SandWorm Zero-Day - CVE-2014-4114 - MS14-060 (UPDATED!)

Just came across the new zero-day in Windows which affects all versions.  The patch should be available today under MS14-060, but I haven’t seen it yet to link it.  It’s also not showing in WSUS.

The zero-day appears to be a remote code execution in Microsoft Office when a malicious OLE object is embedded.  It affects all supported versions of Windows, but it is not clear if Windows XP is affected.  I would assume it is, and that we won’t be getting a patch for it.  The exploit allows the code to be run with the logged-in user’s rights, limiting the impact if the user doesn’t have administrative rights.

Some workarounds, which might mitigate the risk even to XP users:

  • Disable the WebClient service - which breaks SharePoint integration and WebDAV.
  • Block TCP ports 139 and 445 - which breaks SMB and CIFS file sharing.
  • Block the launching of executables via Setup INF files - which would likely break your older installers.
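The workarounds above are manual steps, so here is an added example (not from this post and not Microsoft's Fix it) of a PowerShell script that reports the state of the first two on the local host and, with `-Apply`, puts them in place. It assumes Windows 8 / Server 2012 or later for the NetSecurity cmdlets (`Get-NetFirewallRule`, `New-NetFirewallRule`), PowerShell 5 or later for the `StartType` property on service objects, and an elevated session; the rule name `Block-SMB-Outbound-Workaround` is a placeholder. The third workaround is not automated because the post gives no mechanism for it.

```powershell
# Added example: audit and (optionally) apply the WebClient and SMB-port
# workarounds listed in the post. Assumes an elevated session on
# Windows 8 / Server 2012 or later with PowerShell 5+.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Without -Apply the script only reports; with it, changes are made.
    [switch]$Apply
)

$RuleName = 'Block-SMB-Outbound-Workaround'   # placeholder rule name

# --- Workaround 1: WebClient service (WebDAV client) ---
$svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output 'WebClient service is not present on this host.'
} else {
    Write-Output ('WebClient: Status={0} StartType={1}' -f $svc.Status, $svc.StartType)
    if ($Apply -and $PSCmdlet.ShouldProcess('WebClient', 'Stop and disable')) {
        Stop-Service -Name WebClient -Force
        Set-Service  -Name WebClient -StartupType Disabled
        Write-Output 'WebClient stopped and disabled (WebDAV and SharePoint mapping will break).'
    }
}

# --- Workaround 2: block TCP 139 and 445 (SMB/CIFS) ---
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($existing) {
    Write-Output ("Firewall rule '{0}' already present (Enabled={1})." -f $RuleName, $existing.Enabled)
} elseif ($Apply -and $PSCmdlet.ShouldProcess($RuleName, 'Create outbound block rule')) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Block `
        -Protocol TCP -RemotePort 139, 445 -Profile Any | Out-Null
    Write-Output ("Created '{0}': outbound TCP 139/445 blocked (file shares will break)." -f $RuleName)
} else {
    Write-Output ("No firewall rule '{0}' found; rerun with -Apply to create it." -f $RuleName)
}

# Workaround 3 (executables launched via Setup INF files) is intentionally
# not automated: the post names it but does not say how it is enforced.
```

Run it once without `-Apply` to see what would change, then with `-Apply -WhatIf` to dry-run, and finally with `-Apply`. Both changes carry the breakage the post warns about, so test on a pilot group before pushing them broadly.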

If you aren’t on XP, better start patching.  If you are, well, it’s time to consider moving up in the world.

Full details available here (which I haven’t read yet):

I will update when I know more.

10/14/14 1:54 PM - Updated with latest info from MS.