You’ve probably heard of Sandworm.
That’s the somewhat sneakily misnamed vulnerability (it’s not actually a worm) that made headlines mid-way through October 2014.
Technically, Sandworm was a zero-day, because it was apparently seen in a real-world targeted attack before it was fixed by Microsoft.
Officially, it was dubbed CVE-2014-4114, and patched in Bulletin MS14-060 of Microsoft’s October 2014 Patch Tuesday.
How Sandworm worked
The attack relied on .PPTX (PowerPoint) files that contained embedded OLE content.
OLE, short for Object Linking and Embedding, is a long-serving Microsoft technology for packaging files such as text, images and even programs into a container file, a bit like a special-purpose ZIP file or tarball.
In the attack, the .PPTX file was used to deliver an OLE container that linked to what seemed to be a .GIF image and an .INF file.
INF is the Windows extension given to a special sort of information file used during software setup.
The .GIF file was, in fact, an .EXE (program) file renamed to make it look like a harmless image, something you might expect to find referenced in a presentation.
The exploit tricked PowerPoint into delivering these files onto your hard disk without warning.
As undesirable as this might sound, there should have been no immediate danger: the .GIF ought simply to have sat there as a harmlessly inert BLOB of data.
But the attackers found that they could “execute” the .INF file, too. (INFs act as scripts, though without the general power of batch files or PowerShell programs.)
They couldn’t launch the malware directly, but they could get it to run indirectly.
Using the .INF file, they renamed the .GIF as a regular program, and set a special entry called RunOnce in the registry that would fire up the malware next time you logged on.
A bit of a roundabout route, to be sure, but perfectly effective for an attacker with a modicum of patience.
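The chain described above leaves a few artifacts that a defender can look for inside the .PPTX itself: a linked (external) OLE object rather than an embedded one, an OLE link whose target is an .INF file, and a part that claims to be an image but carries a Windows executable header. The following scanner is an added example, not code from Sophos or Microsoft. It relies on the standard OOXML package layout (a .PPTX is a ZIP, with per-slide relationship files under ppt/slides/_rels/ and the oleObject relationship type marked TargetMode="External" for linked objects); the sample package it checks is constructed in memory and is not a real exploit document. It is a triage aid, not a replacement for the MS14-060 patch and the Fix it.

```python
"""Flag Sandworm-style indicators in a .pptx (added example, not Sophos code)."""
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML relationship identifiers (these are real, not assumed).
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
IMAGE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
IMAGE_EXTS = {".gif", ".png", ".jpg", ".jpeg", ".bmp"}


def scan_pptx(data: bytes) -> list[str]:
    """Return human-readable findings for a .pptx given as bytes (empty list = nothing suspicious)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            # 1. Inspect every relationship file for OLE objects.
            if name.endswith(".rels"):
                root = ET.fromstring(pkg.read(name))
                for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                    if rel.get("Type") != OLE_REL_TYPE:
                        continue
                    target = rel.get("Target", "")
                    target_ext = posixpath.splitext(target.lower())[1]
                    # Linked (not embedded) OLE content is fetched from elsewhere at open time.
                    if rel.get("TargetMode") == "External":
                        findings.append(f"{name}: OLE object linked to external target {target!r}")
                    # An INF is a setup script, never a normal thing to find in a slide deck.
                    if target_ext == ".inf":
                        findings.append(f"{name}: OLE object references an INF file {target!r}")
            # 2. Check that parts named like images really are images, not PE files.
            part_ext = posixpath.splitext(name.lower())[1]
            if part_ext in IMAGE_EXTS and pkg.read(name)[:2] == b"MZ":
                findings.append(f"{name}: named as an image but starts with a PE 'MZ' header")
    return findings


def build_sample_pptx(suspicious: bool = True) -> bytes:
    """Construct a minimal package in memory (constructed sample, not a real document).

    suspicious=True  -> external OLE links to a .gif and an .inf, plus a fake image.
    suspicious=False -> one ordinary embedded image with a genuine GIF header.
    """
    if suspicious:
        rels_body = (
            f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
            'Target="file:///\\\\fileserver.example\\share\\slide1.gif" TargetMode="External"/>'
            f'<Relationship Id="rId3" Type="{OLE_REL_TYPE}" '
            'Target="file:///\\\\fileserver.example\\share\\slides.inf" TargetMode="External"/>'
            f'<Relationship Id="rId4" Type="{IMAGE_REL_TYPE}" Target="../media/image1.gif"/>'
        )
        image_bytes = b"MZ\x90\x00" + b"\x00" * 60  # PE header, not GIF data
    else:
        rels_body = f'<Relationship Id="rId2" Type="{IMAGE_REL_TYPE}" Target="../media/image1.gif"/>'
        image_bytes = b"GIF89a" + b"\x00" * 60  # genuine GIF magic
    rels = f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{RELS_NS}">{rels_body}</Relationships>'

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("ppt/slides/slide1.xml", "<sld/>")
        pkg.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
        pkg.writestr("ppt/media/image1.gif", image_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("suspicious", True), ("clean", False)):
        print(f"--- {label} sample ---")
        for line in scan_pptx(build_sample_pptx(suspicious=flag)) or ["no findings"]:
            print(line)
```

To run it against a real file, read the .pptx into bytes and pass them to scan_pptx(); the check deliberately looks only at package metadata and the first two bytes of each image part, so it is cheap enough to drop into a mail-gateway or upload-filter pipeline.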
If you followed the original Sandworm story, you probably noticed that Microsoft published Security Advisory 3010060 on 21 October 2014 for a vulnerability called CVE-2014-6352.
This advisory is entitled “Vulnerability in Microsoft OLE Could Allow Remote Code Execution,” just like the Sandworm bulletin issued on Patch Tuesday.
This raises the question, “Isn’t this the same thing that was already patched?”
The answer, if you will pardon what sounds like prevarication, is, “Yes and no.”
It seems that the MS14-060 patch doesn’t close all possible ways of devising a “Sandworm” attack, so Microsoft’s new advisory provides additional protection against PowerPoint-INF-and-GIF cocktail attacks.
You can apply the extra protection by means of what Microsoft calls a Fix it, a temporary patch that can be added (and removed, just in case you have problems with it) simply by clicking a button on the relevant web page.
Unfortunately, the Fix it doesn’t work if you have the 64-bit version of PowerPoint on Windows 8 or Windows 8.1, but all other combinations are protected.
→ Strictly speaking, 64-bit PowerPoint on 64-bit Server 2012 versions can’t be protected this way either. But that’s a moot point, because you don’t have Office installed on your servers, do you?
As far as we can tell, Sophos products will block many, if not most, Sandworm-based attacks proactively, detecting them as Troj/20144114-A.
That detection identity was released around the time of the October 2014 Patch Tuesday.
We have also published additional protection as Troj/20146352-A to deal with possible modifications of the original attack that might sneak past both MS14-060 and Troj/20144114-A.
What to do?
In point form, here is what you need to know:
- The “Sandworm” hole is mostly patched by Microsoft, but the new Fix it will provide additional safety for many users.
- Anti-malware products should be able to block PowerPoint files that are crafted to exploit this vulnerability.
- Email and web filtering products can help you protect your users from PowerPoint files from unexpected or untrusted sources.
- Don’t blindly trust PowerPoint files from people you don’t know, even if they sound important because they claim to be undelivered courier items or wrongly-billed invoices.
- Consider using Application Control to minimise the software that can be installed and used on your servers, in order to limit your attack surface area.
3 comments on “Has the “Sandworm” zero-day exploit burrowed back to the surface?”
If I don’t have PowerPoint installed, do I need to be concerned?
In theory, yes, because the bug seems to be in a part of Windows that applies to a special sort of file that might be embedded in lots of other file types, not just PowerPoint presentations.
In practice, as far as I am aware, the crooks only know how to deliver a warhead by embedding the danger-file inside PowerPoints, so you can relax a bit.
Of course: if you apply the Patch Tuesday update and the Fix it, you can relax anyway.
Unless…tell me it’s not true…you are running XP (if so, you need to be concerned :-).
About installing MS-Office on servers, I can think of two reasonable scenarios where that could happen: (1) terminal servers and (2) power users that have a server class OS for their desktop/notebook machine.