Microsoft issued an update with the October Patch Tuesday security bulletins to address a zero day vulnerability in Windows used by the Sandworm cyber espionage campaign (MS14-060). Apparently the fix doesn’t fully address the flaws in the vulnerable OLE component, though, because a new, very similar zero day has now been uncovered as well.
I wrote a post about the new vulnerability, and the guidance and Fix It update from Microsoft to mitigate the issue pending a more comprehensive patch:
Microsoft issued a security advisory this week with details of a zero day vulnerability that affects every supported version of the Windows operating system with the exception of Windows Server 2003. The flaw is very similar to the OLE vulnerability patched earlier this month, which was linked to the Sandworm cyber espionage campaign.
Like the vulnerability in MS14-060, this new flaw is exploited through the use of a malicious Microsoft Office file that contains an OLE object. If successfully exploited, the flaw could allow an attacker to execute malicious code remotely on the vulnerable system, with the rights and privileges of the currently logged-in user.
McAfee is credited with helping to identify the new vulnerability while investigating Sandworm. A McAfee blog post explains, “During our investigation, we found that the Microsoft’s official patch is not robust enough. In other words, attackers might still be able to exploit the vulnerability even after the patch is applied. Users who have installed the official patch are still at risk.”
Read the full story at PCWorld: What you need to know about new zero day that hits most supported Windows versions.