Trendmicro AV signature for CVE-2014-6352 Windows zero-day flaw in targeted PowerPoint attacks

Is there a Trend Micro OfficeScan AV signature for the following exploits?
So far, Trend Support said they're still checking.

What's the likelihood of being attacked/hacked if we don't have PowerPoint but only Web Software Components (i.e. MS Access, MS Excel)?

Hackers exploit Windows zero-day flaw in targeted PowerPoint attacks
Hackers are exploiting a zero-day vulnerability in Windows using malicious PowerPoint documents, Microsoft and security firms warn.

An advisory from Microsoft warns that the as-yet-unpatched flaw is present in all supported versions of Windows except Windows Server 2003 and has already been abused in "limited, targeted attacks".

The bug (CVE-2014-6352) can be triggered by sending specially crafted Microsoft Office files to intended targets and tricking them into opening the booby-trapped files.

The specially crafted malicious files contain a malicious Object Linking and Embedding (OLE) object. OLE is a technology used to share data between applications; among other functions, it allows a chart from an Excel spreadsheet to be embedded in a PowerPoint presentation. Tricking a user into opening a malicious file results in an infected machine but won't cough up admin privileges to the hacker – at least not by itself. Attacks are likely to generate pop-up warnings, and under default settings a User Access Control popup would get displayed.

An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

In a web-based attack scenario, an attacker could host a website that contains a webpage that contains a specially crafted Office file that is used to attempt to exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.

Potential Impact

· Remote Code Execution
· Privilege Escalation
· Data Exfiltration
· Lateral spread of malware


Below are some suggested best practices and solutions to prevent remote code execution within your organization.

· Ensure all operating systems and public-facing machines have the latest versions and security patches, and that antivirus software and definitions are up to date.
· Be aware of spear-phishing emails that may trick you into opening a malicious document or clicking a link to a malicious landing page.
· Ensure systems have a running firewall, unnecessary ports are closed/blocked, and unused services are disabled.
· Ensure that users' privileges are issued according to their role; users with fewer rights are less impacted than those with administrative rights.
· To reduce the impact of latent vulnerabilities, always run non-administrative software as an unprivileged user with minimal access rights.
· Educate your users to practise safe computing.
· Ensure that relevant personnel are versed in the follow-up actions for IT security incidents and in recovery procedures.
· Do continue to be vigilant and work closely with your ITSO/ITSM on any escalated security events from the EDMS SOC. Please ensure your contact list for EDMS SOC escalation is up to date. In the event of any security incident, please inform EDMS SOC or your ITSO/ITSM immediately.

Microsoft has released workarounds and “Fix It” solutions:
dbrunton commented:
Is there a Trendmicro's Officescan AV signature for the following exploits?
So far, Trend Support said they're still checking.

One will turn up eventually.  As will a Microsoft fix.

What's the likelihood of being attacked/hacked if we don't have Powerpoint but only Web Software Components (ie MS Access, MS Excel) ?

It is unlikely that any attacker will know what you have, unless they have insider knowledge and you are being deliberately targeted. It is more likely to be a blind attack working on the assumption that many users will have Microsoft Office installed on their computers (including PowerPoint) and that they will strike one silly enough to open a suspicious file.


How to avoid being a victim: read the Recommendations in your question. Best practice is for users to have minimal rights when working on a computer and to be educated as to what to do with unknown emails. If an email prompts for UAC rights (see the note in the Recommendations) then there is something terribly wrong with that email.
btan (Exec Consultant) commented:
1. They should be coming up, but meanwhile they have the Deep Security (DS) solutions below, which protect against Sandworm and also protect against these more recent attacks (the original CVE that is not fully patched). The following DPI rules cover these threats. Hear from support then.

1006290 - Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-4114)
1006291 - Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-4114) – 1

Having said that, even if a threat vector such as a PPT landed on the machine, the exploit may still be detected by TM if known threats are re-used, or common anomalous threat behaviour can still trigger another layer of detection, though at a later stage. It is worse if there is not even an AV/FW on the machine.

Just like when CVE-2014-4114 came in, new evasion techniques evolved but can still be detected.

2. Note the difference between the two CVEs: while the original vulnerability (CVE-2014-4114) involved embedded OLE files linking to external files, the newer vulnerability (CVE-2014-6352) relates to OLE files that have the executable payloads embedded within them. As long as there is a threat carrier that can embed OLE, it can still come into the machine; e.g. servers or workstations that open documents with embedded OLE objects are primarily at risk.

So blocking only PPT is just a reactive measure; although the attack surface is minimised, it is still not remediated. An insecure machine that is not minimally hardened (unnecessary services, interfaces and accounts disabled) is already open to any threat vector (not necessarily this CVE). Also, an OLE object (such as an XLS) can be contained in a compound Microsoft Word document, so the latter is another threat carrier. In other words, blocking the whole MS suite is going to be a knee-jerk response for now... and users are unlikely to live with that block in place.

Note also that user interaction is required to exploit this vulnerability, so educating users about its existence can be useful. Some scenarios to include for awareness (so users are wary and do not open untrusted files, go to untrusted sites, download untrusted content, etc.):
In an email attack scenario, an attacker could exploit the vulnerability by sending a specially-crafted file to the user. For this attack scenario to be successful, the user must be convinced to open the specially crafted file containing the malicious OLE object. All Microsoft Office file types as well as many other third-party file types could contain a malicious OLE object.

In a web-based attack scenario, an attacker would have to host a website that contains a specially crafted Microsoft Office file, such as a PowerPoint file, that is used in an attempt to exploit this vulnerability. In addition, compromised websites (and websites that accept or host user-provided content) could contain specially crafted content that could exploit this vulnerability. An attacker would have no method to force users to visit a malicious website. Instead, an attacker would have to persuade the targeted user to visit the website, typically by getting them to click a hyperlink that directs a web browser to the attacker-controlled website.

There is still no patch for this second one, but Microsoft has offered a Fix It and workarounds for blocking known attack vectors. So apply the workaround for the time being, and EMET v5 Attack Surface Reduction will be another layer as well.

sunhux (Author) commented:
Thanks chaps,

I've got the MS workaround MSI installer for the team; it's just that governance & our local IT authority are raising queries.

Though we are applying the MS workaround, being paranoid, governance will always want us to have the DPI rule as well as the OfficeScan AV signature updated, thus I'm specifically looking for an OfficeScan signature that deals with this.

Both TippingPoint & Trend Micro IPS support told me they are still working on the signatures for TippingPoint & Deep Security, so I'll just wait for them.

However, for OfficeScan, the Trend support team I'm dealing with told me they don't cover OfficeScan, so I was hoping someone knows anything about an OfficeScan signature that deals with this CVE-2014-6352.
btan (Exec Consultant) commented:
No signature per se for any AV, to the best of my knowledge. But as mentioned, such attacks are likely to generate pop-up warnings, and under default settings a User Access Control popup would get displayed. This means that user interaction would be needed to run successful attacks based on CVE-2014-6352 alone, an important limiting factor.

The closest for TM OfficeScan is its Real-time Scan, which already includes OLE scanning, and if there is some "foul" play (as shared, carrying known exploits) it is likely to trigger, but that is not targeting this CVE-2014-6352 per se.
Scan OLE objects: When a file contains multiple Object Linking and Embedding (OLE) layers, OfficeScan scans up to the number of layers you specify and skips the remaining layers.

Detect exploit code in OLE files: OLE Exploit Detection heuristically identifies malware by checking Microsoft Office files for exploit code.
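The two OfficeScan settings quoted above, and btan's earlier point that any carrier able to embed OLE (an XLS inside a Word document, an object inside a PPT) is a vector, both come down to walking a document's embeddings to a configured depth. The following script is an added illustration, not code from this thread, from Trend Micro or from Microsoft: it walks an OOXML container (.docx/.pptx/.xlsx are ZIP files with objects under `*/embeddings/`), recurses into packaged Office files, flags anything carrying the OLE2 compound-file signature, and stops at a layer limit so that what a "scan up to N layers" setting leaves uninspected is reported rather than silently dropped. The sample .pptx-like document is constructed in the script (three layers deep), the function and class names are mine, and legacy OLE2 binaries (.doc/.ppt) are only recognised by magic bytes, not parsed.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Magic bytes: OLE2 compound file (legacy .doc/.ppt/.xls and embedded oleObject*.bin)
# and ZIP local-file header (OOXML .docx/.pptx/.xlsx are ZIP containers).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"


@dataclass
class OleScanResult:
    ole_objects: list = field(default_factory=list)  # paths of OLE binaries that were reached
    skipped: list = field(default_factory=list)      # embeddings left unscanned by the layer limit


def scan_for_ole(data, max_layers, layer=1, path="<root>", result=None):
    """Walk a document and its embeddings, descending at most `max_layers` deep.

    Layer 1 is the document itself, layer 2 its embeddings, and so on, mirroring a
    scanner that inspects "up to N OLE layers" and skips whatever lies deeper.
    """
    if result is None:
        result = OleScanResult()
    if data.startswith(OLE2_MAGIC):
        # Legacy binary container or an embedded oleObject*.bin: report it. Enumerating
        # its internal streams would need a structured-storage parser (not done here).
        result.ole_objects.append(path)
        return result
    if not data.startswith(ZIP_MAGIC):
        return result  # not an Office container this walker understands
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # OOXML keeps embedded objects under word/, ppt/ or xl/ "embeddings/".
            if "/embeddings/" not in name:
                continue
            child = f"{path}/{name}"
            if layer >= max_layers:
                result.skipped.append(child)  # beyond the configured depth: not inspected
                continue
            scan_for_ole(zf.read(name), max_layers, layer + 1, child, result)
    return result


def build_sample_pptx():
    """Constructed sample: a minimal .pptx-like ZIP with two embeddings, one of which
    is a packaged .xlsx that itself carries an OLE object (three layers deep)."""
    fake_ole = OLE2_MAGIC + b"\x00" * 504  # header-only stand-in, not a real OLE stream
    xlsx = io.BytesIO()
    with zipfile.ZipFile(xlsx, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/embeddings/oleObject1.bin", fake_ole)
    pptx = io.BytesIO()
    with zipfile.ZipFile(pptx, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/presentation.xml", "<presentation/>")
        zf.writestr("ppt/embeddings/Microsoft_Excel_Worksheet1.xlsx", xlsx.getvalue())
        zf.writestr("ppt/embeddings/oleObject1.bin", fake_ole)
    return pptx.getvalue()


if __name__ == "__main__":
    doc = build_sample_pptx()
    for depth in (1, 2, 3):
        r = scan_for_ole(doc, max_layers=depth)
        print(f"max_layers={depth}: found {len(r.ole_objects)} OLE object(s), "
              f"skipped {len(r.skipped)} embedding(s)")
        for p in r.skipped:
            print("  not inspected:", p)
```

Run against the constructed sample, a limit of 1 inspects nothing below the top-level file, a limit of 2 finds the directly embedded object but never looks inside the packaged workbook, and only a limit of 3 reaches the object nested in it. The `skipped` list is the practical takeaway: whatever layer limit a scanner is set to, anything deeper is an unscanned blind spot, which is why the thread's advice to rely on least privilege and user awareness rather than on a single AV layer holds.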
David Johnson, CD, MVP (Owner) commented:
1. Follow the instructions available here

2. Download and install EMET 5.0

Apply the XML file from #1:
<EMET Version="5.0.5324.31801">
  <Settings />
  <!-- The EMET_Apps container, closing tags and the ASR module list (flash*.ocx;packager.dll,
       as named later in this thread) were lost in the paste and are restored here following
       the EMET 5 export format. -->
  <EMET_Apps>
    <AppConfig Path="*" Executable="dllhost.exe">
      <Mitigation Name="DEP" Enabled="false" />
      <Mitigation Name="SEHOP" Enabled="false" />
      <Mitigation Name="NullPage" Enabled="false" />
      <Mitigation Name="HeapSpray" Enabled="false" />
      <Mitigation Name="EAF" Enabled="false" />
      <Mitigation Name="EAF+" Enabled="false" />
      <Mitigation Name="MandatoryASLR" Enabled="false" />
      <Mitigation Name="BottomUpASLR" Enabled="false" />
      <Mitigation Name="LoadLib" Enabled="false" />
      <Mitigation Name="MemProt" Enabled="false" />
      <Mitigation Name="Caller" Enabled="false" />
      <Mitigation Name="SimExecFlow" Enabled="false" />
      <Mitigation Name="StackPivot" Enabled="false" />
      <Mitigation Name="ASR" Enabled="true">
        <asr_modules>
          <asr_module name="flash*.ocx;packager.dll" />
        </asr_modules>
      </Mitigation>
    </AppConfig>
    <AppConfig Path="*\OFFICE1*" Executable="POWERPNT.EXE">
      <Mitigation Name="DEP" Enabled="true" />
      <Mitigation Name="SEHOP" Enabled="true" />
      <Mitigation Name="NullPage" Enabled="true" />
      <Mitigation Name="HeapSpray" Enabled="true" />
      <Mitigation Name="EAF" Enabled="true" />
      <Mitigation Name="EAF+" Enabled="false" />
      <Mitigation Name="MandatoryASLR" Enabled="true" />
      <Mitigation Name="BottomUpASLR" Enabled="true" />
      <Mitigation Name="LoadLib" Enabled="true" />
      <Mitigation Name="MemProt" Enabled="true" />
      <Mitigation Name="Caller" Enabled="true" />
      <Mitigation Name="SimExecFlow" Enabled="true" />
      <Mitigation Name="StackPivot" Enabled="true" />
      <Mitigation Name="ASR" Enabled="true">
        <asr_modules>
          <asr_module name="flash*.ocx;packager.dll" />
        </asr_modules>
      </Mitigation>
    </AppConfig>
  </EMET_Apps>
</EMET>


btan (Exec Consultant) commented:
If using EMET you will need v5.0, as it comes with ASR, as in the MS advisory. This is rather similar to the TM Real-time Scan plugin scan/block. ASR locks the usage of specific modules or plug-ins within an application. The MS article shares examples.

For ASR, it covers winword.exe/excel.exe/powerpnt.exe.
(1) You can configure EMET to prevent Microsoft Word from loading the Adobe Flash Player plug-in, or, with the support of security zones, you can use EMET to prevent Internet Explorer from loading the Java plug-in on an Internet Zone website while continuing to allow Java on Intranet Zone websites.

(2) Preventing Microsoft Word from launching an Adobe Flash Player file embedded in the document. By default, EMET 5.0 Technical Preview comes pre-configured to block certain plug-ins from being loaded by Internet Explorer, Microsoft Word and Microsoft Excel.

But do some testing in staging with TM and EMET to see if any apps break or there are any IE anomalies (hangs etc.); we do not want to crash ourselves by overdoing it...
btan (Exec Consultant) commented:
Note that the EMET v5 config from MS is using ASR (for flash*.ocx;packager.dll); it disabled EAF, EAF+ & StackPivot for "dllhost.exe" but enabled them for "POWERPNT.EXE". Hence it is better to test with the TM currently running to ensure they do not "crash" one another.
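Before pushing a vendor-supplied EMET profile like the one above into staging, it helps to read back exactly which mitigations it turns on per executable and which modules ASR will refuse to load, so that the differences btan points out (and anything a later edit changes) are reviewed deliberately. The script below is an added example, not part of this thread and not Microsoft's or EMET's own tooling: it parses a trimmed copy of the profile with the standard library and answers two review questions, "which required mitigations are still off for this executable?" and "would ASR block this module in this executable?". The `<EMET_Apps>`/`<asr_modules>`/`<asr_module>` structure follows the EMET 5 export format as I understand it and is an assumption; the embedded profile is a constructed sample reduced to the mitigations of interest, and the function names are mine.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatch

# Constructed sample: the two AppConfig entries from the advisory-style profile quoted in
# this thread, reduced to a few mitigations, wrapped in the EMET_Apps container and ASR
# module list that EMET 5 exports use (assumed structure).
EMET_PROFILE = r"""<EMET Version="5.0.5324.31801">
  <Settings />
  <EMET_Apps>
    <AppConfig Path="*" Executable="dllhost.exe">
      <Mitigation Name="DEP" Enabled="false" />
      <Mitigation Name="EAF" Enabled="false" />
      <Mitigation Name="EAF+" Enabled="false" />
      <Mitigation Name="StackPivot" Enabled="false" />
      <Mitigation Name="ASR" Enabled="true">
        <asr_modules>
          <asr_module name="flash*.ocx;packager.dll" />
        </asr_modules>
      </Mitigation>
    </AppConfig>
    <AppConfig Path="*\OFFICE1*" Executable="POWERPNT.EXE">
      <Mitigation Name="DEP" Enabled="true" />
      <Mitigation Name="EAF" Enabled="true" />
      <Mitigation Name="EAF+" Enabled="false" />
      <Mitigation Name="StackPivot" Enabled="true" />
      <Mitigation Name="ASR" Enabled="true">
        <asr_modules>
          <asr_module name="flash*.ocx;packager.dll" />
        </asr_modules>
      </Mitigation>
    </AppConfig>
  </EMET_Apps>
</EMET>"""


def load_profile(xml_text):
    """Return {executable: {"path", "enabled", "disabled", "asr_modules"}} from an EMET XML profile."""
    root = ET.fromstring(xml_text)
    apps = {}
    for app in root.iter("AppConfig"):
        entry = {"path": app.get("Path"), "enabled": set(), "disabled": set(), "asr_modules": []}
        for mit in app.findall("Mitigation"):
            bucket = "enabled" if mit.get("Enabled", "").lower() == "true" else "disabled"
            entry[bucket].add(mit.get("Name"))
            if mit.get("Name") == "ASR":
                # ASR module names are ';'-separated glob patterns on one attribute.
                for mod in mit.iter("asr_module"):
                    entry["asr_modules"].extend(p for p in mod.get("name", "").split(";") if p)
        apps[app.get("Executable")] = entry
    return apps


def blocks_module(profile, exe, module_name):
    """True if ASR is enabled for `exe` and `module_name` matches one of its ASR patterns."""
    entry = profile.get(exe)
    if not entry or "ASR" not in entry["enabled"]:
        return False
    return any(fnmatch(module_name.lower(), pat.lower()) for pat in entry["asr_modules"])


def mitigation_gaps(profile, exe, required):
    """Mitigations in `required` that the profile leaves disabled or unset for `exe`."""
    entry = profile.get(exe, {"enabled": set()})
    return sorted(set(required) - entry["enabled"])


if __name__ == "__main__":
    profile = load_profile(EMET_PROFILE)
    baseline = ["DEP", "EAF", "EAF+", "StackPivot"]
    for exe, entry in profile.items():
        print(f"{exe} ({entry['path']}): ASR blocks {entry['asr_modules']}; "
              f"missing from baseline: {mitigation_gaps(profile, exe, baseline)}")
```

The point of reading the profile back is that the ASR list is the part that actually addresses the OLE packager vector, while the memory mitigations are what can break an application in staging; listing both per executable lets you tune one without accidentally loosening the other.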