code may be installed without User Account Control (UAC) security prompts.
As per Microsoft, there are 2 zero-day vulnerabilities fixed and 1 Actively Exploited as part of September 2022 Patch Tuesday. CVE-2022-37969 (Windows Common Log File System Driver Elevation of Privilege Vulnerability) and CVE-2022-23960, Cache Speculation Restriction Vulnerability, are the two zero-day vulnerabilities.
One of the update is specifically in addressing the zero-day flaw that is reportedly is already being exploited by Russion hacking groups. The vulnerability could have been used by attackers since early September, if not earlier than that, where the attackers infect victims with malicious attachments primarily PowerPoint files.
Currently, exploiting the zero-day vulnerability requires the execution of attachments such as PowerPoint. Attackers use social engineering tactics to engage victims to execute the malicious code thus resulting in an attack
Attacks were spreading via a massive spam campaign where emails contain Microsoft Word documents with malicious attachments that exploited a vulnerability in the way Microsoft handles OLE2Link objects. According to researchers, the attacks were effective at bypassing most mitigation efforts.
A zero-day (0day) exploit is a cyber attack targeting a software vulnerability which is unknown to the software vendor or to antivirus vendors. The attacker spots the software vulnerability before any parties interested in mitigating it, quickly creates an exploit, and uses it for an attack. Such attacks are highly likely to succeed because defenses are not in place. This makes zero-day attacks a severe security threat.
By definition, no patches or antivirus signatures exist yet for zero-day exploits, making them difficult to detect. However, there are several ways to detect previously unknown software vulnerabilities.
Vulnerability scanning can detect some zero-day exploits. Security vendors who offer vulnerability scanning solutions can simulate attacks on software code, conduct code reviews, and attempt to find new vulnerabilities that may have been introduced after a software update.
Another strategy is to deploy software patches as soon as possible for newly discovered software vulnerabilities. While this cannot prevent zero-day attacks, quickly applying patches and software upgrades can significantly reduce the risk of an attack.
However, there are three factors that can delay the deployment of security patches. Software vendors take time to discover vulnerabilities, develop a patch and distribute it to users. It can also take time for the patch to be applied on organizational systems. The longer this process takes, the higher the risk of a zero-day attack.
One of the most effective ways to prevent zero-day attacks is deploying a web application firewall (WAF) on the network edge. A WAF reviews all incoming traffic and filters out malicious inputs that might target security vulnerabilities.
Vulnerability scanning and patch management are partial solutions to zero-day attacks. And they create a large window of vulnerability, due to the time it takes to develop and apply patches and code fixes.
The chart above shows a steady increase in the number of vulnerabilities reported to NVD from 2011 through 2016, followed by an exponential increase in 2017 and then a continued increase every year thereafter. The surge in 2017 may have come from a more extensive collection of software products being catalogued in NVD. However, it is significant to note that web application exploits have dominated the decade as seen in the chart below (See Figure 2).
We expect Internet of Things (IoT) vulnerabilities to be a significant player the coming decade, so it was only proper to highlight vulnerabilities that affected IoT in the decade under review. In June 2020, JSOF publicly disclosed a set of 19 vulnerabilities. The vulnerabilities were collectively called Ripple20 to illustrate the "ripple effect" these security defects will have on connected devices for years to come. The vulnerabilities were present in the Treck networking stack, used by more than 50 vendors and millions of devices, including mission-critical devices in healthcare, data centers, power grids and critical infrastructure. When properly exploited, an attacker could gain total control over an internal network device from outside the network perimeter through the Internet-facing gateway. The Ripple20 vulnerabilities also made the term supply chain vulnerabilities popular.
As you have read throughout this report, most of these vulnerabilities were discovered almost a decade ago. Unfortunately, even with fixes and patches being made available, attackers still exploited them in the wild. Our previous report on active state of vulnerabilities showed the same trend for newer and popular vulnerabilities, as well.
With 2021 opening on a grand note with the Exchange Server RCE bugs and ending with the Log4j exploit, we see a sharp increase in the number of zero-day vulnerabilities. This zero-day tracking project shows the number of zero-days increased two-fold compared to 2020. More than 59 zero-days were logged in 2021. These zero-day vulnerabilities created a cybersecurity nightmare for organizations incurring about $6 trillion in damages. Making matters worse for cybersecurity teams is the fact that as Proof of Concepts (POCs) have become publicly available major threat actors and even hobbyists have joined in on hunting and exploiting vulnerable instances adding to more logging woes.
The group using Taidoor is a well-established threat actor that has been in operation since at least 2008. It has a track record of exploiting recently discovered zero-day vulnerabilities in its attacks. Most recently, in March, it exploited a Microsoft Word zero-day bug in attacks against government agencies and an educational institute in Taiwan.
Microsoft is aware of the vulnerability and has issued a new security advisory Opens a new window warning users of possible attacks. The company has yet to release a patch for this latest issue, which is being tracked as the Microsoft Windows OLE Remote Code Execution Vulnerability Opens a new window (CVE-2014-6352).
It is hardly surprising that some of the most infamous targeted attacks that we have spotted in the past used conventional attack vectors and infection techniques to penetrate their target organizations. Multiple attacks using lure documents have been uncovered by the security community over the last year. Since attackers using this technique to execute phishing attacks would most likely deliver the weaponized exploit documents to the target, it becomes a pressing need for any perimeter security solution to investigate these file formats a little deeper for signs of maliciousness. Network and endpoint security solutions have the capability to look deeper into several file formats, but seemingly have limited detection capability of weaponized documents exploiting zero-day vulnerabilities. Modern sandboxing solutions also support analysis of multiple file formats, but often do not provide complete behaviour visibility. It is critical to augment the exploit detection capability of these solutions with an engine that can perform static inspection of files and classify documents based on the characteristics of the embedded binary content. 2ff7e9595c
Comentarios