Microsoft is rushing out a patch for a newly-discovered zero-day vulnerability which affects all currently  supported versions of  Windows (including Vista) and Windows Server 2008 and 2012.

The news came this morning from security firm iSight Partners, which in conjunction with Microsoft discovered the hole in the OLE package manager in the client and server versions of Windows after attacks on unspecified NATO countries and institutions (Canada is a member of NATO), academic institutions in the U.S., Ukrainian government organizations, Western European government organization, energy sector firms (specifically in Poland) European telecommunications firms United States academic organization.

Researchers at iSight and Fortinet believe the vulnerability is being exploited by a group from Russia. iSight has dubbed them the Sandworm Team.

Microsoft has dubbed the vulnerability CVE-2014-4114, and detailed in this bulletin.

iSight said it has been monitoring the Sandworm Team’s activities from late 2013. It apparently prefers to  use of spear-phishing with malicious document attachments — sometimes a PowerPoint — to target victims. “Many of the lures observed have been specific to the Ukrainian conflict with Russia and to broader geopolitical issues related to Russia,” the researchers said. “The team has recently used multiple exploit methods to trap its targets including the use of BlackEnergy crimeware, exploitation of as many as two known vulnerabilities simultaneously, and this newly observed Microsoft Windows zero-day.”

While iSight has detected the vulnerability it can’t say if any data was compromised. Although it has known about the vulnerability for weeks, it held back divulging the information until today, which is Microsoft’s normal Patch Tuesday.

“Given that affected parties were notified and that we did not witness a major surge / broader propagation of the exploit based upon our visibility into the team’s command and control infrastructure, we elected to time the disclosure to the availability of a patch. This timing minimizes the potential for other bad actors to take advantage of the vulnerability.”

  • Mario Levesque

    There are no information that come out when i search for the CVE-2014-411. Is it too soon to look for it on google?