Microsoft patches SandWorm 0-day

Microsoft is back in fine form this month with eight upcoming advisories affecting Internet Explorer, the entire Microsoft range of supported operating systems, plus Office, SharePoint Server and a very specific add-on module to their development tools called “ASP .NET MVC”.

Originally nine advisories were listed in the advance notice, but one of the vulnerabilities affecting Office and the Japanese language IME was dropped for reasons unknown (the dropped advisory was bulletin #4 in the advance notice).

The big headline this month seems to be SandWorm, another vulnerability being marketed with a clever name. SandWorm, a.k.a. CVE-2014-4114 is addressed by MS14-060. Why is it called SandWorm? Apparently the exploit code was written by a fan of Frank Herbert’s classic science fiction epic, Dune. The code and command and control URLs contain references to the books. That’s it. Note, SandWorm is not a “worm” in the sense of computer virus that can self-propagate.

The average system administrator or home user should not panic about SandWorm. While the reach is pretty broad, because the vulnerability in question affects all versions of the Windows operating system from Vista SP2 to Windows 8.1, and Windows Server editions 2008 and 2012, we have to emphasize that this is a local file format exploit. These are a fairly common class of issue and Microsoft patches these kinds of things routinely. It’s not what we consider to be truly remotely exploitable.

It’s not like Heartbleed or ShellShock, where an attacker could just “do” this to a vulnerable system. An attacker needs to launch a multi-stage attack to take advantage of this vulnerability; they need to have already achieved initial compromise through some other method, possibly social engineering.

Once they do that, the bug is nasty as it allows an attacker to take complete control of the compromised system, but the steps required to get there limit the impact of this vulnerability. It’s worth noting that in the advance notification, Microsoft only called this issue “Important” and patching priority 2, that is, one step down from their most severe ratings and patch urgency.

Of the issues in this month’s patch that are not SandWorm, three of the advisories, MS14-056, MS14-057, and MS14-058, are rated “Critical”, Microsoft’s most severe designation based on the impact of exploitation and the likelihood of an exploit emerging. These cover the IE issue and two issues affecting virtually every supported operating system. They will be the top patching priorities, with the IE issue probably the most at risk for exploitation.

Behind the three critical advisories, there are four issues marked as Important (including the SandWorm vulnerability, MS14-060), enabling either remote code execution or elevation of privilege. Again, most Windows versions are affected, plus in one case, Office and SharePoint. These will be the second patching priority. In the case of MS14-062, the affected Message Queuing component is not installed by default and there are no known active attacks.

It is worth mentioning that the FAT32 issue, MS14-063, requires physical access to exploit. The most likely scenario here is the passing of a malicious USB device.

The issue in ASP .NET MVC, identified by Microsoft as MS14-059, is a security feature bypass and due to the relatively limited exposure of that feature should be addressed on an “if and when” basis.

As usual, we recommend updating your Microsoft systems with these patches as soon as possible.

Author: Ross Barrett, Senior Manager, Security Engineering, Rapid7.
