Microsoft October Patch Tuesday Tackles Zero-Day Vulnerabilities

Sandworm is just one of multiple zero-day flaws that have been actively exploited that Microsoft is patching.

software flaws

Microsoft is out with one of its October Patch Tuesday releases, which includes eight different security advisories patching 24 Common Vulnerabilities and Exposures (CVEs), including several zero-day flaws that have been actively exploited.

Among the zero-day flaws patched is CVE-2014-4114, which has been dubbed "Sandworm" and has already been used in attacks against NATO and the European Union. Microsoft is providing a patch for CVE-2014-4114 with it MS14-060 update.

"A vulnerability exists in Windows OLE that could allow remote code execution if a user opens a file that contains a specially crafted OLE object," Microsoft warns in its advisory. "An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user." OLE is Microsoft's Object Linking and Embedding technology that enables content to be linked inside of documents.

iSight Partners first found evidence of the CVE-2014-4114 issue on Sept. 3 with an attack that leveraged the exploit in a malicious PowerPoint presentation. The vulnerability is being dubbed Sandworm by iSight due to references in the code to the classic Dune science fiction series, where sandworms play a pivotal role.

Another zero-day flaw fixed in the October Patch Tuesday update is CVE-2014-4113, which is a privilege escalation vulnerability. This flaw too has been actively exploiting users. Security firm Crowdstrike is attributing attacks leveraging CVE-2014-4113 to a Chinese malware group that it refers to as Hurricane Panda.

Crowdstrike isn't the only security vendor that detected CVE-2014-4113, as FireEye also reported the issue to Microsoft, along with an additional flaw identified as CVE-2014-4148. The CVE-2014-4148 flaw is a TrueType font parsing remote code execution vulnerability.

Microsoft is patching both CVE-2014-4113 and CVE-2014-4148 in MS14-058, which is titled "Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution."

Dan Caselden, senior malware researcher at FireEye, explained to eWEEK that in the case of CVE-2014-4148, an attacker creates a custom malicious font and embeds the font in some media (e.g., a Web page or a document). The malicious media is then delivered to a victim with the hope that he or she opens the document or Web page.

"The program that parses the media (in this case, Microsoft Word) passes the font on to the Windows kernel," Caselden said. "The Windows kernel incorrectly parses the font, resulting in an exploitable state."

As has been the case throughout 2014, Microsoft is including a cumulative security update for its Internet Explorer browser as part of the Patch Tuesday update. For October, the MS14-056 IE update patches 14 security vulnerabilities in Microsoft's Web browser. The majority of the vulnerabilities are memory corruption issues that could lead to arbitrary code execution. Microsoft credits Context Information Security, Palo Alto Networks, VeriSign iDefense Labs, Hewlett-Packard's Zero Day Initiative and Qihoo 360 for reporting the IE vulnerabilities.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.