Microsoft warns on yet another zero-day security flaw

News by Steve Gold

Microsoft has warned Windows users about a zero-day security issue with malicious PowerPoint documents being emailed to recipients. The software giant is working on a patch for the problem.

The bad news is that the vulnerability affects all versions of Windows from Server 2003 to Windows 8.1. Perhaps worse, the flaw is buried in the code that handles OLE (object linking and embedding) calls, allowing one Microsoft application to directly call another.

Some researchers have pointed out that this zero-day is similar to one patched last week, when Microsoft issued no less than eight updates, including one (Sandworm) known to have been exploited in the wild, pending an update.    

Whilst it creates a patch, Microsoft has created an interim Fixit tool that, when applied, blocks the attacks seen so far. The tool can be downloaded on Microsoft's support pages.

Microsoft has also asked Windows users to pay attention to the User Account Control (UAC) pop-ups, the small alerts that require authorisation before the OS is allowed to perform certain tasks, such as downloading files or running software.

According to Steve Armstrong, technical security director with pen testing specialist Logically Secure, whilst the impact of a MS Zero day is bad, looking at the published workarounds suggests that users who enable UAC by default - and who do not have users with highly privileged accounts - can minimise the risks involved.

"Users should also not open PPT files from untrusted sources or trusted ones at unusual times - again that should be standard practice and this rule should be in effect 24x7. They should also implement the Enhanced Mitigation Experience Toolkit (EMET) 5.0, which is offered as a no-extra-cost security enhancement to Windows.

"While this is an important zero-day that affects the most popular platform on the planet, good housekeeping and IT infrastructure planning and some training of the users will prevent this hitting most organisations. The take away for IT Security people today is: if you don't have these standard protections in place now, use these high levels of media coverage to highlight it to the board and the execs," he said.

Armstrong says, if you are already doing this, take the opportunity to flag to the board what mitigations you are already employing to reduce the impact of such public problems affecting the MS platform.  

"If you have done the tech but not the end user training then look to support at your security training staff and use this as an excellent teaching point on the attack vectors hackers will use to gain access to business and home systems. Also stress the home systems part if you all personal devices (BYOD)," he explained.

Armstrong's pragmatism was echoed by Graham Mann, managing director with Encode UK, who also cautioned that the Microsoft workaround/patches are always going to be a finger-in-the-dyke approach that does not solve the real underlying problem, that is that there are numerous such vulnerabilities, some known to hackers others still to be unearthed.

"What is needed is better application testing, including greater foresight into how specific technology could be used by future hackers. Such vulnerabilities are rarely identified before significant damage is done. Organisations must adopt the position that such vulnerabilities exist in numbers and the only way to protect themselves is to implement a robust security monitoring capability based on use cases and including advanced data analytics and proactive hunting," he explained.

Rich content

Rahul Kashyap, head of security research with Bromium, was also cautious on the security front, noting that OLE was originally designed to provide data linking capabilities to provide rich content experience.

"However, in this case due to the flaw in the OLE Package manager, the attackers can silently download malware from a remote location. The vulnerability is known to exploit almost all Microsoft platforms, except for Windows XP. Given the details of the vulnerability is under active discussion, wider exploitation of this flaw is likely," he said.

Mark Sparshott, EMEA director with Proofpoint, said that OLE technology is legitimately used to display parts of a file within another file - a such as display a chart from an Excel spreadsheet within a PowerPoint presentation.

"This is not the first time that a vulnerability in OLE has been exploited by cyber-criminals, however most previous OLE vulnerabilities have been limited to specific older versions of the Windows operating system. What makes this vulnerability dangerous is that it affects the latest fully patched versions of Windows," he said.

"The race is on. Cyber-criminals will use phishing and long lining emails containing URL links to websites hosting malicious files that exploit this vulnerability or attach the malicious file to the email itself. While Microsoft and security vendors rush to close the security hole the best form of defence remains using the latest next generation detection technologies such as sandboxing at the email gateway to prevent the emails reaching users in the first place," he added.

Sparshott concluded that organisations not yet using advanced detection tools will need to fall back to notifying users and relying on them not to click the links and open files.

"Unfortunately Proofpoint's Human Factor Report highlighted that staff click on 1 in 10 malicious links on average so cyber-criminals will see a lot of success before the security gap on this vulnerability is closed," he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews