Security firm iSight Partners has announced the discovery of a major zero-day vuln - apparently used in Russian attacks on NATO and the EU - that impacts desktop and server versions of Windows, from Vista and Server 2008 to current versions:
http://www.isightpartners.com/2014/10/cve-2014-4114/
The firm has dubbed the vulnerability, CVE-2014-4114, “SandWorm”, and this one looks to be as terrible as Shai-Hulud in full cry, as iSight says it was “used in [a] Russian cyber-espionage campaign targeting NATO, European Union, Telecommunications and Energy sectors”:
http://en.wikipedia.org/wiki/Sandworm_(Dune)
The zero-day is “An exposed dangerous method vulnerability exists in the OLE package manager in Microsoft Windows and Server” that “allows an attacker to remotely execute arbitrary code.”
“The vulnerability exists because Windows allows the OLE packager (packager.dll) to download and execute INF files,” iSight writes. “In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packager allows a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources.”
“This will cause the referenced files to be downloaded and, in the case of INF files, to be executed with specific commands.”
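The mechanism iSight describes, a Package OLE object whose target is an external file rather than an embedded one, is visible in the document itself: a .pptx is a zip of OOXML parts, and a part that points outside the package is declared as a Relationship with TargetMode="External" in the slide's .rels part. The following triage script is an added example, not iSight's code or anything from this article: it unpacks a .pptx from memory, lists every external OLE-object relationship (and any external relationship whose target is an .inf file), and rates a target on a remote share or URL, or an .inf target, as "high". The sample deck it builds is constructed for illustration and is not a real exploit document; the 192.0.2.10 host is a documentation address, not an indicator of compromise. Legitimate linked OLE objects also use external targets, so a "review" hit is a lead to inspect, not a verdict.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces and relationship types (from ECMA-376, not specific to this exploit).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
LAYOUT_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout"

# UNC paths (\\host\share or //host/share) and URL schemes count as remote.
REMOTE_TARGET = re.compile(r"^(\\\\|//|[a-z][a-z0-9+.-]*://)", re.IGNORECASE)


def build_sample_pptx(external: bool = True) -> bytes:
    """Construct a minimal PPTX-like zip in memory (illustrative, not a real document).

    external=True: the slide's OLE object points at an INF file on a remote share,
    the shape of reference the advisory describes.
    external=False: the OLE object is an embedded part, as in a benign deck.
    """
    if external:
        ole_rel = (f'<Relationship Id="rId2" Type="{OLE_TYPE}" '
                   'Target="\\\\192.0.2.10\\share\\slides.inf" TargetMode="External"/>')
    else:
        ole_rel = f'<Relationship Id="rId2" Type="{OLE_TYPE}" Target="../embeddings/oleObject1.bin"/>'
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{LAYOUT_TYPE}" Target="../slideLayouts/slideLayout1.xml"/>'
        f"{ole_rel}"
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("ppt/slides/slide1.xml", '<?xml version="1.0"?><sld/>')
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


def classify_target(target: str) -> str:
    """Rate an external OLE target: a remote location or an INF payload is 'high'."""
    if REMOTE_TARGET.match(target) or target.lower().endswith(".inf"):
        return "high"
    return "review"


def find_external_ole_refs(pptx_bytes: bytes) -> list:
    """Return every external OLE-object (or external .inf) relationship in the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError:
                continue  # a malformed .rels part deserves a look too, but is not this signal
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                is_ole = rel.get("Type", "") == OLE_TYPE
                if not is_ole and not target.lower().endswith(".inf"):
                    continue
                findings.append({
                    "part": name,
                    "id": rel.get("Id"),
                    "target": target,
                    "severity": classify_target(target),
                })
    return findings


if __name__ == "__main__":
    for hit in find_external_ole_refs(build_sample_pptx()):
        print(f"[{hit['severity']}] {hit['part']} {hit['id']} -> {hit['target']}")
```

To run it against a real file, pass `open(path, "rb").read()` to `find_external_ole_refs`. The scan walks every .rels part in the package rather than only the slides, so an external target declared from a notes, layout or master part is caught as well.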
iSight says it spotted the flaw while analysing “Tsar Team”, a group of chaps suspected of being Russian cyber-espionage operatives, and in late August “discovered a spear-phishing campaign targeting the Ukrainian government and at least one United States organization” during the NATO summit on the Ukraine crisis staged in Wales.
“On September 3rd, our research and labs teams discovered that the spear-phishing attacks relied on the exploitation of a zero-day vulnerability impacting all supported versions of Microsoft Windows (XP is not impacted) and Windows Server 2008 and 2012,” iSight writes.
“A weaponized PowerPoint document was observed in these attacks.”
“Though we have not observed details on what data was exfiltrated in this campaign, the use of this zero-day vulnerability virtually guarantees that all of those entities targeted fell victim to some degree.”
iSight says it contacted all the impacted parties and has since worked with Microsoft on a fix that should land today, in Microsoft's October Patch Tuesday release as bulletin MS14-060.
And in case you're wondering about the name and the Dune reference in the logo, iSight says the exploit's code contains several references to Frank Herbert's classic.
(ElReg)