sunhux
asked on
Trendmicro AV signature for CVE-2014-6352 Windows zero-day flaw in targeted PowerPoint attacks
Q1:
Is there a Trendmicro OfficeScan AV signature for the following exploit?
So far, Trend Support said they're still checking.
Q2:
What's the likelihood of being attacked/hacked if we don't have PowerPoint but only Web Software Components (i.e. MS Access, MS Excel)?
Hackers exploit Windows zero-day flaw in targeted PowerPoint attacks
Hackers are exploiting a zero-day vulnerability in Windows using malicious PowerPoint documents, Microsoft and security firms warn.
An advisory from Microsoft warns that the as-yet-unpatched flaw is present in all supported versions of Windows except Windows Server 2003 and has already been abused in "limited, targeted attacks".
The bug (CVE-2014-6352) can be triggered by sending a specially crafted Microsoft Office file to intended targets before tricking them into opening the booby-trapped file.
The specially crafted malicious files would contain a malicious Object Linking and Embedding (OLE) object, a technology used to share data between applications that allows a chart from an Excel spreadsheet to be embedded within a PowerPoint presentation, among other functions. Tricking a user into opening a malicious file results in an infected machine but won't cough admin privileges to the hacker – at least not by itself. Attacks are likely to generate pop-up warnings and under default settings a User Access Control popup would get displayed.
An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
In a web-based attack scenario, an attacker could host a website that contains a webpage that contains a specially crafted Office file that is used to attempt to exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.
Potential Impact
· Remote Code Execution
· Privilege Escalation
· Data Exfiltration
· Lateral spread of malware
Recommendations
Below are some suggested best practices and solutions to prevent remote code execution within your organization.
· Ensure all operating systems and public facing machines have the latest versions and security patches, and antivirus software and definitions up to date.
· Be aware of Spear phishing emails that may trick you into opening a malicious document or click a link to a malicious landing page.
· Ensure systems have a running firewall, unnecessary ports are closed/blocked, and unused services are disabled.
· Ensure that users' privileges are issued according to their level; such users are less impacted than those who have administrative rights.
· To reduce the impact of latent vulnerabilities, always run non-administrative software as an unprivileged user with minimal access rights.
· Educate your users to practise safe computing.
· Ensure that relevant personnel are versed in follow up actions of IT security incidents and recovery procedures.
· Do continue to be vigilant and work closely with your ITSO/ITSM for any escalated security events from the EDMS SOC. Please ensure your contact list for EDMS SOC escalation is up-to-date. In the event of any security incident, please inform EDMS SOC or your ITSO/ITSM immediately.
Microsoft has released workaround and “Fix It” solutions: https://technet.microsoft.com/library/security/3010060#ID0EPG
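The advisory quoted above describes the vector as a malicious OLE object inside a crafted Office file (not only PowerPoint), and the EMET note further down the thread ties the mitigation to packager.dll, the OLE Packager. As an added example, not code from the original thread or from Microsoft or Trend Micro, the following Python script triages OOXML documents (.pptx, .xlsx, .docx) for embedded OLE objects and flags the OLE Package form. It assumes only the OOXML layout (embedded objects stored under an embeddings/ folder, the ProgID recorded on the oleObj/OLEObject/oleObject element of the part that references it) and the documented OLE2 facts that a compound file starts with the D0 CF 11 E0 signature and that a Package object carries an "\x01Ole10Native" stream. The sample documents are constructed in memory for the demonstration and are not real malware.

```python
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

# OLE2 compound-file signature and, as UTF-16LE (how OLE2 stores directory
# entry names), the stream name an OLE Package object carries ("\x01Ole10Native").
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
OLE10NATIVE_UTF16 = "Ole10Native".encode("utf-16-le")

# Element names that reference an embedded object in PresentationML (oleObj),
# WordprocessingML (OLEObject) and SpreadsheetML (oleObject); compared case-insensitively.
OLE_TAGS = {"oleobj", "oleobject"}
PROGID_ATTRS = ("progId", "ProgID")


def _localname(tag: str) -> str:
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1].lower()


def scan_ooxml(data: bytes) -> dict:
    """Inspect one OOXML container (bytes) and report its embedded OLE objects.

    Returns {"progids": [(part, progid)], "embeddings": [part], "packages": [part]}.
    """
    report = {"progids": [], "embeddings": [], "packages": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            lower = name.lower()
            if "/embeddings/" in lower:
                blob = z.read(name)
                report["embeddings"].append(name)
                # Heuristic: an OLE2 container whose directory lists Ole10Native
                # is an OLE Package, the object type handled by packager.dll.
                if blob.startswith(OLE2_MAGIC) and OLE10NATIVE_UTF16 in blob:
                    report["packages"].append(name)
            elif lower.endswith(".xml"):
                try:
                    root = ET.fromstring(z.read(name))
                except ET.ParseError:
                    continue
                for el in root.iter():
                    if _localname(el.tag) not in OLE_TAGS:
                        continue
                    for attr in PROGID_ATTRS:
                        if attr in el.attrib:
                            report["progids"].append((name, el.attrib[attr]))
                            break
    return report


def is_suspicious(report: dict) -> bool:
    """True when the document carries an OLE Package object, by content or by ProgID."""
    if report["packages"]:
        return True
    return any(progid.lower() == "package" for _, progid in report["progids"])


def build_sample(with_package: bool) -> bytes:
    """Construct a minimal OOXML-style zip for testing (constructed data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        if with_package:
            slide = ("<p:sld xmlns:p='http://schemas.openxmlformats.org/presentationml/2006/main' "
                     "xmlns:r='http://schemas.openxmlformats.org/officeDocument/2006/relationships'>"
                     "<p:oleObj progId='Package' r:id='rId2'/></p:sld>")
            z.writestr("ppt/slides/slide1.xml", slide)
            # Stand-in for an OLE2 container: the real signature plus the Ole10Native name.
            z.writestr("ppt/embeddings/oleObject1.bin",
                       OLE2_MAGIC + b"\x00" * 16 + b"\x01\x00" + OLE10NATIVE_UTF16)
        else:
            z.writestr("xl/worksheets/sheet1.xml",
                       "<worksheet xmlns='http://schemas.openxmlformats.org/spreadsheetml/2006/main'/>")
    return buf.getvalue()


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            rep = scan_ooxml(fh.read())
        print(path, "SUSPICIOUS" if is_suspicious(rep) else "no OLE package", rep)
```

Run it as `python scan_ole.py suspect.pptx other.xlsx`. Because the check keys on the container rather than on a particular exploit string, it answers the Q2 concern the same way for Excel and Word files as for PowerPoint. Legacy binary formats (.ppt, .xls, .doc) are OLE2 containers themselves rather than zips and are not covered by this script.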
Note that the EMETv5 from MS config is using the ASR (for flash*.ocx;packager.dll) - it disabled EAF, EAF+ & Stack Pivot for "dllhost.exe" but enabled them for the "POWERPNT.EXE". Hence better to test out with the TM running currently to ensure they do not "crash" one another.
ASKER
I've got the MS workaround MSI installer for the team, just that the governance & our local IT authority are raising queries.
Though we are applying the MS workaround, being paranoid, the governance will always want us to have the DPI rule as well as the Officescan AV signature updated, thus I'm specifically looking for an Officescan signature that deals with this.
Both TippingPoint & Trendmicro IPS support told me they are still working on the signatures for TippingPoint & DeepSecurity, so I'll just wait for them.
However, for Officescan, the Trend support team I'm dealing with told me they don't cover Officescan, so I was hoping someone knows of an Officescan signature that deals with CVE-2014-6352.