Microsoft patches three zero-day vulnerabilities - what does that mean to you?

Published on 2014-10-15 07:00:00 UTC by GovCERT.ch
Last updated on 2014-10-15 07:20:41 UTC

The facts

On Tuesday, Oct 14 2014, Microsoft published 8 patches that fix several vulnerabilities in the Windows operating system. An overview of the patches and their severity is available on the Microsoft website and the ISC Handler Diary Blog.

Microsoft Security Bulletin Summary for October 2014:
https://technet.microsoft.com/library/security/ms14-oct

InfoSec Handlers Diary Blog (incl. ISC rating on the released patches):
https://isc.sans.edu/diary/Microsoft+October+2014+Patch+Tuesday/18819

Several of the patches released by Microsoft are classified by Microsoft and the Internet Storm Center (ISC) as critical. The most interesting ones are MS14-058 and MS14-060, which patch three zero-day vulnerabilities in the Windows operating system. This means that these vulnerabilities have already been identified by bad actors and are currently being exploited in order to spread malware.

MS Bulletin   CVE             Description                     APT Campaign
MS14-058      CVE-2014-4113   Zero-Day Privilege Escalation   HURRICANE PANDA
MS14-058      CVE-2014-4148   Zero-Day in Windows TTF         HURRICANE PANDA
MS14-060      CVE-2014-4114   Zero-Day in OLE packager        Sandworm

MS14-058 fixes two zero-day vulnerabilities (CVE-2014-4113 and CVE-2014-4148). According to the security service providers FireEye and CrowdStrike, both vulnerabilities are already being exploited in the wild and are associated with an APT called HURRICANE PANDA. More details about the attack and the two reported zero-day vulnerabilities can be found on the FireEye and CrowdStrike blogs.

The third zero-day vulnerability (CVE-2014-4114) is related to yet another targeted attack against various organizations. According to the security service provider iSIGHT, the malware campaign, which is named "Sandworm", is targeting the following organizations and sectors:

  • NATO
  • Governmental Organizations in Europe
  • Firms in the Energy Sector
  • European telecommunications companies
  • United States academic organization

According to iSIGHT, the attacks are at least partially making use of a malware called BlackEnergy, which has been around since at least 2007. While BlackEnergy used to target random Internet users in its early years, foreign actors have since started to use it in targeted attacks against governmental bodies. Further information about the recent attacks involving BlackEnergy can be found on iSIGHT's blog.

What does that mean to you?

Well, this is a nice story, but you may ask yourself what this means for you and your organization. That's indeed a good question.

First of all: If you are a random Internet user, you are most likely safe (at least for the moment). For now (2014-10-15), there is no working exploit in the wild that random hackers could use to compromise your system. The bad actors who do have a working exploit are interested in, and targeting, a very limited number of organizations and sectors. However, be aware that this may change in the near future, so patching your system at the earliest moment possible is a good idea. You may want to ensure that automatic updates are turned on. A how-to for turning on automatic updates on your computer can be found on the Windows Help portal.

Turn automatic updating on or off (English):
http://windows.microsoft.com/en-US/windows/turn-automatic-updating-on-off

Aktivieren oder Deaktivieren von automatischen Updates (German):
http://windows.microsoft.com/de-ch/windows/turn-automatic-updating-on-off

Activer ou désactiver les mises à jour automatiques (French):
http://windows.microsoft.com/fr-ch/windows/turn-automatic-updating-on-off

If your organization is a governmental organization, works in the energy or telecommunications sector, or is an academic organization in the US, you might have to worry. According to iSIGHT, you may be on the shopping list (target list) of Sandworm. You should ensure that you deploy the two patches MS14-058 and MS14-060 in your corporate network at the earliest convenience.

For corporate networks, GovCERT.ch recommends the use of EMET (Enhanced Mitigation Experience Toolkit) and Windows AppLocker. EMET has been developed by Microsoft and is available for free. It helps you mitigate zero-day attacks against hosts running the Windows operating system. Windows AppLocker was introduced in Windows 7 and is built into every newer Windows operating system. It allows you to define policies that specify which code / executables are allowed to run on which hosts. This lets you detect and prevent the execution of unknown and arbitrary code on hosts running the Windows operating system.

If you are running an IDS/IPS such as Snort or Suricata to identify malicious traffic in your network, you may want to have a look at the following rules that help you spot botnet C&C traffic related to BlackEnergy:

SID       Message
2007668   ET TROJAN Blackenergy Bot Checkin to C&C
2010875   ET TROJAN Blackenergy Bot Checkin to C&C (2)
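To show what "spotting" these alerts looks like in practice, here is an added example (not part of the original post or of any vendor's tooling) that parses Snort/Suricata "fast" alert output and groups hits from the two ET rule SIDs above by internal source host. The fast.log line layout and the sample alert lines are constructed for this example; the addresses are RFC 5737 documentation ranges.

```python
import re
from dataclasses import dataclass

# SIDs of the Emerging Threats rules listed in the post for BlackEnergy C&C check-ins.
BLACKENERGY_SIDS = {2007668, 2010875}

# Assumed layout of a Snort/Suricata "fast" alert line:
# <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src:sport -> dst:dport
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    sid: int
    msg: str
    src: str
    dst: str
    dport: int


def parse_fast_log(lines):
    """Parse fast-format alert lines; lines that do not match the layout are skipped."""
    alerts = []
    for line in lines:
        m = FAST_LOG_RE.match(line.strip())
        if not m:
            continue
        alerts.append(Alert(m["ts"], int(m["sid"]), m["msg"], m["src"], m["dst"], int(m["dport"])))
    return alerts


def blackenergy_hits(lines):
    """Return only the BlackEnergy C&C alerts, grouped by the internal source host."""
    hits = {}
    for a in parse_fast_log(lines):
        if a.sid in BLACKENERGY_SIDS:
            hits.setdefault(a.src, []).append(a)
    return hits


# Constructed sample alert lines (not real traffic): two BlackEnergy check-ins from one host,
# one unrelated alert, and one further check-in from a second host.
SAMPLE_LOG = """\
10/15/2014-08:12:33.123456  [**] [1:2007668:8] ET TROJAN Blackenergy Bot Checkin to C&C [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.10:49152 -> 198.51.100.5:80
10/15/2014-08:13:01.000000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.7:80 -> 192.0.2.22:51000
10/15/2014-08:14:45.654321  [**] [1:2010875:4] ET TROJAN Blackenergy Bot Checkin to C&C (2) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.10:49160 -> 198.51.100.5:80
10/15/2014-08:15:02.111111  [**] [1:2007668:8] ET TROJAN Blackenergy Bot Checkin to C&C [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.31:50001 -> 198.51.100.9:8080
""".splitlines()

if __name__ == "__main__":
    for host, alerts in blackenergy_hits(SAMPLE_LOG).items():
        print(f"{host}: {len(alerts)} BlackEnergy C&C check-in alert(s) to {sorted({a.dst for a in alerts})}")
```

Each host listed in the output is a candidate for isolation and host-level investigation, and the destination addresses are the values to hand to your proxy or firewall logs to find earlier contacts.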

Unfortunately, neither FireEye, CrowdStrike nor iSIGHT has published any Indicators of Compromise (IOCs) yet. We are sure that they will be available later. Once they are, we will update this blog post.
