(CVE-2014-6352) Zero-day vulnerability found in OLE PowerPoint


Object Linking and Embedding (OLE) is nothing new, and it is not even a week since the last vulnerability (CVE-2014-4114) was disclosed by iSight, unveiling a cyber-espionage campaign attributed to the Russian hacking group labelled “Sandworm” that was successfully targeting Windows from Vista SP2 upwards. That has not stopped the newest member of the family coming to light, this time using Microsoft PowerPoint as the attack vector.

CVE-2014-6352 is on a phishing trip, and once again the age-old security awareness wisdom applies: “don’t click on that email you weren’t expecting”. If you receive an email with a PowerPoint attachment, OR ANYTHING for that matter, that you did not expect, DO NOT, I REPEAT, DO NOT click on it, as you may be on the fast track to infecting yourself with a zero-day flaw that is being actively exploited by hackers in the wild.

The Microsoft Advisory states: “In a web-based attack scenario, an attacker would have to host a website that contains a specially crafted Microsoft Office file, such as a PowerPoint file, that is used in an attempt to exploit this vulnerability. In addition, compromised websites (and websites that accept or host user-provided content) could contain specially crafted content that could exploit this vulnerability. An attacker would have no method to force users to visit a malicious website. Instead, an attacker would have to persuade the targeted user to visit the website, typically by getting them to click a hyperlink that directs a web browser to the attacker-controlled website.”

OLE is a tried and tested attack vector and has proven very successful when used in conjunction with social engineering techniques. Let’s face it: if people keep clicking on things that they shouldn’t, this will continue into the future.

One thought I had while writing this: a bad actor who has already compromised a standard user’s system but is having difficulty gaining administrative privileges, and who is aware that the admin(s) open certain documents on a server every so often, would only have to modify one of those files; once it is clicked they are in, and access has been granted, so to speak. I know there are many other methods that would work before this one, but it is an interesting attack vector nonetheless.
