Sandworm – CVE-2014-4114

A newly discovered zero-day vulnerability called Sandworm has been published today by iSight. The vulnerability affects all supported versions of Windows and is rated critical.

Attacks using the vulnerability have been seen on NATO, power and telecom companies, Western European governments and US academic organizations. All discovered attacks have been traced back to cyber-espionage out of Russia.

A short summary:

  • An exposed dangerous method vulnerability exists in the OLE package manager in Microsoft Windows and Server
  • Impacting all versions of the Windows operating system from Vista SP2 to Windows 8.1
  • Impacting Windows Server versions 2008 and 2012
  • When exploited, the vulnerability allows an attacker to remotely execute arbitrary code
  • The vulnerability exists because Windows allows the OLE packager (packager.dll) to download and execute INF files. In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packager allows a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources.
  • This will cause the referenced files to be downloaded and, in the case of INF files, to be executed with specific commands
  • An attacker can exploit this vulnerability to execute arbitrary code but will need a specially crafted file and will need to use social engineering methods (observed in this campaign) to convince a user to open it
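
As an added example (not code from iSight, Microsoft or the original post), here is a defensive triage check for the behaviour summarised above: it scans the embedded-object parts of an Office Open XML file for UNC paths and flags references to INF files. It goes beyond PowerPoint to any OOXML container. The `embeddings/` part location, the readable-text path heuristic, the size limit, the severity labels and the sample data (documentation address 198.51.100.7) are assumptions.

```python
import io
import re
import zipfile

# \\host\share\...\name, limited to characters common in file names.
UNC_RE = re.compile(rb"\\\\[\w.-]+(?:\\[\w .$()-]+)+")
SETUP_EXTS = {"inf"}          # the file type the page says gets executed
MAX_PART = 16 * 1024 * 1024   # skip oversized parts (assumed limit)


def unc_paths(blob):
    """Return UNC paths stored as ASCII or UTF-16LE text in a binary blob."""
    found = []
    # blob[0::2] and blob[1::2] collapse UTF-16LE text at either alignment.
    for view in (blob, blob[0::2], blob[1::2]):
        for match in UNC_RE.finditer(view):
            path = match.group().decode("ascii").rstrip(" .")
            if path not in found:
                found.append(path)
    return found


def scan_ooxml(data):
    """List (part, path, severity) for external references in embedded objects."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if "/embeddings/" not in info.filename or info.file_size > MAX_PART:
                continue
            for path in unc_paths(zf.read(info)):
                leaf = path.rsplit("\\", 1)[-1]
                ext = leaf.rsplit(".", 1)[-1].lower() if "." in leaf else ""
                findings.append((info.filename, path,
                                 "high" if ext in SETUP_EXTS else "review"))
    return findings


def build_sample():
    """Constructed fixture: a ZIP with one fake embedded part (not a real OLE object)."""
    part = (b"\x02\x00constructed\x00"
            b"\\\\198.51.100.7\\public\\image.gif\x00"
            + "\\\\198.51.100.7\\public\\setup.inf".encode("utf-16-le") + b"\x00\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        zf.writestr("ppt/embeddings/oleObject1.bin", part)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_ooxml(build_sample()):
        print(*finding, sep="  ")
```

A hit is a reason to inspect the file, not proof of exploitation; legitimate documents can also link to files on network shares.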

The properties of the affected file from Windows 8.1


According to information, Microsoft will release a patch for this vulnerability today (MS14-060). And as a part of the security bulletin Microsoft will describe a list of workarounds to the vulnerability. These workarounds should help mitigate the risk of exploitation while the patching process unfolds.

More information can be found at iSight's web site:

Killer feature in IIS 8.5!

Certificate Rebind in IIS?

So what is it then? It's a function to automatically replace an SSL certificate bound to a web site. If the certificate is renewed then the old one will be replaced with the new one. Great, isn't it?


How does this work?

When you enable Certificate Rebind a task will be added to the Task Scheduler which is triggered by the event ID for certificate renewal (event ID 1001). When a certificate is renewed, a function called “Certificate Services Lifecycle Notifications”, which keeps track of certificate-related stuff, writes the renewal event to the event log and the rebind process starts. It simply provides appcmd.exe with the thumbprints of the expired and the new certificate.

Then appcmd locates all websites on that server that use the old cert. It unbinds the old cert and binds the new cert to the affected websites. And this works for both manually enrolled and autoenrolled certificates.

If you are really interested this is the command line:

appcmd.exe renew binding /oldcert:$(OldCertHash) /newcert:$(NewCertHash)


What triggers Event ID 1001?

EventID 1001

Details:

  • Action (see Sources)
  • For old and new certificate: template, subject names, EKUs, thumbprint

Sources:

  • Renewal via autoenrollment (action=renew)
  • Enrollment for a superseding (action=supersede)
  • Renewal via MMC enrollment (action=renew)
  • Renewal via certreq.exe (action=renew)
  • Manually replacing one cert with another using Replace-Certificate PowerShell CmdLet (action=replace)


Note: If you want to use autoenrollment and the cert has a DNS name and SAN attribute, you have to enable “Use subject information from existing certificates for autoenrollment renewal requests” on the template.


Can this be done any other way and on other systems than IIS?

Sure! By using PowerShell you can create custom tasks that are triggered by events created by “Certificate Services Lifecycle Notifications”.


More info:

An excellent article on certificate rebind can be found here:

How to renew web server certificates automatically?

Certificate Services Lifecycle Notifications


But be aware! There are some pitfalls and you should have some kind of idea about what you are doing! And remember: Keep it simple!!