On October 21, 2014, Microsoft’s Security Advisory team alerted its customers to a recent zero-day attack, which has left all releases of Windows, outside of the 2003 server, vulnerable to remote code execution that hinges on user interaction. Execution is achieved after a user unknowingly opens a Microsoft Office file containing an OLE object and accordingly enables User Account Control, wherein a consent prompt is displayed. OLE stands for Object Linking and Embedding, a technology that, according to Microsoft, “allows applications to share data and functionality, such as the ability to create and edit compound data.”
The attack itself can originate through a distinct email or a link to a larger web page and, to date, such vulnerability has only been discovered in a “limited” number of PowerPoint documents. Nevertheless, successful implementation of the code would allow attackers free reign over user rights associated with the product, a reality especially detrimental to those with administrative rights. As per Microsoft, “an attacker could then install programs; view, change, or delete data; or create new accounts.”
Upon the eventual completion of its investigation, Microsoft notes that it will likely supply a solution within its monthly security update or through an out-of-cycle update, to be determined by customer preference. However, the company does advise users to proactively apply workarounds in order block “known attack vectors,” including a fix it solution entitled “OLE packager Shim Workaround” that supposedly safeguards against exploitation of the vulnerability. Additionally, Microsoft recommends checking User Account Control settings, deploying the Enhanced Mitigation Experience Toolkit 5.0, and configuring Attack Surface Reduction. For full details, visit Microsoft’s Security Advisory.