The 2015 Pwnie Nominee For Best Client-Side Bug

Sandworm (CVE-2014-4114)



Credit: Unknown

The CVE-2014-4114 (a.k.a. the “Sandworm”) zero-day attack was first disclosed by iSIGHT Partners in October 2014, it’s believed to be used in Russian cyber-espionage campaigns targeting many sensitive organizations including the NATO. For the technical part, the most interesting point is that this is a logic bug (better considering it’s a “feature”, yeah!) in the “Packager” OLE object, which allows Office to perform context menu actions on embedded file object automatically. Since it’s a logic bug, the exploit runs quite smoothly and reliably, even with effective exploitation mitigation tools such as EMET installed. All these have made the vulnerability become the premier choice for later exploit kits and cyber attacks that target Office. Another interesting point is that Microsoft failed to patch the bug (though they did stop the original exploit samples) in its initial fix MS14-060, the vulnerability was finally resolved in the 2nd fix MS14-064 with a new ID CVE-2014-6352 assigned.