Windows RCE Vulnerability Exploited in the Wild

Security companies have started detecting attacks that leverage a critical remote code execution (RCE) vulnerability in Windows, which Microsoft patched last week.

Of the 14 security bulletins released by Microsoft on November 11, MS14-064 is one of the most important. The bulletin addresses a Windows Object Linking and Embedding (OLE) automation array RCE flaw (CVE-2014-6332), and a Windows OLE RCE bug (CVE-2014-6352).

CVE-2014-6352 had already been exploited in limited attacks when Microsoft released the patch, and experts have found that CVE-2014-6332 is also being exploited in the wild.

CVE-2014-6332 Used in Active Attacks

The CVE-2014-6332 vulnerability was reported to Microsoft in May by researchers from IBM. The company says the issue affects all versions of Microsoft’s operating system starting with Windows 95. The vulnerability, which has been dubbed “Unicorn,” has existed for at least 19 years, and it has been remotely exploitable since the introduction of Internet Explorer 3.0, which relies on the code affected by the bug.

“The bug can be used by an attacker for drive-by attacks to reliably run code remotely and take over the user’s machine — even sidestepping the Enhanced Protected Mode (EPM) sandbox in IE 11 as well as the highly regarded Enhanced Mitigation Experience Toolkit (EMET) anti-exploitation tool Microsoft offers for free,” IBM explained.

A Chinese researcher released proof-of-concept (PoC) code for the vulnerability on the same day that Microsoft made the patch available. A Metasploit module for the bug was created the next day. On November 17, NSS Labs observed attacks exploiting CVE-2014-6332.

NSS Labs researchers spotted the exploit on a South Korean website. The site hosts a piece of JavaScript that’s designed to determine what type of device is used by visitors. If a mobile device running Android is detected, an APK file is served. If a PC is detected, a piece of malware is dropped via the exploit published by the Chinese researcher.

“The malware is a little different to that which is typically dropped from regular exploit kits and malware campaigns. The difference lies in the way in which this malware is packaged, and in its method of operation,” NSS Labs wrote in a Nov. 20 blog post.

Researchers at ESET have also spotted an attack leveraging the Windows RCE vulnerability. The security firm detected exploitation attempts on the website of a major news agency in Bulgaria. The attackers planted an invisible iframe that points to a Russian website hosting an exploit based on the PoC released by the Chinese researcher.

“The downloaded binary is detected by ESET as Win32/IRCBot.NHR. This malware has numerous capabilities, such as launching DDoS attacks, or opening remote shells for the miscreants,” ESET said in a blog post.

Experts believe it’s just a matter of time until the exploit is included in a mainstream exploit kit.

On Tuesday, Microsoft released an out-of-band update to address another serious vulnerability that has been exploited in limited, targeted attacks. The flaw exists in Microsoft Windows Kerberos KDC and it can be leveraged to elevate unprivileged domain user account privileges to those of the domain administrator account.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
