The article is filled with fluff about iSIGHT and they buried the lead. Here are the high level details they posted:
* An exposed dangerous method vulnerability exists in the OLE package manager in Microsoft Windows and Server (Vista SP2 to Windows 8.1, Windows Server versions 2008 and 2012)
* When exploited, the vulnerability allows an attacker to remotely execute arbitrary code
* The vulnerability exists because Windows allows the OLE packager (packager .dll) to download and execute INF files. In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packager allows a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources.
* This will cause the referenced files to be downloaded and, in the case of INF files, to be executed with specific commands
* An attacker can exploit this vulnerability to execute arbitrary code but will need a specifically crafted file and use social engineering methods (observed in this campaign) to convince a user to open it
TL;DR - A vulnerability exists in INF processing and untrusted, 3rd party INF files can be included by PowerPoint files. This is not a worm.
Also these little gems:
> Further information will be provided in a live briefing to any interested parties on Thursday, October 16th at 2:00...
> iSIGHT is making available a broader technical report – inclusive of indicators – through a formal vetting process.
Fuck you iSIGHT. This is being used in the wild and a patch has been released. Post the details publicly. This isn't responsible disclosure, this is PR and lead gen.
Hijacking the top comment for relevance and visibility.
Seeing how all of the other articles about this exploit are basically regurgitating iSight's announcement, I thought I'd provide something a little bit more useful.
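The summary above boils down to a PowerPoint file carrying a Package OLE object whose target is an external INF file. The scanner below is an added example (not from the article or the commenter) that flags exactly that kind of link in an OOXML .pptx: it walks the slide relationship parts and reports any TargetMode="External" relationship that is an OLE-object link or points at a .inf target. The OOXML relationship types and the constructed sample zip are assumptions of the example, not indicators from the report.

```python
"""Scan a .pptx (OOXML zip) for Package OLE objects that point at external files.

In OOXML the slide-to-object link lives in ppt/slides/_rels/*.rels as a
<Relationship>; a TargetMode="External" link is fetched at load time rather
than read from inside the zip, which is the behaviour the summary describes.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def scan_pptx(data: bytes) -> list[tuple[str, str, str]]:
    """Return (rels_part, rId, target) for each suspicious external link."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not (name.startswith("ppt/slides/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue  # internal parts ship inside the zip, nothing is fetched
                target = rel.get("Target", "")
                is_ole = rel.get("Type") == OLE_REL
                is_inf = target.lower().split("?")[0].endswith(".inf")
                if is_ole or is_inf:
                    findings.append((name, rel.get("Id", ""), target))
    return findings


def build_sample(rels_xml: str) -> bytes:
    """Constructed minimal pptx-like zip for testing (not a real presentation)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", "<sld/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed relationships: an ordinary hyperlink (not flagged) beside an
# external Package object whose target is an INF on a placeholder file share.
SUSPICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.com/" TargetMode="External"/>
  <Relationship Id="rId2" Type="{OLE_REL}" Target="file://EXAMPLE-SHARE/public/slide.inf" TargetMode="External"/>
</Relationships>"""
```

Running `scan_pptx(build_sample(SUSPICIOUS_RELS))` reports only rId2; a mail gateway or endpoint check could quarantine on any non-empty result.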
Is it me or is the linked article remarkably content-free given the amount of security babble it contains? The nice aspect of the Heartbleed branding was its simple and clear message, not having opaque sentences such as "Visibility into this campaign indicates targeting across the following domains" and self-serving platitudes such as "As part of our normal cyber threat intelligence operations, iSIGHT Partners is tracking a growing drum beat of cyber espionage activity out of Russia."
edit: The meat of the vulnerability is in the "Working with Microsoft, we discovered the following" section, over halfway down the page.
I guess it is actually about the context in this case, not about the issue itself. Exploits via Outlook and Office have existed for a long time. This is hardly something new. Targeting a specific region / company / group of people, based on politics, without spamming everyone in the world with this vulnerability is a relatively new thing. It looks like they really did want to stay hidden for a long time.
This might just be anti-Microsoft bias, but I think the thing here is that with a Windows vuln you can't see the source code, so you really have no idea how severe the vuln is; the people who find it can simply make shit up with no one able to call them out other than Microsoft. Also, maybe the average Windows user will be less tech savvy than a Linux user and fall prey to scare tactics like these.
> but will need a specifically crafted file and use social engineering methods (observed in this campaign) to convince a user to open it
What's next, "Zero-day Impacting All Versions of All Operating Systems - allows users to download and execute arbitrary code"? I suppose if you're a fan of user-hostile walled-garden trusted-computing models you might consider that a vulnerability, but I think it's safe to assume that most people consider the ability to "download and execute arbitrary code" to be a very useful and fundamental feature of an OS.
> from Vista SP2 to Windows 8.1
I'm curious if this "vulnerability" also exists in XP.
Kinda depends under what level of privilege the code runs.
Also secure environments often strip down the ability to download and run arbitrary code, but might still allow theoretically-data-only formats to be downloaded and opened (such as .ppt files), in which case this is definitely relevant.
> I'm curious if this "vulnerability" also exists in XP
I was curious as well. Elsewhere the article says it's not vulnerable:
> ...a zero-day vulnerability impacting all supported versions of Microsoft Windows (XP is not impacted)
Are there any significant Windows vulnerabilities for XP since the EOL? I was waiting for the first one that isn't patched, will be interesting to see how the bad guys use it.
The exploit seems to leverage PowerPoint files which are generally considered safe, and thus are allowed through mail systems and most normal good-practice behaviors. It uses a sideband exploit that allows PowerPoint to download and execute arbitrary content via a system service.
That is absolutely an exploit, similar to if I linked to an imgur jpeg that actually ran a trojan on your machine.
From the article: The vulnerability exists because Windows allows the OLE packager (packager .dll) to download and execute INF files. In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packager allows a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources.
So the process is initiated through a spearphish, and when the file is opened the vulnerability causes the system to download additional code and execute it.
Can't believe they designed a logo especially for this worm (and gave a fancy name). There's apparently a marketing campaign in vulnerability discoveries too.
Yes. This absolutely fucking sickens me. It instantly gives news agencies an excuse to pick up every little hole and scare all the mortals into submission.
Security has become a marketing and media circus now which in turn desensitizes people to real concerns and rational thought.
I do see your point, however sometimes it is a good thing to let everyone know about it, so they're able to do something about it.
For example, my manager even heard about "shell shock" and prompted me to do something about it. Although, it was over a week after the outbreak, and we'd already established we weren't vulnerable (applied the patch anyway) - but even so!
By labeling a bug with a catchy name it enables conversation. If there is one thing the world of security needs, it's more conversation. More talk == more $$$.
At least Heartbleed and Shellshock made sense. Sandworm is just trying to play up fear for a boring not-really-remote vuln. And, the vulnerability is not a worm. It's shitty marketing.
In defense of "branding" vulnerabilities ... Heartbleed was the first instance where "normal" people were asking me if I had heard about it and if it affected me/my business.
Attribution and PR aside, branding these helps educate the public and give them something tangible to call it/discuss.
And it really makes life easier when you have to explain downtime to your clients, who are often "normal people" and won't understand what SSL is but will have seen Heartbleed on the news and will probably remember it when you say the name. (I'm not sure Shellshock got quite the same coverage, but maybe I'm wrong there.)
It looks like a sandworm from the computer games and shitty [1] film adaptation of the Dune series by Frank Herbert [2].
[1] The games were great, if unrelated to the story. The film is ridiculous and uses the books merely as backdrop.
[2] Pedantic I know, but the books had pictures on the covers that showed exactly what a sandworm should look like – e.g. visible crystal teeth of a size that could be made into a dagger (a crysknife) and a hot furnace behind – not three weird flaps around a dark mouth.
Yeah, I think they do this because if they can make a catchy name and logo, it becomes the focus of the media and I think they must pull in like a million hits or more to these articles. That is valuable if you have something to sell.
I think that soon there will be multiple names for each new vulnerability with multiple logo-ed/brand-ed info pages. And then this trend will start to die out.
But for now, you should be worried about the latest Vulnerability[tm].
"On Tuesday, October 14, 2014, iSIGHT Partners – in close collaboration with Microsoft – announced the discovery of a zero-day vulnerability..."
"Over the past 5 weeks, iSIGHT Partners worked closely with Microsoft to track and monitor the exploitation of this vulnerability..."
I'm sorry, I feel you should lose the right to call this a zero day when both you and Microsoft have known not only its existence, but the fact that it's being actively exploited for five freaking weeks. Also, am I the only one that feels this reads as a sensationalist article? I think the phrase "weaponized PowerPoint file" was what ended up pegging my meter, but the fact it's not a worm and barely fits the category of remote code execution helps.
You are right that the usage of the term is confusing in this context. I think it still communicates two critical aspects: First, this is being exploited right now in the wild (and was when it was discovered it sounds like).
Second, your Windows machines are almost certainly vulnerable right this moment, and you should update immediately.
Perhaps they could have phrased it more clearly, but considering that it sounds like a full exploit on opening a PowerPoint document, some alarm is appropriate.
I also think it was a little brash to name it "Sandworm" when it is not, as far as we know, a worm. It certainly has the potential to be used as the key exploit in a worm though.
I'm a little annoyed that they called it a worm. Malware with that description meant that the software could spread entirely under its own power from machine to machine. This is nothing more than your typical email attachment exploit, which is entirely incapable of spreading without human intervention for each attacked host.
I think another (real) Windows zero-day will be announced soon. I received an email from Rackspace giving advance notice that they will be patching all Windows servers to fix a 0day. I'm not sure why they'd take such measures for an exploit involving opening PowerPoint files...
But I expect most servers don't have any software on them related to opening emails or Office files. I would've thought that Rackspace reserves mandatory server hotfixes for only the most serious vulnerabilities (e.g. Shellshock).
> An attacker can exploit this vulnerability to execute arbitrary code but will need a specifically crafted file and use social engineering methods (observed in this campaign) to convince a user to open it
So, it's a remote exploit, but requires the user to open a document.
Maybe I'm reading into details too much, but they never said "open". They said: "specifically when handling Microsoft PowerPoint files". Outlook allows previews of office files and "handling" may be involved even before the presentation is actually opened / previewed. It's just speculation though.
It says "to convince a user to open it" in the description. If a preview was enough to execute, I'd think that is a very important point and they'd definitely mention it - I remember distinctly "previews are sufficient" mentioned in the WMF exploit when it first came out.
This exploit is delivered with a PowerPoint document, so no remote hole.
It's a bit strange that they reference a CVE (for which no information is available) and just generically describe the campaign and whatnot. The real report though is only available after a registration?
That's not really the way things should be done. If there is a threat, inform people about it and don't hide all the stuff.
To get the real report you have to give them your work email address and work phone number. The context of why they are asking for that is to make sure you're qualified to receive the information but you can be darned sure that list will make its way to the marketing department.
Use of the exploit in the wild is "attributed to Russia", but I can't see any evidence stated to support that other than "Many of the lures observed have been specific to the Ukrainian conflict with Russia and to broader geopolitical issues related to Russia." Is there actually good evidence to point the finger at Russia? It plays quite nicely into the Western agenda, so it seems an easy one to play off even if it's rooted only in suspicion.
Dear security researchers: Please stop taking time to come up with a clever name and a logo for your vulnerability. This is not a marketing event for you or your company. You are disclosing a vulnerability, not promoting your fly-by-night "consulting" company.
Trust me, if the vulnerability is important and has merit, you'll get the street cred among other security researchers and the potential employers that would hire you because of the work you did and your skills.
See Mike Lynn's massively bad RCE vuln in Cisco Routers or Dan Kaminsky's huge DNS vulnerability as examples on disclosing terrible problems with class.
If it is in the wild then it is most responsible to let firms know right now. Now the administrators can choose if they want to block said files until the patch is released.
> How to embed PowerPoint presentations in your web pages.
> Once you've created the PowerPoint presentation, embedding it on a Web page is as easy as saving it to the Web, grabbing the embed code and pasting it onto your page - no code required. Visitors to your site will then be able to page through the presentation and interact with it directly on your Web page, from within the browser and without having to have PowerPoint installed.