Wednesday, October 22, 2014

NEWS: Don't say we didn't warn you about this one

Security researchers have been talking behind the scenes with Microsoft concerning the recent patching efforts on CVE-2014-4114. Apparently we are not the only ones that noticed the problem with the patch last week. McAfee apparently had warned Microsoft that the patch was not 100% effective in stopping attacks that were being seen in the wild.

We reported last week that we were aware of the zero day being exploited.  See our earlier story. 

We noticed that hackers were largely still performing the attack with a slightly different payload method (as indicated by our distributed IDS system and honeypot indicators). We had several VM images attacked but the exploit still required that an end user to take an action before the payload was delivered. 

At no time were our customers vulnerable to this attack as our SLC Security appliances had signatures to detect the issue last week when we first discovered the problem.

Code appeared on a popular hacker website last Weds concerning the OLE issue and an updated script was uploaded the following day. 

Another Issue
While the issue we reported on is slightly different the premise is the same except that the variant we are seeing only activates during a reboot and not by an infected email attachment. The actual exploit we report on is still exploitable on Windows but is not able to be patched because in order to do so would require individual vendors to patch their products. Utilizing similar vectors allows a malicious attacker to run code through an undisclosed Windows service flaw that is not easily fixable and has been exploitable for several years now. This issue remains unpatched and vulnerable although we have only seen it used by a select few security firms during penetration testing.

No comments:

Post a Comment