McAfee Labs

New Exploit of Sandworm Zero-Day Could Bypass Official Patch

Oct 21, 2014

Update of October 25: Some comments posted after we published this report suggest that our proof-of-concept exploit will trigger a UAC (User Account Control) prompt on Windows. We did not observe this during our analysis.


Over the last few days, researchers at McAfee Labs have been actively investigating Sandworm, the attack that exploits the Windows OLE Packager zero-day (CVE-2014-4114). McAfee has already released various updates through our products to protect our customers, and we continue to analyze this attack.

During our investigation we found that Microsoft's official patch (MS14-060, KB3000869) is not robust enough: attackers might still be able to exploit the vulnerability even after the patch is applied. Users who have installed the official patch are still at risk.

This finding has significant impact because attacks leveraging the vulnerability are still very active. We reported our findings to the Microsoft Security Response Center immediately after we successfully developed a proof of concept on October 17. Since then we have actively worked with Microsoft to resolve this issue.

Today, Microsoft has released Security Advisory 3010060 as well as the “Fix It” temporary patch. A new ID, CVE-2014-6352, has been assigned to track this issue. To protect hundreds of millions of Windows users, we are not sharing any of the details until a permanent patch from Microsoft is available to the public.

While we will continue to monitor potential new attacks in the wild, users who have concerns about their security may consider the following actions:

  • Apply the Microsoft "Fix It" or the workarounds shared in Security Advisory 3010060.
  • Apply the first or the second workaround shared in Security Bulletin MS14-060: "Disable the WebClient service" or "Block TCP ports 139 and 445." We believe these two workarounds will be effective at blocking the new exploitation method, whereas the third workaround in the bulletin ("Block the launching of executables via Setup information files") may not be.
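As an added example (not code from the original post, McAfee, or Microsoft), the following PowerShell script checks whether KB3000869 is installed and then applies the two MS14-060 workarounds recommended above on a single host: it stops and disables the WebClient (WebDAV redirector) service and adds an outbound host-firewall rule blocking TCP 139 and 445. The firewall rule name is an arbitrary choice; netsh is used instead of New-NetFirewallRule so that the script also runs on Windows 7.

```powershell
# Added example: verify MS14-060 patch state and apply the two workarounds the
# post recommends (disable WebClient, block outbound TCP 139/445).
# Run from an elevated PowerShell prompt. Rule name below is an assumption.

$kb = 'KB3000869'   # MS14-060 package ID named in the post

# 1. Is the official patch present? (Per the post, patched hosts are still at risk,
#    so the workarounds are applied either way.)
$hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
if ($hotfix) {
    Write-Host "$kb installed on $($hotfix.InstalledOn); applying workarounds anyway (CVE-2014-6352)."
} else {
    Write-Host "$kb NOT installed; install MS14-060, then keep the workarounds below in place."
}

# 2. Workaround 1: stop and disable the WebClient service (blocks WebDAV retrieval).
$svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name WebClient -Force }
    Set-Service -Name WebClient -StartupType Disabled
    $mode = (Get-WmiObject Win32_Service -Filter "Name='WebClient'").StartMode
    Write-Host "WebClient: status $((Get-Service WebClient).Status), start mode $mode"
} else {
    Write-Host "WebClient service not present on this host."
}

# 3. Workaround 2: block outbound TCP 139 and 445 at the host firewall.
#    No spaces in the name, so it passes cleanly from PowerShell to netsh.
$ruleName = 'MS14-060_Block_Outbound_SMB'   # assumed rule name
netsh advfirewall firewall show rule name=$ruleName | Out-Null
if ($LASTEXITCODE -ne 0) {
    netsh advfirewall firewall add rule name=$ruleName dir=out action=block protocol=TCP remoteport=139,445 | Out-Null
    Write-Host "Added firewall rule '$ruleName' (outbound TCP 139,445 blocked)."
} else {
    Write-Host "Firewall rule '$ruleName' already present."
}
```

Both workarounds have side effects worth weighing before a fleet-wide rollout: disabling WebClient breaks WebDAV access (for example, SharePoint "Open with Explorer"), and blocking outbound 445 on a domain-joined host cuts it off from file servers and from SYSVOL, so Group Policy will stop applying. MS14-060 describes the port block as a perimeter-firewall measure; applying it per host is a stricter variant. To roll back, set WebClient back to Manual and delete the rule with `netsh advfirewall firewall delete rule name=MS14-060_Block_Outbound_SMB`.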

We thank James Forshaw of Google Project Zero, who helped us with this finding. Thanks as well to Bing Sun, Chong Xu, and Stanley Zhu of McAfee Labs for their help with this research and investigation.

4 Comments

  • Haifei Li

    Hi Adrian,

    The answer is no, XP is not affected by this particular vulnerability. This is rare good news for XP users, since XP is affected by many other vulnerabilities (I'm sure you are aware that Microsoft doesn't support XP anymore).

    Thanks,
    Haifei

  • Adrian

    We have one old Cimplicity server, ver. 6, running on Win XP, not connected to the internet. Recently we received an information letter from GE regarding this Sandworm. I want to know if Win XP is vulnerable.
    Thanks

  • Martha Arellano

    Any mitigation from McAfee? DAT? HIPS?

    • Haifei Li

      Of course. McAfee delivered various protections against this threat to our customers right away; please keep your security product up to date.
