Widespread Windows Zero Day affecting Microsoft Office Files

Last week, Emsisoft published details on The Sandworm Team and how this group of attackers has been using the vulnerability CVE-2014-4114 to remotely execute malicious code through shared Microsoft Office files. Microsoft has since issued a patch for that vulnerability; however, it has been discovered that there is still a way to abuse Microsoft Office files to serve malware. This new zero-day vulnerability has been designated CVE-2014-6352, and it allows attackers to remotely execute malicious code on all supported versions of Windows except Windows Server 2003. The attacker's code runs with the rights of the user who opened the file, so the attack still depends on persuading a victim to open a crafted document. This unpatched zero day has been used by The Sandworm Team, and it is currently also being used by cybercriminals across the Internet. Observed attacks have involved targeted emails containing malicious PowerPoint attachments. In principle, this vulnerability could also be leveraged in any scenario where Microsoft Office documents are shared.

How can I stay protected?

The most concerning aspect of CVE-2014-6352 is that it affects fully patched versions of Windows: last week's fix for CVE-2014-4114 does not close it. Microsoft is currently investigating the issue, but it could be nearly three weeks before the vulnerability is formally patched in the next regular update cycle. In the meantime, cybercriminals will be sure to exploit the vulnerability to serve malware to as many users as they can.

To stay protected, Emsisoft recommends:

  • Avoiding unsolicited Microsoft Office documents, PowerPoint attachments in particular, whenever possible
  • Implementing Microsoft’s Suggested Actions from its security advisory for this vulnerability
  • Using a proactive anti-malware product that can block infection by threats that have not yet been catalogued
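Both CVE-2014-4114 and CVE-2014-6352 are reached through OLE objects carried inside Office documents, so one practical way to act on the first recommendation is to triage an unsolicited attachment before anyone opens it. The script below is an added example written for this post; it is not Emsisoft's code and not Microsoft's workaround. It treats an Office Open XML file (.pptx, .ppsx, .docx and .xlsx are all zip containers) as an archive, lists embedded OLE parts and OLE relationships, and reports externally linked objects separately. The sample packages it builds are constructed in memory for the demonstration, contain no exploit, and use an address from a documentation range for the external link.

```python
"""Triage check: does an Office Open XML package carry embedded or linked OLE objects?

Added example. The sample packages built below are hand-made minimal zips,
not real PowerPoint files and not exploit documents.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

# Relationship types OOXML uses to attach an OLE object to a slide, document or sheet.
OLE_RELATIONSHIP_TYPES = {
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject",
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/package",
}
# Header of the Compound File Binary format in which embedded OLE objects are stored.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Constructed UNC target for the sample; 203.0.113.0/24 is reserved for documentation.
SAMPLE_EXTERNAL_TARGET = r"\\203.0.113.5\share\slide.inf"


def scan_office_package(data: bytes) -> dict:
    """Return OLE indicators found in an OOXML package supplied as bytes."""
    findings = {"embedded_ole_parts": [], "ole_relationships": [], "external_ole_targets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith(".rels"):
                root = ET.fromstring(zf.read(name))
                for rel in root:  # each child is a namespaced Relationship element
                    rtype = rel.get("Type", "")
                    if rtype not in OLE_RELATIONSHIP_TYPES:
                        continue
                    target = rel.get("Target", "")
                    external = rel.get("TargetMode") == "External"
                    findings["ole_relationships"].append(
                        {"rels": name, "kind": rtype.rsplit("/", 1)[-1],
                         "target": target, "external": external}
                    )
                    if external:
                        findings["external_ole_targets"].append(target)
            elif "/embeddings/" in name.lower():
                payload = zf.read(name)
                # Embedded objects should be CFB containers; record whether this one is.
                findings["embedded_ole_parts"].append(
                    {"part": name, "size": len(payload), "is_cfb": payload.startswith(CFB_MAGIC)}
                )
    return findings


def verdict(findings: dict) -> str:
    """Heuristic only: legitimate decks with an embedded Excel chart are flagged too."""
    if findings["external_ole_targets"]:
        return "review: externally linked OLE object"
    if findings["embedded_ole_parts"] or findings["ole_relationships"]:
        return "review: embedded OLE object"
    return "clean"


def build_sample_pptx(with_ole: bool, external: bool = False) -> bytes:
    """Constructed minimal PowerPoint-like package used to exercise the scanner."""
    ole_type = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
    rels = [f'<Relationships xmlns="{RELS_NS}">']
    parts = {
        "[Content_Types].xml": '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        "ppt/slides/slide1.xml": '<?xml version="1.0"?><p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"/>',
    }
    if with_ole and external:
        rels.append(f'<Relationship Id="rId2" Type="{ole_type}" Target="{SAMPLE_EXTERNAL_TARGET}" TargetMode="External"/>')
    elif with_ole:
        rels.append(f'<Relationship Id="rId2" Type="{ole_type}" Target="../embeddings/oleObject1.bin"/>')
        parts["ppt/embeddings/oleObject1.bin"] = CFB_MAGIC + b"\x00" * 504  # header only, no payload
    rels.append("</Relationships>")
    parts["ppt/slides/_rels/slide1.xml.rels"] = "".join(rels)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    for label, pkg in (("clean deck", build_sample_pptx(False)),
                       ("embedded object", build_sample_pptx(True)),
                       ("external link", build_sample_pptx(True, external=True))):
        print(f"{label}: {verdict(scan_office_package(pkg))}")
```

Run it against a real attachment with `scan_office_package(open("deck.ppsx", "rb").read())`. A "review" verdict is a reason to look closer or hold the file, not proof of malice, and a "clean" verdict says nothing about legacy binary formats (.ppt, .doc), which are not zip containers and need a different parser.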

Because sharing Microsoft Office files is an everyday task for many people, and because Microsoft’s Suggested Actions are somewhat technical, CVE-2014-6352 is likely to let cybercriminals infect a lot of users with malware. Furthermore, because a vulnerability is essentially a doorway into your PC, the malware served in such attacks will vary widely: the exploit only gets the attacker’s code running, and what that code then does is entirely up to the attacker.

Users running Emsisoft products should know that, as was the case with CVE-2014-4114 and The Sandworm Team, your security solution offers automatic protection from this latest zero day. If you are running one of our products, no further action is required: simply allow your computer to install Microsoft’s formal patch when it is issued.

For those not using protection, we recommend giving Emsisoft Anti-Malware a try. You can test it for 30 days at no cost, meaning that even if you hate it (which we’re pretty sure you won’t :)) it will protect you from this latest zero day until Microsoft fixes the problem. After the vulnerability is patched, you can simply uninstall your trial, or you can keep it to ensure that you’re protected the next time an application vulnerability (inevitably) pops up.

Have a great (zero-free) day!