With this month’s Patch Tuesday, Microsoft has provided patches for several critical vulnerabilities that allow remote code execution, some of which have been or are actively exploited in the wild.
We have already written about the SandWorm (CVE-2014-4114), which was used by the eponymous cyber espionage group for targeting NATO, the EU, Ukrainian and Polish government organizations, and European companies in the telecommunications and energy sectors.
The vulnerability could allow remote code execution if a user opens a Microsoft Office file that contains a specially crafted OLE (Object Linking and Embedding) object.
Another critical update is that for two privately reported vulnerabilities in Microsoft Windows, and the more severe of the two (CVE-2014-4148) also “allows remote code execution if an attacker convinces a user to open a specially crafted document or to visit an untrusted website that contains embedded TrueType fonts.”
The second one is an elevation of privilege vulnerability (CVE-2014-4113) that is triggered when the Windows kernel-mode driver improperly handles objects in memory. To exploit this vulnerability, an attacker must have valid logon credentials and be able to log on locally, Microsoft noted in the bulletin.
Microsoft is aware of “limited attacks” trying to exploit these two vulnerabilities, but has not named the attackers. According to Symantec, there are reports that CVE-2014-4148 is being used to gain remote access into an international organization.
The vulnerability is exploited through a document with a malicious TrueType Font, and delivers a “somewhat sophisticated remote access Trojan (RAT) that would run from memory” onto the targeted computer.
CrowdStrike reports that the CVE-2014-4113 vulnerability, which affects all Windows operating systems from Windows 2000 through Windows 7, has been leveraged by Hurricane Panda, “a highly advanced adversary believed to be of Chinese origin and known to be targeting infrastructure companies.” For more technical details, check out their blog post.