Sandworm – CVE-2014-4114

A newly discovered zero-day vulnerability called Sandworm have been published today by iSight ( The vulnerability affects all supported versions of Windows and is set to critical.

Attacks using the vulnerability have been seen on Nato, Power and Telecom companies, Western European governments and US academic organizations. All discovered attacks have been traced back to cyber-espionage out of Russia.

A short summary:

  • An exposed dangerous method vulnerability exists in the OLE package manager in Microsoft Windows and Server
  • Impacting all versions of the Windows operating system from Vista SP2 to Windows 8.1
  • Impacting Windows Server versions 2008 and 2012
  • When exploited, the vulnerability allows an attacker to remotely execute arbitrary code
  • The vulnerability exists because Windows allows the OLE packager (packager.dll) to download and execute INF files. In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packagers allows a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources.
  • This will cause the referenced files to be downloaded in the case of INF files, to be executed with specific commands
  • An attacker can exploit this vulnerability to execute arbitrary code but will need a specifically crafted file and use social engineering methods (observed in this campaign) to convince a user to open it

The properties of the effected file from Windows 8.1


According to information, Microsoft will release a patch for this vulnerability today (MS14-060). And as a part of the security bulletin Microsoft will describe a list of workarounds to the vulnerability. These workarounds should help mitigate the risk of exploitation while the patching process unfolds.

More information can be found at Isights web site: