Windows RCE Vulnerability Exploited in the Wild

Security companies have started detecting attacks that leverage a critical remote code execution (RCE) vulnerability in Windows, which Microsoft patched last week.

Of the 14 security bulletins released by Microsoft on November 11, MS14-064 is one of the most important. The bulletin addresses a Windows Object Linking and Embedding (OLE) automation array RCE flaw (CVE-2014-6332), and a Windows OLE RCE bug (CVE-2014-6352).

CVE-2014-6352 had already been exploited in limited attacks when Microsoft released the patch, and experts have found that CVE-2014-6332 is also being exploited in the wild.

The CVE-2014-6332 vulnerability was reported to Microsoft in May by researchers from IBM. The company says the issue affects all versions of Microsoft’s operating system starting with Windows 95. The vulnerability, which has been dubbed “Unicorn,” has existed for at least 19 years, and it has been remotely exploitable since the introduction of Internet Explorer 3.0, which relies on the code affected by the bug.

“The bug can be used by an attacker for drive-by attacks to reliably run code remotely and take over the user’s machine — even sidestepping the Enhanced Protected Mode (EPM) sandbox in IE 11 as well as the highly regarded Enhanced Mitigation Experience Toolkit (EMET) anti-exploitation tool Microsoft offers for free,” IBM explained.

A Chinese researcher released proof-of-concept (PoC) code for the vulnerability on the same day that Microsoft made the patch available. A Metasploit module for the bug was created the next day. On November 17, NSS Labs observed attacks exploiting CVE-2014-6332.

NSS Labs researchers spotted the exploit on a South Korean website. The site hosts a piece of JavaScript that’s designed to determine what type of device is used by visitors. If a mobile device running Android is detected, an APK file is served. If a PC is detected, a piece of malware is dropped via the exploit published by the Chinese researcher.

“The malware is a little different to that which is typically dropped from regular exploit kits and malware campaigns. The difference lies in the way in which this malware is packaged, and in its method of operation,” NSS Labs wrote in a Nov. 20 blog post.

Researchers at ESET have also spotted an attack leveraging the Windows RCE vulnerability. The security firm detected exploitation attempts on the website of a major news agency in Bulgaria. The attackers planted an invisible iframe that points to a Russian website hosting an exploit based on the PoC released by the Chinese researcher.

“The downloaded binary is detected by ESET as Win32/IRCBot.NHR. This malware has numerous capabilities, as launching DDoS attacks, or opening remote shells for the miscreants,” ESET said in a blog post.

Experts believe it’s just a matter of time until the exploit is included into a mainstream exploit kit.

On Tuesday, Microsoft released an out-of-band update to address another serious vulnerability that has been exploited in limited, targeted attacks. The flaw exists in Microsoft Windows Kerberos KDC and it can be leveraged to elevate unprivileged domain user account privileges to those of the domain administrator account.