Microsoft misses Windows bug, hackers slip past patch

Microsoft patched one bug in Windows last week, but missed another that hackers continue to exploit.

Microsoft patched one bug in Windows last week, but missed another that hackers continue to exploit, according to security researchers at McAfee.

On Tuesday, Microsoft confirmed that cyber criminals are targeting victims using tricked-out PowerPoint files that exploit a "zero-day" vulnerability, or a bug that has not been patched.

"Microsoft is aware of a vulnerability affecting all supported releases of Microsoft Windows, excluding Windows Server 2003," the company said in a security advisory yesterday. "At this time, we are aware of limited, targeted attacks that attempt to exploit the vulnerability through Microsoft PowerPoint."

What was interesting about the latest Windows zero-day was that it was similar to, if not related to, a vulnerability Microsoft patched last week. In bulletin MS14-060 of Oct. 14, Microsoft fixed a flaw identified as CVE-2014-4114, which was also in Windows' OLE (Object Linking and Embedding) code.

Like the latest vulnerability, CVE-2014-4114 had been exploited using malicious PowerPoint files. When the rogue files were opened -- attackers attached them to email messages, using the presentations as bait to get users to open them -- the malware payload executed. The same process is being used by the hackers to exploit the zero-day.

Microsoft also used the same description of "limited, targeted attacks" to describe the ongoing attacks leveraging CVE-2014-4114.

McAfee, whose team was one of two that reported the zero-day to Microsoft, was politic, but implied Microsoft should have caught the latest bug during its code review and patch creation for last week's CVE-2014-4114.

"During our investigation, we found that Microsoft's official patch (MS14-060, KB3000869) is not robust enough," wrote Haifei Li on McAfee's blog. "In other words, attackers might still be able to exploit the vulnerability even after the patch is applied. Users who have installed the official patch are still at risk."

Li was one of the two McAfee researchers Microsoft credited with reporting the zero-day. Three members of Google's security team were also thanked for filing a bug report.

McAfee's title for Li's blog post -- "New Exploit of Sandworm Zero-Day Could Bypass Official Patch" -- also gave weight to Microsoft's oversight, as did the speed with which Li and his colleague, Bing Sun, were able to come up with a proof-of-concept exploit. Li and Sun wrapped up their investigation on Oct. 17, just three days after Microsoft patched CVE-2014-4114.

There are differences between the exploits of the two vulnerabilities. According to Symantec, attacks leveraging CVE-2014-4114 are stealthier, as the exploits sidestep UAC (User Account Control), the prompts that require user authorization before Windows performs certain privileged actions, such as installing software or making system-wide changes.

By Microsoft's account, some, although not all, attacks exploiting the zero-day do trigger UAC.

Symantec also claimed that there was evidence that at least two hacker groups were exploiting the zero-day: the gang dubbed "Sandworm," allegedly based in Russia, and another named "Taidoor," which has previously targeted Taiwanese businesses and government agencies.

Both CVE-2014-4114 and the latest vulnerability -- which is tagged CVE-2014-6352 -- may have been recent discoveries by the criminals, as the former was first seen exploited in August while the latter popped up on Symantec's radar last month.

In its advisory, Microsoft recommended that customers apply an automated "Fixit" tool to block known attacks, and if necessary, take other steps, including using EMET 5.0 (Enhanced Mitigation Experience Toolkit) to harden PowerPoint's defenses.
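The article gives no file-level detail beyond "PowerPoint files" and "OLE code," so the triage script below is an added example, not code from Microsoft, McAfee or Symantec. It lists every OLE object a .pptx/.ppsx package embeds or links to, so a mail gateway or an analyst can hold such decks for review while the patch is known to be incomplete. It assumes the Office Open XML package layout (slide relationship parts under ppt/slides/_rels, embedded blobs under ppt/embeddings) and builds a constructed sample deck in memory rather than using any real exploit file; whether a flagged object is actually malicious still requires analysis.

```python
"""Triage helper: surface OLE objects inside OOXML PowerPoint packages.

Added example for this article (not Microsoft, McAfee or Symantec code).
Assumption: the deck follows the Office Open XML layout, where each slide's
relationships live in ppt/slides/_rels/slideN.xml.rels and embedded OLE
blobs live under ppt/embeddings/. Which parts the real exploits used is not
stated in the article; this script simply reports every embedded or
externally linked OLE object so the file can be reviewed before it is opened.
"""
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_OBJECT_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
PACKAGE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/package"
OLE_REL_TYPES = {OLE_OBJECT_REL, PACKAGE_REL}


def scan_pptx(data: bytes) -> list:
    """Return (rels_part, kind, target) tuples for every OLE object found.

    kind is 'embedded' for blobs stored inside the package and 'external'
    for relationships whose TargetMode points outside it. Blobs under
    ppt/embeddings/ that no slide references are reported as well, so an
    object cannot hide simply by being orphaned."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = sorted(zf.namelist())
        for name in names:
            if not (name.startswith("ppt/slides/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.findall("{%s}Relationship" % RELS_NS):
                if rel.get("Type") not in OLE_REL_TYPES:
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode", "Internal") == "External":
                    findings.append((name, "external", target))
                else:
                    # Internal targets are relative to the slide part's folder.
                    part = posixpath.normpath(posixpath.join("ppt/slides", target))
                    findings.append((name, "embedded", part))
        referenced = {f[2] for f in findings if f[1] == "embedded"}
        for name in names:
            if name.startswith("ppt/embeddings/") and name not in referenced:
                findings.append(("", "embedded", name))
    return findings


def build_sample(mode: str) -> bytes:
    """Constructed minimal deck (not a real malicious file) with one slide.

    mode: 'none' (clean), 'embedded' (OLE blob inside the package) or
    'external' (OLE relationship pointing at an outside location)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<sld/>")
        rels = ['<Relationships xmlns="%s">' % RELS_NS,
                '<Relationship Id="rId1" Type="http://example.invalid/layout" '
                'Target="../slideLayouts/slideLayout1.xml"/>']
        if mode == "embedded":
            # Constructed OLE compound-file header bytes followed by filler.
            zf.writestr("ppt/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0constructed")
            rels.append('<Relationship Id="rId2" Type="%s" '
                        'Target="../embeddings/oleObject1.bin"/>' % OLE_OBJECT_REL)
        elif mode == "external":
            rels.append('<Relationship Id="rId2" Type="%s" '
                        'Target="file:///C:/Users/Public/example.bin" '
                        'TargetMode="External"/>' % OLE_OBJECT_REL)
        rels.append("</Relationships>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    for mode in ("none", "embedded", "external"):
        print(mode, scan_pptx(build_sample(mode)))
```

Run against a real deck with scan_pptx(open(path, "rb").read()); an empty list means the package carries no OLE relationships or embedded blobs, while any finding is a reason to hold the file rather than let a user open it. Legacy binary .ppt files are not OOXML packages and need a different parser.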

Stories by Gregg Keizer