Emerging Threats

New Windows zero-day exploit via cyberespionage group Sandworm discovered

Written by a NortonLifeLock employee


On Tuesday October 14th, a new vulnerability was discovered in Microsoft Windows Operating Systems, affecting all supported versions of Windows, from Windows Vista Service Pack 2 up to Windows 8.1. According to the security firm, iSIGHT, this vulnerability has been exploited by a cyberespionage group known as Sandworm, to deliver malware to targeted organizations. Known targets include NATO, Ukrainian government organizations, Western European government organizations, Polish energy sector firms, European telecommunications firms, and United States academic organizations.

A security suite that helps protect your devices.

Free security software just doesn’t have the resources to keep up with new threats as they emerge. That’s why you need a multi-layered defense to security. Meet Norton Security Premium — protection for up to 10 of your devices.

Currently, these cyber criminals are sending PowerPoint documents containing malicious links via various phishing scams; however there is a possibility that these may crop up in other types of Microsoft Office documents, so users should be wary of all Office attachments from unknown senders.

Symantec considers this vulnerability critical since it allows attackers remote access to the affected computer. Since we are seeing two different payloads being used, it is possible that more than one group is using this vulnerability besides Sandworm. Symantec had identified two PowerPoint documents written in Chinese that contain this exploit.

How attackers get into your system

The operating system vulnerability lies within Microsoft’s Object Linking and Embedding (OLE) technology. This technology allows the linking and embedding of objects such as images, charts and graphs between documents and allows a user to export a document from one editing application to another.

To exploit this Windows bug, groups like Sandworm have used scams such as email phishing and social engineering, to deliver a malicious Microsoft Office PowerPoint File. Once the file is opened, malware is automatically downloaded onto the computer, which will open up a “back door” to let attackers connect to the machine, where they can load additional malware and steal data.

Stay protected

  • Immediately download and install all security patches once available from Microsoftwhen released.
  • Makesure your security software is up to date.
  • Always be cautious about emails from unknown senders, especially when containing attachments or URLs. For more information about phishing scams, read our article about how to protect yourself from phishing scams.

Am I protected by Norton?

Norton customers are protected against the malware being used in attacks exploiting this vulnerability.

All Norton security products incorporate multiple layers of defense against malicious software, including technologies that help monitor and defend against malicious threats and activity targeted at your computer.

If you are not already a Norton customer, consider taking Norton for a test drive. Microsoft has issued an "OLE packager Shim Workaround" that prevents exploitation of the vulnerability. While there is no patch available for this vulnerability, it is advised to use the Microsoft Fix it solution before a patch is available. In addition to exercising caution when opening Microsoft PowerPoint files or other files from untrusted sources, users should enable the User Account Control (UAC), if it is not already enabled.

Our best protection. One low price

Norton Security Premium helps protect up to 10 of your Windows PCs, Macs, Android smartphones or your iPads.

Editorial note: Our articles provide educational information for you. NortonLifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.

Copyright © 2020 NortonLifeLock Inc. All rights reserved. NortonLifeLock, the NortonLifeLock Logo, the Checkmark Logo, Norton, LifeLock, and the LockMan Logo are trademarks or registered trademarks of NortonLifeLock Inc. or its affiliates in the United States and other countries. Firefox is a trademark of Mozilla Foundation. Android, Google Chrome, Google Play and the Google Play logo are trademarks of Google, LLC. Mac, iPhone, iPad, Apple and the Apple logo are trademarks of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc. Alexa and all related logos are trademarks of, Inc. or its affiliates. Microsoft and the Window logo are trademarks of Microsoft Corporation in the U.S. and other countries. The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License. Other names may be trademarks of their respective owners.