New 0day vulnerability in Windows exploited in-the-wild

Specialists at iSIGHT Partners today announced a new vulnerability, CVE-2014-4114, in Windows 7 and later, which they discovered a month earlier. According to the company's analysts, the vulnerability has been exploited by a cybercriminal group whose traces lead to Russia. Exploitation requires a specially crafted MS PowerPoint document containing embedded OLE objects. The Windows component responsible for processing embedded objects contains a flaw that lets an attacker have an .INF file downloaded from a remote server and installed on the system.

The exploit is a PowerPoint document that contains two objects, oleObject1.bin and oleObject2.bin. Each of these files contains a link to an external IP address. One of them is used to download the .INF file that installs the malicious program, and the second links to the malicious program itself, the BlackEnergy Lite dropper (Win32/Rootkit.BlackEnergy). The dropper is installed on the system by means of the downloaded .INF file. We recently wrote about a malicious campaign distributing BlackEnergy Lite, attributed to a hacker group whose roots also lead to Russia. In both cases the targets were NATO countries.
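A defender triaging suspicious presentations can check for exactly the pattern described above: embedded OLE streams that point at a remote IP-based location. The following script is an added example, not code from iSIGHT or from the article; it opens a .pptx (a ZIP container), reads every `ppt/embeddings/*.bin` member, and reports UNC paths or URLs that reference an IP address, scanning both ASCII and UTF-16LE strings. The sample document it builds is constructed inline, and the IP address and file names in it are placeholders, not indicators from the real campaign.

```python
import io
import re
import zipfile

# UNC path (\\1.2.3.4\...) or http(s) URL whose host is a bare IPv4 address.
REMOTE_REF = re.compile(
    r'(?:\\\\|https?://)\d{1,3}(?:\.\d{1,3}){3}[^\x00"\'<>\s]*', re.IGNORECASE
)

def remote_refs_in_stream(blob: bytes) -> list:
    """Return remote IP-based references found in one OLE object stream.
    OLE packager streams store paths as ASCII or UTF-16LE, so both are tried."""
    refs = []
    for text in (blob.decode("latin-1"), blob.decode("utf-16-le", errors="ignore")):
        for match in REMOTE_REF.finditer(text):
            if match.group(0) not in refs:
                refs.append(match.group(0))
    return refs

def scan_pptx(data: bytes) -> list:
    """Return (member name, remote reference) pairs for every embedded OLE
    object in the .pptx that points at a remote IP-based location."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for name in archive.namelist():
            if name.startswith("ppt/embeddings/") and name.lower().endswith(".bin"):
                for ref in remote_refs_in_stream(archive.read(name)):
                    findings.append((name, ref))
    return findings

def build_sample_pptx() -> bytes:
    """Constructed sample modelled on the two-object layout described in the
    article: one stream with an ASCII UNC path to an executable, one with a
    UTF-16LE UNC path to an .INF file, plus a harmless local-only stream.
    192.0.2.10 (TEST-NET) and the file names are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("ppt/embeddings/oleObject1.bin",
                         b"\x00" * 16 + b"\\\\192.0.2.10\\share\\payload.exe\x00" + b"\x00" * 16)
        archive.writestr("ppt/embeddings/oleObject2.bin",
                         b"\x00" * 16 + "\\\\192.0.2.10\\share\\install.inf".encode("utf-16-le") + b"\x00" * 16)
        archive.writestr("ppt/embeddings/oleObject3.bin", b"\x00" * 32 + b"local data only")
    return buf.getvalue()

if __name__ == "__main__":
    for member, ref in scan_pptx(build_sample_pptx()):
        print(f"{member}: remote reference {ref}")
```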

Fig. Link to the .INF file in oleObject2.bin.

Fig. Directory with OLE objects in a malicious PowerPoint document.

Fig. The topic of the presentation refers to the conflict in Ukraine.

Fig. The format of the downloaded .INF file that is used to install the malicious program. The vulnerability allows both of these files to be fetched from the attacker's server.

Fully updated versions of Windows 7, Windows 8, Windows 8.1 and Windows RT are vulnerable. Microsoft has promised to close this vulnerability today as part of its monthly Patch Tuesday release.