Microsoft patched one bug in Windows last week, but missed another that hackers continue to exploit, according to security researchers at McAfee.
On Tuesday, Microsoft confirmed that attackers are targeting victims with malicious PowerPoint files that exploit a "zero-day" vulnerability, a bug for which no patch is yet available.
"Microsoft is aware of a vulnerability affecting all supported releases of Microsoft Windows, excluding Windows Server 2003," the company said in a security advisory yesterday. "At this time, we are aware of limited, targeted attacks that attempt to exploit the vulnerability through Microsoft PowerPoint."
What makes the latest Windows zero-day notable is how closely it resembles, and may be related to, a vulnerability Microsoft patched last week. In bulletin MS14-060 of Oct. 14, Microsoft fixed a flaw identified as CVE-2014-4114, which was also in the OLE (Object Linking and Embedding) code within Windows.
Like the latest vulnerability, CVE-2014-4114 was exploited using malicious PowerPoint files. Attackers attached the files to email messages, using the presentations as bait; when a user opened one, the exploit ran and the malware payload executed. The zero-day is being exploited in exactly the same way.
Microsoft used the same phrase, "limited, targeted attacks," when it described the ongoing attacks leveraging CVE-2014-4114.
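Because both flaws were delivered as embedded OLE objects inside PowerPoint attachments, a mail or endpoint team can at least triage incoming Office files for that feature. The script below is an added example, not code from the article, Microsoft or McAfee, and it is a coarse heuristic rather than a signature for either CVE: it unpacks an Office Open XML file (a zip), looks for parts under an `embeddings/` folder and for relationship entries of the OLE-object or embedded-package type, and flags any file that has them for manual review. The sample files it inspects are constructed in memory, and the assumed OOXML paths and relationship types are those of the ECMA-376 packaging format, not anything taken from the exploits.

```python
"""Triage Office Open XML attachments for embedded OLE objects (constructed example)."""
import io
import posixpath
import zipfile
from xml.etree import ElementTree

# Relationship types under which OOXML documents reference embedded OLE
# objects and embedded packages (ECMA-376 Part 1). Assumption of this
# example: any such reference is worth a human look.
OLE_REL_TYPES = {
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject",
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/package",
}
# Header of an OLE2 compound file, the usual container for embedded objects.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def _open_ooxml(data: bytes):
    """Return a ZipFile for OOXML input, or None if the bytes are not a zip."""
    try:
        return zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return None


def find_embedded_ole(data: bytes) -> list[str]:
    """Return archive paths of embedded OLE objects/packages in an OOXML file.

    Two signals are combined: parts stored under an ``embeddings/`` folder
    and relationship targets whose type is oleObject or package. Non-zip
    or unparsable input yields an empty list rather than an exception.
    """
    zf = _open_ooxml(data)
    if zf is None:
        return []
    with zf:
        names = set(zf.namelist())
        hits = {n for n in names if "/embeddings/" in n}
        for rels in (n for n in names if n.endswith(".rels")):
            # ppt/slides/_rels/slide1.xml.rels -> targets are relative to ppt/slides
            base = posixpath.dirname(posixpath.dirname(rels))
            try:
                root = ElementTree.fromstring(zf.read(rels))
            except ElementTree.ParseError:
                continue
            for rel in root.iter():
                if rel.get("Type") in OLE_REL_TYPES and rel.get("TargetMode") != "External":
                    hits.add(posixpath.normpath(posixpath.join(base, rel.get("Target", ""))))
    return sorted(hits)


def triage(data: bytes) -> dict:
    """Summarise one attachment: PowerPoint or not, embedded objects, verdict."""
    zf = _open_ooxml(data)
    if zf is None:
        return {"powerpoint": False, "embedded_ole": [], "verdict": "not-ooxml"}
    with zf:
        is_ppt = "ppt/presentation.xml" in zf.namelist()
    embedded = find_embedded_ole(data)
    return {
        "powerpoint": is_ppt,
        "embedded_ole": embedded,
        "verdict": "review" if embedded else "ok",
    }


def build_sample_pptx(with_ole: bool) -> bytes:
    """Construct a minimal PPTX-shaped zip for testing (not a valid presentation)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/presentation.xml", "<presentation/>")
        zf.writestr("ppt/slides/slide1.xml", "<sld/>")
        rels = ['<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">']
        if with_ole:
            rels.append('<Relationship Id="rId2" Type="%s" Target="../embeddings/oleObject1.bin"/>'
                        % "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject")
            zf.writestr("ppt/embeddings/oleObject1.bin", OLE2_MAGIC + b"\x00" * 24)
        rels.append("</Relationships>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("clean.pptx", build_sample_pptx(False)),
               ("invoice.pptx", build_sample_pptx(True)),
               ("junk.bin", b"not a zip at all")]
    for label, blob in samples:
        print(label, triage(blob))
```

The "review" verdict is deliberately noisy: plenty of legitimate decks embed spreadsheets or documents as OLE objects, so this belongs in a triage queue, not in a blocking rule. Files that are not zips (legacy .ppt binaries, for instance) fall out as "not-ooxml" and need a different parser.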
McAfee, whose team was one of two that reported the zero-day to Microsoft, was politic, but implied Microsoft should have caught the latest bug during its code review and patch creation for last week's CVE-2014-4114.
"During our investigation, we found that Microsoft's official patch (MS14-060, KB3000869) is not robust enough," wrote Haifei Li on McAfee's blog (emphasis added). "In other words, attackers might still be able to exploit the vulnerability even after the patch is applied. Users who have installed the official patch are still at risk."
Li was one of the two McAfee researchers Microsoft credited with reporting the zero-day. Three members of Google's security team were also thanked for filing a bug report.
McAfee's title for Li's blog post -- "New Exploit of Sandworm Zero-Day Could Bypass Official Patch" -- also pointed to an oversight on Microsoft's part, as did the speed with which Li and his colleague, Bing Sun, produced a proof-of-concept exploit. Li and Sun wrapped up their investigation on Oct. 17, just three days after Microsoft patched CVE-2014-4114.
The two exploits differ in practice. According to Symantec, attacks leveraging CVE-2014-4114 are stealthier because they sidestep UAC (User Account Control), the prompts that ask the user for consent before a program is allowed to run with administrative privileges.
By Microsoft's account, at least some attacks exploiting the zero-day do trigger a UAC prompt, which gives an alert user a chance to refuse.
Symantec also said there was evidence that at least two groups were exploiting the zero-day: the gang dubbed "Sandworm," allegedly based in Russia, and another named "Taidoor," which has previously targeted Taiwanese businesses and government agencies.
Both CVE-2014-4114 and the latest vulnerability, which is tagged CVE-2014-6352, may be recent discoveries by the attackers: the former was first seen exploited in August, while the latter was first observed by Symantec last month.
In its advisory, Microsoft recommended that customers apply an automated "Fixit" tool to block the known attacks, and if necessary take other steps, including using EMET 5.0 (Enhanced Mitigation Experience Toolkit) and its Attack Surface Reduction feature to harden PowerPoint. The Fixit is a stopgap that blocks the attack as currently delivered through PowerPoint; it does not correct the underlying OLE flaw, so a proper security update is still required.