One of the zero days fixed in the October 2014 Patch Tuesday had been used in attacks against NATO and others, while FireEye discovered two more being used in targeted attacks.
Microsoft today delivered a total of eight security bulletins addressing 24 unique vulnerabilities as part of its October 2014 Patch Tuesday release, with the most notable updates addressing four zero-day vulnerabilities that were recently found being exploited in the wild.
The first of the zero-day vulnerabilities, CVE-2014-4114, was discovered in August by threat intelligence vendor iSIGHT Partners, which worked with Microsoft in the following weeks to share technical information on the threat.
The flaw, which affects all supported versions of Windows as well as Windows Server 2008 and 2012, stems from Windows allowing the OLE package manager to download and execute INF files. Attackers took advantage of that behavior by delivering PowerPoint files containing OLE objects that reference external, attacker-hosted INF files, according to a blog post on the iSIGHT Partners website. Once a victim opens the file and the exploit triggers, the attacker gains the ability to execute arbitrary code on the victim's machine.
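The delivery mechanism described above leaves a signature that can be triaged without opening the document in Office: in an OOXML package, an OLE object is wired to its slide through a `.rels` part, and an object that points outside the package carries `TargetMode="External"`. The following checker, an added example that is not code from the article, iSIGHT or Microsoft, walks every relationship part in a pptx/docx/xlsx zip and reports external OLE-object targets, rating those that end in an executable-style extension such as `.inf` as high severity. The sample document it builds is constructed in memory for the demonstration, and the UNC path in it is made up.

```python
"""Triage OOXML packages for OLE objects that link to external targets.

Added example (not from the original article). The relationship layout it
relies on (ppt/slides/_rels/*.rels, oleObject relationship type, TargetMode
attribute) is standard OOXML; the sample package and its UNC target below are
constructed here and are not a real attack document.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
LAYOUT_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                   "relationships/slideLayout")
# Extensions that the OLE package manager will hand to the shell to execute.
EXECUTABLE_EXTS = (".inf", ".exe", ".scr", ".dll", ".com", ".bat", ".cmd")


def find_external_ole(data: bytes) -> list:
    """Return (rels_part, target) for each oleObject relationship whose
    TargetMode is External, i.e. an OLE object fetched from outside the zip."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(pkg.read(name))
            except ET.ParseError:
                continue  # malformed relationship part; worth a separate flag
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("Type") != OLE_REL_TYPE:
                    continue
                if rel.get("TargetMode", "Internal").lower() == "external":
                    hits.append((name, rel.get("Target", "")))
    return hits


def severity_for(target: str) -> str:
    """'high' when the external target is something Windows would execute,
    otherwise 'medium' (any external OLE link is still unusual)."""
    path = target.lower().split("?", 1)[0].split("#", 1)[0]
    return "high" if path.endswith(EXECUTABLE_EXTS) else "medium"


def triage(data: bytes) -> list:
    """Return (rels_part, target, severity) for every external OLE link."""
    return [(part, target, severity_for(target))
            for part, target in find_external_ole(data)]


def build_sample_pptx(target: str, external: bool = True) -> bytes:
    """Construct a minimal pptx-like package with one slide whose OLE object
    relationship points at `target`. Constructed test input only."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{PKG_REL_NS}">'
        f'<Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="{target}"{mode}/>'
        f'<Relationship Id="rId2" Type="{LAYOUT_REL_TYPE}" '
        'Target="../slideLayouts/slideLayout1.xml"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<?xml version="1.0"?><Types xmlns="http://schemas.'
                     'openxmlformats.org/package/2006/content-types"/>')
        pkg.writestr("ppt/slides/slide1.xml",
                     '<p:sld xmlns:p="http://schemas.openxmlformats.org/'
                     'presentationml/2006/main"/>')
        pkg.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Made-up UNC path (RFC 5737 documentation address), not a real host.
    sample = build_sample_pptx(r"\\192.0.2.10\public\slides.inf")
    for part, target, sev in triage(sample):
        print(f"{sev}: {part} -> {target}")
```

The check only inspects relationship metadata, so it runs safely on untrusted files and works on any OOXML container, not just PowerPoint. A clean document whose OLE objects are stored inside the package (`../embeddings/oleObject1.bin`, no `TargetMode`) produces no hits.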
The firm said the flaw was being actively exploited by Russia-based hacker squad “Sandworm Team” — previously referred to by Finland-based F-Secure as “Quedach” — in a campaign dating back to at least December 2013 against the NATO Alliance, the Ukrainian government, and other organizations involved in the recent military conflict in Ukraine.
Bulletin MS14-060 resolves the high-profile zero day, but was only rated as an “Important” update by Microsoft because users must still be tricked into opening a malicious file. Still, Wolfgang Kandek, CTO for Qualys Inc., based in Redwood City, Calif., warned administrators that they shouldn’t put off applying the patch.
“The vulnerability seems to be very straightforward to exploit,” said Kandek, “which means as soon as the patch is out, we can expect the number of attacks against that vulnerability to go up quickly.”
Critical bulletin MS14-058 patched two more zero-day vulnerabilities, CVE-2014-4148 and CVE-2014-4113, found in all supported versions of Windows and Windows Server. Advanced threat detection vendor FireEye first spotted both flaws being exploited in the wild, but its blog post did not identify the targets of the attacks, noting only that the two flaws may have been used in unrelated incidents by different attackers.
CVE-2014-4148 is a TrueType font parsing vulnerability; FireEye said the malicious font was embedded in Microsoft Office documents delivered to victim organizations. Because Windows parses embedded fonts in kernel mode, a successful exploit gives the attacker kernel-mode code execution directly from the document. FireEye said the vulnerability was similar to a previously exploited TrueType font flaw, CVE-2011-3402, which was later used in browser-based attacks.
CVE-2014-4113 is the less severe of the two bugs FireEye discovered because it cannot be used on its own to compromise a system. It is a local elevation-of-privilege flaw: FireEye's researchers said an attacker must first obtain the ability to run code on a machine with a vulnerable version of Windows, and can then use the bug to escalate from that foothold to higher privileges.
The last of the four zero-day vulnerabilities reported this month, CVE-2014-4123, is another elevation-of-privilege flaw, in this case an Internet Explorer sandbox escape. Microsoft said it is aware of limited attacks using the vulnerability, which was patched as part of the critical bulletin MS14-056 that fixed a total of 14 vulnerabilities in Internet Explorer, but no further information on the targets was made available.
The other notable bulletin this month, MS14-057, may not have featured a zero-day fix, but it was the only other update rated as critical by Microsoft. The bulletin resolved three privately reported vulnerabilities in Microsoft’s .NET framework, the most severe of which could be triggered by sending malicious URI requests to a .NET application allowing attackers to remotely execute code.
Ross Barrett, senior manager of security engineering at Rapid7, said that while the Sandworm vulnerability uncovered by iSIGHT may affect all supported versions of Windows, system administrators and users shouldn't panic, because it isn't remotely exploitable in the way some of the flaws covered in this month's critical bulletins are. Instead, they should rely on Microsoft's guidance when deciding which fixes to apply first.
“These [critical bulletins] will be the top patching priorities,” said Barrett, “probably with the IE issue being the most at risk for exploitation.”
The remaining four bulletins in the October 2014 Patch Tuesday release were all rated important by Microsoft, and addressed a variety of vulnerabilities across various versions of Microsoft Office, Windows, ASP.NET and Windows Server. Notably, the number of bulletins included in the final release was one short of the total that Microsoft initially planned to deliver.
“Last week’s prerelease mentioned nine bulletins, which means one has been pulled, presumably for quality issues or lack of [an] adequate fix,” said Tyler Reguly, manager of security research at Tripwire, based in Portland, Ore. “It’d be nice to know why there’s a variance between the prerelease and the final patch drop but I doubt that’s something we’ll ever learn.”