Authored by a Symantec employee
On Tuesday October 14th, a new vulnerability was discovered in Microsoft Windows Operating Systems, affecting all supported versions of Windows, from Windows Vista Service Pack 2 up to Windows 8.1. According to the security firm, iSIGHT, this vulnerability has been exploited by a cyberespionage group known as Sandworm, to deliver malware to targeted organizations. Known targets include NATO, Ukrainian government organizations, Western European government organizations, Polish energy sector firms, European telecommunications firms, and United States academic organizations.
Currently, these cyber criminals are sending PowerPoint documents containing malicious links via various phishing scams; however there is a possibility that these may crop up in other types of Microsoft Office documents, so users should be wary of all Office attachments from unknown senders.
Symantec considers this vulnerability critical since it allows attackers remote access to the affected computer. Since we are seeing two different payloads being used, it is possible that more than one group is using this vulnerability besides Sandworm. Symantec had identified two PowerPoint documents written in Chinese that contain this exploit.
How attackers get into your system
The operating system vulnerability lies within Microsoft’s Object Linking and Embedding (OLE) technology. This technology allows the linking and embedding of objects such as images, charts and graphs between documents and allows a user to export a document from one editing application to another.
To exploit this Windows bug, groups like Sandworm have used scams such as email phishing and social engineering, to deliver a malicious Microsoft Office PowerPoint File. Once the file is opened, malware is automatically downloaded onto the computer, which will open up a “back door” to let attackers connect to the machine, where they can load additional malware and steal data.
- Immediately download and install all security patches once available from Microsoftwhen released.
- Makesure your security software is up to date.
- Always be cautious about emails from unknown senders, especially when containing attachments or URLs. For more information about phishing scams, read our article about how to protect yourself from phishing scams.
Am I protected by Norton?
Norton and Symantec customers are protected against the malware being used in attacks exploiting this vulnerability.
All Norton security products (including Norton Antivirus, Norton Internet Security, Norton360 and the new Norton Security) incorporate multiple layers of defense against malicious software, including technologies that help monitor and defend against malicious threats and activity targeted at your computer.
If you are not already a Norton customer, consider taking Norton for a test drive. Microsoft has issued an "OLE packager Shim Workaround" that prevents exploitation of the vulnerability. While there is no patch available for this vulnerability, it is advised to use the Microsoft Fix it solution before a patch is available. In addition to exercising caution when opening Microsoft PowerPoint files or other files from untrusted sources, users should enable the User Account Control (UAC), if it is not already enabled.
Symantec Corporation, the world’s leading cyber security company, allows organizations, governments, and people to secure their most important data wherever it lives. More than 50 million people and families rely on Symantec’s Norton and LifeLock comprehensive digital safety platform to help protect their personal information, devices, home networks, and identities.
© 2017 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Norton, Norton by Symantec, LifeLock, and the Lockman Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the United States and other countries. Firefox is a trademark of Mozilla Foundation. Google Chrome is a trademark of Google, Inc. Mac, iPhone and iPad are trademarks of Apple Inc. Microsoft and the Windows logo are trademarks of Microsoft Corporation in the United States and/or other countries. The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License. Other names may be trademarks of their respective owners.