Trendmicro AV signature for CVE-2014-6352 Windows zero-day flaw in targeted PowerPoint attacks

Posted on 2014-10-24
Medium Priority
Last Modified: 2014-11-11
Is there a Trend Micro OfficeScan AV signature for the following exploits?
So far, Trend Support said they're still checking.

What's the likelihood of being attacked/hacked if we don't have PowerPoint but only web software components (i.e. MS Access, MS Excel)?

Hackers exploit Windows zero-day flaw in targeted PowerPoint attacks
Hackers are exploiting a zero-day vulnerability in Windows using malicious PowerPoint documents, Microsoft and security firms warn.

An advisory from Microsoft warns that the as-yet-unpatched flaw is present in all supported versions of Windows except Windows Server 2003 and has already been abused in "limited, targeted attacks".

The bug (CVE-2014-6352) can be triggered by sending a specially crafted Microsoft Office file to intended targets before tricking them into opening the booby-trapped file.

The specially crafted malicious files would contain a malicious Object Linking and Embedding (OLE) object, a technology used to share data between applications that allows a chart from an Excel spreadsheet to be embedded within a PowerPoint presentation, among other functions. Tricking a user into opening a malicious file results in an infected machine but won't cough up admin privileges to the hacker – at least not by itself. Attacks are likely to generate pop-up warnings and under default settings a User Access Control popup would get displayed.

An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

In a web-based attack scenario, an attacker could host a website that contains a webpage that contains a specially crafted Office file that is used to attempt to exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.

Potential Impact

• Remote Code Execution
• Privilege Escalation
• Data Exfiltration
• Lateral spread in Malware


Below are some suggested best practices and solutions to prevent remote code execution within your organization.

• Ensure all operating systems and public facing machines have the latest versions and security patches, and antivirus software and definitions up to date.
• Be aware of spear phishing emails that may trick you into opening a malicious document or clicking a link to a malicious landing page.
• Ensure systems have a running firewall, unnecessary ports are closed/blocked, and unused services are disabled.
• Ensure that users’ privileges are issued according to their level. This has less impact than giving users administrative rights.
• To reduce the impact of latent vulnerabilities, always run non-administrative software as an unprivileged user with minimal access rights.
• Educate your users to practise safe computing.
• Ensure that relevant personnel are versed in follow-up actions for IT security incidents and recovery procedures.
• Do continue to be vigilant and work closely with your ITSO/ITSM for any escalated security events from the EDMS SOC. Please ensure your contact list for EDMS SOC escalation is up-to-date. In the event of any security incident, please inform EDMS SOC or your ITSO/ITSM immediately.

Microsoft has released workaround and “Fix It” solutions: https://technet.microsoft.com/library/security/3010060#ID0EPG
Question by:sunhux
LVL 49

Assisted Solution

dbrunton earned 480 total points
ID: 40403340
Is there a Trend Micro OfficeScan AV signature for the following exploits?
So far, Trend Support said they're still checking.

One will turn up eventually.  As will a Microsoft fix.

What's the likelihood of being attacked/hacked if we don't have PowerPoint but only web software components (i.e. MS Access, MS Excel)?

It is unlikely that any attacker will know what you have.  Unless they have insider knowledge and you are being deliberately targeted.  It is more likely to be a blind attack working on the assumption that many users will have Microsoft Office installed on their computers (including PowerPoint) and they will strike one silly enough to open a suspicious file.

How to avoid being a victim.  Read the Recommendations in your question.  Best practice is for users to have minimal rights when working on a computer and to be educated as to what to do with unknown emails.  If an email prompts for UAC rights (see the note in the Recommendations) then there is something terribly wrong with that email.
LVL 64

Accepted Solution

btan earned 1200 total points
ID: 40403370
1. They should be coming up, but meanwhile they have the DS solutions below that protect against Sandworm and also protect against these more recent attacks on the original CVE, which is not fully patched. The following DPI rules cover these threats. Hear from support then.

1006290 - Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-4114)
1006291 - Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-4114) – 1

Having said that, even if a threat vector such as a PPT landed on the machine, the exploit may still be detected by TM if known threats are re-used, or common anomalous threat behaviour can still trigger another layer of detection, though at a later stage. It is worse if there is not even an AV/FW on the machine.

Just like when CVE-2014-4114 came in, new evasion techniques evolved but could still be detected: http://blog.trendmicro.com/trendlabs-security-intelligence/new-cve-2014-4114-attacks-seen-one-week-after-fix/

2. Note the difference between the two CVEs: while the original vulnerability (CVE-2014-4114) involved embedded OLE files linking to external files, the newer vulnerability (CVE-2014-6352) relates to OLE files that have the executable payloads embedded within them. As long as there is a threat carrier that can embed OLE, it can still come into the machine, e.g. servers or workstations that open documents with embedded OLE objects are primarily at risk.

So blocking only PPT is just a reactive measure; though the attack surface is minimised, it is still not remediated. An insecure machine that is not hardened minimally to disable unnecessary services, interfaces and accounts is already open to any threat vector (not necessarily this CVE). Also, an OLE object (such as XLS) can be contained in a compound Microsoft Word document, so the latter is also another threat carrier. In other words, blocking the whole MS suite is going to be a knee-jerk response for now... and users are unlikely to live with that block in place.

Note also that user interaction is required to exploit this vulnerability, so educating users about its existence can be useful. Some scenarios can be included for awareness, so be wary and do not open untrusted files, go to untrusted sites or download untrusted content, etc.
In an email attack scenario, an attacker could exploit the vulnerability by sending a specially-crafted file to the user. For this attack scenario to be successful, the user must be convinced to open the specially crafted file containing the malicious OLE object. All Microsoft Office file types as well as many other third-party file types could contain a malicious OLE object.

In a web-based attack scenario, an attacker would have to host a website that contains a specially crafted Microsoft Office file, such as a PowerPoint file, that is used in an attempt to exploit this vulnerability. In addition, compromised websites (and websites that accept or host user-provided content) could contain specially crafted content that could exploit this vulnerability. An attacker would have no method to force users to visit a malicious website. Instead, an attacker would have to persuade the targeted user to visit the website, typically by getting them to click a hyperlink that directs a web browser to the attacker-controlled website.

There is still no patch for this second one, but Microsoft has offered a Fix It and workarounds for blocking known attack vectors. So have the workaround for the time being, and EMET v5 Attack Surface Reduction will be another layer as well.
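Added example, not code from Trend Micro, Microsoft or anyone in this thread: a standard-library triage script that separates the two OLE patterns contrasted above for OOXML documents (an OLE relationship pointing at an external file, versus a compound-file object embedded in the package together with a Packager progId, i.e. an arbitrary file wrapped in OLE). The packages it builds for testing are constructed, the progId/relationship checks are a heuristic for incident triage rather than a vulnerability signature, and the classification labels are the example's own.

```python
import io
import posixpath
import re
import xml.etree.ElementTree as ET
import zipfile

OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound-file header


def classify_ole_objects(package: bytes) -> list:
    """One {'part', 'target', 'kind'} record per OLE relationship in an OOXML zip.
    kind: 'external-link' (OLE object pointing at an outside file, the CVE-2014-4114 style),
    'embedded-packager' (compound file plus a Packager progId, the CVE-2014-6352 style),
    'embedded-cfb' (compound file, other progId) or 'embedded-other'."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        names = set(zf.namelist())
        xml_text = "".join(zf.read(n).decode("utf-8", "replace") for n in names if n.endswith(".xml"))
        packager = "Package" in re.findall(r'progId="([^"]*)"', xml_text)  # any Packager object declared?
        for name in (n for n in names if n.endswith(".rels")):
            part_dir = posixpath.dirname(posixpath.dirname(name))  # "_rels" sits beside its source part
            for rel in ET.fromstring(zf.read(name)).iter("{%s}Relationship" % PKG_NS):
                if rel.get("Type") != OLE_REL:
                    continue
                if rel.get("TargetMode") == "External":
                    findings.append({"part": name, "target": rel.get("Target"), "kind": "external-link"})
                    continue
                path = posixpath.normpath(posixpath.join(part_dir, rel.get("Target", ""))).lstrip("/")
                blob = zf.read(path) if path in names else b""
                if not blob.startswith(CFB_MAGIC):
                    kind = "embedded-other"
                else:
                    kind = "embedded-packager" if packager else "embedded-cfb"
                findings.append({"part": name, "target": path, "kind": kind})
    return findings


def build_sample(external: bool) -> bytes:
    """Constructed minimal PPTX-like package for testing; not a real malicious document."""
    target = 'Target="file:///PLACEHOLDER-HOST/x.gif" TargetMode="External"' if external \
        else 'Target="../embeddings/oleObject1.bin"'
    rels = '<Relationships xmlns="%s"><Relationship Id="rId2" Type="%s" %s/></Relationships>' % (PKG_NS, OLE_REL, target)
    slide = ('<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main">'
             '<p:oleObj progId="%s"/></p:sld>' % ("Constructed.Link" if external else "Package"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", slide)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
        if not external:
            zf.writestr("ppt/embeddings/oleObject1.bin", CFB_MAGIC + b"\0" * 504)  # header-only stub
    return buf.getvalue()
```

Run it over quarantined attachments to decide which of the two patterns a document matches before asking the vendor whether a given DPI rule or pattern file applies; legacy binary .ppt/.doc files are compound files themselves and need an OLE parser rather than this zip walk.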

Author Comment

ID: 40403591
Thanks chaps,

I've got the MS workaround MSI installer for the team, just that governance & our local IT authority are raising queries.

Though we are applying the MS workaround, being paranoid, governance will always want us to have the DPI rule as well as the OfficeScan AV signature updated, thus I'm specifically looking for the OfficeScan signature that deals with this.

Both TippingPoint & Trend Micro IPS support told me they are still working on the signatures for TippingPoint & Deep Security, so I'll just wait for them.

However, for OfficeScan, the Trend support team I'm dealing with told me they don't cover OfficeScan, so I was hoping someone knows anything about an OfficeScan signature that deals with CVE-2014-6352.

LVL 64

Assisted Solution

btan earned 1200 total points
ID: 40403640
No signature per se for any AV, to the best of my knowledge. But as mentioned, such attacks are likely to generate pop-up warnings, and under default settings a User Access Control popup would get displayed. This means that user interaction would be needed to run successful attacks based on CVE-2014-6352 alone, an important limiting factor.

The closest for TM OfficeScan is its Real-time Scan, which already includes OLE scanning, and if there is some "foul" play (such as carrying known exploits), it is likely to trigger, but that is not targeting this CVE-2014-6352 per se.
Scan OLE objects: When a file contains multiple Object Linking and Embedding (OLE) layers, OfficeScan scans up to the number of layers you specify and skips the remaining layers.

Detect exploit code in OLE files: OLE Exploit Detection heuristically identifies malware by checking Microsoft Office files for exploit code.
LVL 82

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 320 total points
ID: 40404488
1. Follow the instructions available here

2. Download and install EMET 5.0

Apply the XML file from #1
<EMET Version="5.0.5324.31801">
  <Settings />
  <!-- dllhost.exe: every memory mitigation off, only Attack Surface Reduction on -->
  <AppConfig Path="*" Executable="dllhost.exe">
    <Mitigation Name="DEP" Enabled="false" />
    <Mitigation Name="SEHOP" Enabled="false" />
    <Mitigation Name="NullPage" Enabled="false" />
    <Mitigation Name="HeapSpray" Enabled="false" />
    <Mitigation Name="EAF" Enabled="false" />
    <Mitigation Name="EAF+" Enabled="false" />
    <Mitigation Name="MandatoryASLR" Enabled="false" />
    <Mitigation Name="BottomUpASLR" Enabled="false" />
    <Mitigation Name="LoadLib" Enabled="false" />
    <Mitigation Name="MemProt" Enabled="false" />
    <Mitigation Name="Caller" Enabled="false" />
    <Mitigation Name="SimExecFlow" Enabled="false" />
    <Mitigation Name="StackPivot" Enabled="false" />
    <Mitigation Name="ASR" Enabled="true">
      <!-- modules ASR stops the process from loading; list as in the Microsoft advisory configuration -->
      <asr_modules>flash*.ocx;packager.dll</asr_modules>
    </Mitigation>
  </AppConfig>
  <!-- POWERPNT.EXE: full mitigation set except EAF+, plus the same ASR module block -->
  <AppConfig Path="*\OFFICE1*" Executable="POWERPNT.EXE">
    <Mitigation Name="DEP" Enabled="true" />
    <Mitigation Name="SEHOP" Enabled="true" />
    <Mitigation Name="NullPage" Enabled="true" />
    <Mitigation Name="HeapSpray" Enabled="true" />
    <Mitigation Name="EAF" Enabled="true" />
    <Mitigation Name="EAF+" Enabled="false" />
    <Mitigation Name="MandatoryASLR" Enabled="true" />
    <Mitigation Name="BottomUpASLR" Enabled="true" />
    <Mitigation Name="LoadLib" Enabled="true" />
    <Mitigation Name="MemProt" Enabled="true" />
    <Mitigation Name="Caller" Enabled="true" />
    <Mitigation Name="SimExecFlow" Enabled="true" />
    <Mitigation Name="StackPivot" Enabled="true" />
    <Mitigation Name="ASR" Enabled="true">
      <asr_modules>flash*.ocx;packager.dll</asr_modules>
    </Mitigation>
  </AppConfig>
</EMET>

LVL 64

Assisted Solution

btan earned 1200 total points
ID: 40404516
If using EMET you will need v5.0 as it comes with ASR, as in the MS advisory. This is rather similar to the TM Real-time Scan plugin scan/block. ASR locks the usage of specific modules or plug-ins within an application. The MS article shares examples.

For ASR, it covers winword.exe/excel.exe/powerpnt.exe
 (1) you can configure EMET to prevent Microsoft Word from loading the Adobe Flash Player plug-in, or, with the support of security zones, you can use EMET to prevent Internet Explorer from loading the Java plug-in on an Internet Zone website while continuing to allow Java on Intranet Zone websites.

(2) Preventing Microsoft Word from launching an Adobe Flash Player file embedded in the document. By default, EMET 5.0 Technical Preview comes pre-configured to block certain plug-ins from being loaded by Internet Explorer, Microsoft Word and Microsoft Excel.

But do some testing in staging with TM and EMET to see if any apps break or there are any IE anomalies (hangs etc.); we do not want to crash ourselves by overdoing it...
LVL 64

Expert Comment

ID: 40405530
Note that the EMET v5 config from MS is using ASR (for flash*.ocx;packager.dll); it disabled EAF, EAF+ & Stack Pivot for "dllhost.exe" but enabled them for "POWERPNT.EXE". Hence it is better to test it out with TM running currently to ensure they do not "crash" one another.
