Microsoft Fixes Dangerous Sandworm Zero-Days Used in APT Attacks

Microsoft has issued a security update fixing dangerous zero-day vulnerabilities being actively used by cybercriminals in targeted attacks.

The Redmond, Wash.-based software maker issued 14 security bulletins, four rated critical, as part of its November 2014 Patch Tuesday updates. Microsoft issued an update to object, linking and embedding (OLE) in Windows, fixing two zero-day vulnerabilities that have been targeted by a group called Sandworm, using malicious PowerPoint and other Office file attachments.

The OLE vulnerabilities impact all supported versions of Windows and enables an attacker to remotely take complete control of an infected system, according to Microsoft. The group behind the Sandworm attacks targeted people at organizations in the United States, Poland, Ukraine and western Europe. The group is believed to have been targeting individuals since 2009, according to researchers at iSIGHT Partners.

[Related: Attackers Actively Targeting Microsoft Windows Zero-Day]

The research firm has been monitoring the Sandworm APT group, which is believed to be located in Russia. The aim was to target government agencies, defense contractors and energy sector firms, iSIGHT said in its report.

The Microsoft update repairs OLE in Windows and a second flaw in the way Internet Explorer accesses objects in memory. The company also issued a broader critical security update for Internet Explorer that addresses 17 vulnerabilities in the browser, including those that can be targeted by attackers remotely.

"The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer," Microsoft said in its security bulletin. "If the current user is logged on with administrative user rights, an attacker could then install programs; view, change or delete data; or create new accounts with full user rights."

An attacker can also host a malicious website targeting the Internet Explorer vulnerability in drive-by attacks, Microsoft said. Victims would typically receive a malicious link embedded in an email forwarding them to the attack website. Microsoft is also urging its customers to deploy and use the Enhanced Mitigation Experience Toolkit version 5.0 which helps prevent attackers from bypassing fixes.

"Do not open Microsoft PowerPoint files that you receive from untrusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted file," Microsoft said.

Solution providers urged IT administrators to test and deploy the patches immediately to protect critical systems and endpoint machines. Once the information is in the wild, financially motivated attackers can take advantage of the vulnerability before patches are deployed.

Attacks from Russia, eastern Europe and China are common and include a mixture of financially motivated cybercriminal gangs and nation-state sponsored cyberespionage attackers.

Organizations need to get serious about addressing vulnerabilities and configuration weaknesses, said Jeremy MacBean, director of business development at IT Weapons, a Brampton, Ontario-based solution provider. Some attackers choose the low-hanging fruit, but well-funded attack campaigns are more sophisticated and can last for years before researchers uncover the custom malware used in the targeted attacks, MacBean said.

"I worry that as more people talk about these kinds of attacks and data breaches that people get desensitized to it and it becomes background noise," MacBean said. "All organizations, including small businesses are caught up in these attacks and a more proactive strategy is needed by everyone."

Microsoft also issued an update to repair a critical flaw in Microsoft Secure Channel, an encryption mechanism in Windows to enable support for SSL and TLS. A critical vulnerability in Microsoft XML Core Services was also addressed by the software maker. The repair prevents an attacker from targeting the vulnerability in drive-by attacks using a malicious website.

Other patches for systems and software were rated less critical by Microsoft and address flaws that enable attackers to elevate privileges, a secondary measure used by cybercriminals once they gain system access. Flaws were addressed in SharePoint, Active Directory, .NET and Windows Audio Service.

PUBLISHED NOV. 11, 2014