Microsoft Scrambles to Fix Zero-Day Flaw in OLE
A Sandworm variant gets a "Fix it" update, but not yet a full patch. The flaw abuses the same OLE technology that enables the Sandworm bug.Microsoft is once again scrambling to contain a zero-day vulnerability in a software component that it has recently patched. Microsoft's Oct. 4 Patch Tuesday update included fixes for 24 Common Vulnerabilities and Exposures (CVEs), including CVE-2014-4114, also known as Sandworm. On Oct. 21, Microsoft first began to warn its users about a flaw identified as CVE-2014-6352, which abuses the same Microsoft Object Linking and Embedding (OLE) technology that enables the Sandworm vulnerability. OLE is Microsoft's Object Linking and Embedding technology that enables content to be linked inside of documents. "In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted file to the user," Microsoft warns in its advisory. "All Microsoft Office file types as well as many other third-party file types could contain a malicious OLE object."
Security firm Symantec is warning that attackers are already exploiting the new OLE vulnerability. "While the original vulnerability [CVE-2014-4114] involved embedded OLE files linking to external files, the newer vulnerability [CVE-2014-6352] relates to OLE files that have the executable payloads embedded within them," Symantec warned in a blog post.