Windows 0-day exploited in ongoing attacks, temporary workarounds offered

Microsoft is warning users about a new Windows zero-day vulnerability that is being actively exploited in the wild. It is primarily a risk to users of servers and workstations that open documents containing embedded OLE objects.

The vulnerability is currently being exploited via PowerPoint files: specially crafted presentations that contain a malicious OLE (Object Linking and Embedding) object.

“Object Linking & Embedding (OLE) is legitimately used to display parts of a file within another file, e.g. to display a chart from an Excel Spreadsheet within a PowerPoint presentation,” noted Mark Sparshott, EMEA director at Proofpoint.

“This is not the first time that a vulnerability in OLE has been exploited by cybercriminals, however most previous OLE vulnerabilities have been limited to specific older versions of the Windows operating system. What makes this vulnerability dangerous is that it affects the latest fully patched versions of Windows.”

“User interaction is required to exploit this vulnerability,” Microsoft explained in the security advisory. “In an email attack scenario, an attacker could exploit the vulnerability by sending a specially-crafted file to the user. For this attack scenario to be successful, the user must be convinced to open the specially crafted file containing the malicious OLE object. All Microsoft Office file types as well as many other third-party file types could contain a malicious OLE object.”

“In a web-based attack scenario, an attacker would have to host a website that contains a specially crafted Microsoft Office file, such as a PowerPoint file, that is used in an attempt to exploit this vulnerability,” they noted. “In addition, compromised websites (and websites that accept or host user-provided content) could contain specially crafted content that could exploit this vulnerability. An attacker would have no method to force users to visit a malicious website. Instead, an attacker would have to persuade the targeted user to visit the website, typically by getting them to click a hyperlink that directs a web browser to the attacker-controlled website.”

Successful exploitation gives the attacker the same user rights as the current user. If that user has administrative rights, the attacker can install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured with fewer rights on the system are correspondingly less exposed than those who operate with administrative rights.

The vulnerability affects all supported Windows versions, and there is currently no patch for it. Microsoft is still investigating the matter and has not yet said whether it will issue an out-of-band patch or wait for the next Patch Tuesday to plug the hole.

In the meantime, the company has shared workarounds that help block known attack vectors.

Users can apply a specific Fix It solution; keep User Account Control (UAC) enabled, since in the attacks observed so far it displays a consent or credential prompt when the exploit tries to run with elevated rights, and a user who declines that prompt blocks the attack; and deploy the Enhanced Mitigation Experience Toolkit (EMET) 5.0 with Attack Surface Reduction configured (Microsoft's advisory contains the configuration instructions).

In addition to all this, users should not open PowerPoint files, other Office files, or any other files received or downloaded from untrusted sources.
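One way a mail gateway or triage script can apply that advice mechanically, before an attachment reaches a user, is to inspect each incoming Office file for embedded OLE objects. The check below is an added example and is not code from the article, from Microsoft, or from the quoted vendors. It relies only on standard packaging facts: OOXML files (.pptx, .docx, .xlsx) are zip packages whose embedded objects are stored under an embeddings/ folder and declared with the oleObject content type, while legacy .ppt, .doc and .xls files are themselves OLE2 compound documents that start with a fixed 8-byte signature. The decision to quarantine every file that carries an embedding is a policy assumption for illustration, and the sample package is constructed in memory rather than being a real presentation.

```python
"""Triage check for Office documents carrying embedded OLE objects.

Added example, not code from the article or from Microsoft. The packaging
layout it inspects is standard; the quarantine-everything policy is an
assumption for illustration, and the sample package is constructed here.
"""
import io
import zipfile

# Magic bytes of an OLE2 (Compound File Binary) document. Legacy .ppt/.doc/.xls
# files start this way, and so do most OLE objects embedded in OOXML packages.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"

# Folders where Word, Excel and PowerPoint OOXML packages store embedded objects.
EMBED_DIRS = ("word/embeddings/", "xl/embeddings/", "ppt/embeddings/")
OLE_CONTENT_TYPE = b"application/vnd.openxmlformats-officedocument.oleObject"


def find_embedded_ole(data: bytes) -> list:
    """Return [(member, reason), ...] for every sign of an embedded OLE object.

    An empty list means this check found nothing; it is a gateway triage
    heuristic, not proof that the file is safe.
    """
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: the whole file is an OLE container. Embedded
        # objects sit in its internal storages, which this check does not
        # parse, so the file is flagged for deeper inspection as a whole.
        return [("<file>", "legacy OLE compound document")]
    if not data.startswith(ZIP_MAGIC):
        return []

    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = pkg.namelist()
            # The package manifest declares every part's content type; an
            # oleObject declaration is the cleanest signal.
            if "[Content_Types].xml" in names and OLE_CONTENT_TYPE in pkg.read("[Content_Types].xml"):
                hits.append(("[Content_Types].xml", "declares an oleObject part"))
            for name in names:
                if name.startswith(EMBED_DIRS):
                    head = pkg.read(name)[:8]
                    kind = "OLE compound file" if head == OLE_MAGIC else "non-OLE payload"
                    hits.append((name, f"embedded object ({kind})"))
                elif name.endswith(".bin") and pkg.read(name)[:8] == OLE_MAGIC:
                    # An OLE blob stashed outside the usual folder is still an
                    # OLE object once the document's relationships point to it.
                    hits.append((name, "OLE compound file outside embeddings folder"))
    except zipfile.BadZipFile:
        # A zip signature without a valid central directory is itself a reason
        # to hold the file: Office would not open it, but a parser might.
        return [("<file>", "malformed zip container")]
    return hits


def should_quarantine(data: bytes) -> bool:
    """Policy assumed here: hold any file in which the check found something."""
    return bool(find_embedded_ole(data))


def build_sample_pptx(with_ole: bool) -> bytes:
    """Construct a minimal PowerPoint-style package in memory (sample data,
    not a real presentation), with or without an embedded OLE object."""
    content_types = (
        b'<?xml version="1.0" encoding="UTF-8"?>'
        b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        b'<Default Extension="xml" ContentType="application/xml"/>'
    )
    if with_ole:
        content_types += b'<Default Extension="bin" ContentType="' + OLE_CONTENT_TYPE + b'"/>'
    content_types += b"</Types>"

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", content_types)
        pkg.writestr("ppt/presentation.xml", b"<p:presentation/>")
        pkg.writestr("ppt/slides/slide1.xml", b"<p:sld/>")
        if with_ole:
            # One 512-byte header sector: the magic plus zero padding is enough
            # for the signature check; a real object carries a full directory.
            pkg.writestr("ppt/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_sample_pptx(False)), ("with OLE", build_sample_pptx(True))):
        print(label, should_quarantine(blob), find_embedded_ole(blob))
```

A positive result identifies the container an attack of this kind needs, not the exploit itself; the article gives no details of the malicious object, so the check cannot and does not try to recognise it. Since legitimate documents embed charts and spreadsheets in exactly the same way, a hit is a reason to hold the file for sandboxing or manual review rather than to delete it outright.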

“Users should also always be mindful of emails containing links or files even from sources they trust. It’s better to delete and ask the sender to send again than to chance being infected and opening up your whole business network to malware attack,” Mark James, security expert at ESET, pointed out.

“The race is on,” warns Sparshott. “Cybercriminals will use phishing and longlining emails containing URL links to websites hosting malicious files that exploit this vulnerability, or attach the malicious file to the email itself. While Microsoft and security vendors rush to close the security hole, the best form of defence remains using the latest next generation detection technologies such as sandboxing at the email gateway to prevent the emails reaching users in the first place. Organisations not yet using advanced detection tools will need to fall back to notifying users and relying on them not to click the links and open files. Unfortunately, Proofpoint’s Human Factor Report highlighted that staff click on 1 in 10 malicious links on average, so cybercriminals will see a lot of success before the security gap on this vulnerability is closed.”