Microsoft Security Bulletin MS14-064 - Critical

Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443)

Published: November 11, 2014

Version: 1.0

This security update resolves two privately reported vulnerabilities in Microsoft Windows Object Linking and Embedding (OLE). The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for all supported editions of Microsoft Windows. For more information, see the Affected Software section.

The security update addresses the vulnerabilities by modifying how the affected operating systems validate the use of memory when OLE objects are accessed, and by modifying how Internet Explorer handles objects in memory. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability. 

This security update also addresses the vulnerability first described in Microsoft Security Advisory 3010060.

For more information about this document, see Microsoft Knowledge Base Article 3011443.

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

Operating System

Maximum Security Impact

Aggregate Severity Rating

Updates Replaced

Windows Server 2003

Windows Server 2003 Service Pack 2
(3006226)

Remote Code Execution

Critical

2476490 in MS11-038

Windows Server 2003 x64 Edition Service Pack 2
(3006226)

Remote Code Execution

Critical

2476490 in MS11-038

Windows Server 2003 with SP2 for Itanium-based Systems
(3006226)

Remote Code Execution

Critical

2476490 in MS11-038

Windows Vista

Windows Vista Service Pack 2
(3006226)

Remote Code Execution

Critical

2476490 in MS11-038

Windows Vista Service Pack 2
(3010788)

Remote Code Execution

Important

3000869 in MS14-060

Windows Vista x64 Edition Service Pack 2
(3006226)

Remote Code Execution

Critical

2476490 in MS11-038

Windows Vista x64 Edition Service Pack 2
(3010788)

Remote Code Execution

Important

3000869 in MS14-060

Windows Server 2008

Windows Server 2008 for 32-bit Systems Service Pack 2
(3006226)

Remote Code Execution

Critical

2476490 in MS11-038

Windows Server 2008 for 32-bit Systems Service Pack 2
(3010788)

Remote Code Execution

Important

3000869 in MS14-060

Windows Server 2008 for x64-based Systems Service Pack 2
(3006226)

Remote Code Execution

Critical

2476490 in MS11-038

Windows Server 2008 for x64-based Systems Service Pack 2
(3010788)

Remote Code Execution

Important

3000869 in MS14-060

Windows Server 2008 for Itanium-based Systems Service Pack 2
(3006226)

Remote Code Execution

Critical

2476490 in MS11-038

Windows Server 2008 for Itanium-based Systems Service Pack 2
(3010788)

Remote Code Execution

Important

3000869 in MS14-060

Windows 7

Windows 7 for 32-bit Systems Service Pack 1
(3006226)

Remote Code Execution

Critical

2476490 in MS11-038

Windows 7 for 32-bit Systems Service Pack 1
(3010788)

Remote Code Execution

Important

3000869 in MS14-060

Windows 7 for x64-based Systems Service Pack 1
(3006226)

Remote Code Execution

Critical

2476490 in MS11-038

Windows 7 for x64-based Systems Service Pack 1
(3010788)

Remote Code Execution

Important

3000869 in MS14-060

Windows Server 2008 R2

Windows Server 2008 R2 for x64-based Systems Service Pack 1
(3006226)

Remote Code Execution

Critical

2476490 in MS11-038

Windows Server 2008 R2 for x64-based Systems Service Pack 1
(3010788)

Remote Code Execution

Important

3000869 in MS14-060

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
(3006226)

Remote Code Execution

Critical

2476490 in MS11-038

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
(3010788)

Remote Code Execution

Important

3000869 in MS14-060

Windows 8 and Windows 8.1

Windows 8 for 32-bit Systems
(3006226)

Remote Code Execution

Critical

None

Windows 8 for 32-bit Systems
(3010788)

Remote Code Execution

Important

3000869 in MS14-060

Windows 8 for x64-based Systems
(3006226)

Remote Code Execution

Critical

None

Windows 8 for x64-based Systems
(3010788)

Remote Code Execution

Important

3000869 in MS14-060

Windows 8.1 for 32-bit Systems
(3006226)

Remote Code Execution

Critical

None

Windows 8.1 for 32-bit Systems
(3010788)

Remote Code Execution

Important

3000869 in MS14-060

Windows 8.1 for x64-based Systems
(3006226)

Remote Code Execution

Critical

None

Windows 8.1 for x64-based Systems
(3010788)

Remote Code Execution

Important

3000869 in MS14-060

Windows Server 2012 and Windows Server 2012 R2

Windows Server 2012
(3006226)

Remote Code Execution

Critical

None

Windows Server 2012
(3010788)

Remote Code Execution

Important

3000869 in MS14-060

Windows Server 2012 R2
(3006226)

Remote Code Execution

Critical

None

Windows Server 2012 R2
(3010788)

Remote Code Execution

Important

3000869 in MS14-060

Windows RT and Windows RT 8.1

Windows RT[1]
(3006226)

Remote Code Execution

Critical

None

Windows RT[1]
(3010788)

Remote Code Execution

Important

3000869 in MS14-060

Windows RT 8.1[1]
(3006226)

Remote Code Execution

Critical

None

Windows RT 8.1[1]
(3010788)

Remote Code Execution

Important

3000869 in MS14-060

Server Core installation option

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
(3006226)

Remote Code Execution

Critical

None

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
(3006226)

Remote Code Execution

Critical

None

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
(3006226)

Remote Code Execution

Critical

None

Windows Server 2012 (Server Core installation)
(3006226)

Remote Code Execution

Critical

None

Windows Server 2012 R2 (Server Core installation)
(3006226)

Remote Code Execution

Critical

None

[1] This update is available via Windows Update only.

Note Windows Technical Preview and Windows Server Technical Preview are affected. Customers running these operating systems are encouraged to apply the update, which is available via Windows Update

The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the November bulletin summary.

Vulnerability Severity Rating and Maximum Security Impact by Affected Software

Affected Software

Windows OLE Automation Array Remote Code Execution Vulnerability - CVE-2014-6332
(3006226)

Windows OLE Remote Code Execution Vulnerability - CVE-2014-6352
(3010788)

Aggregate Severity Rating

Windows Server 2003

Windows Server 2003 Service Pack 2

Critical 
Remote Code Execution

Not applicable

Critical

Windows Server 2003 x64 Edition Service Pack 2

Critical 
Remote Code Execution

Not applicable

Critical

Windows Server 2003 with SP2 for Itanium-based Systems

Critical 
Remote Code Execution

Not applicable

Critical

Windows Vista

Windows Vista Service Pack 2

Critical 
Remote Code Execution

Important
Remote Code Execution

Critical

Windows Vista x64 Edition Service Pack 2

Critical 
Remote Code Execution

Important
Remote Code Execution

Critical

Windows Server 2008

Windows Server 2008 for 32-bit Systems Service Pack 2

Critical 
Remote Code Execution

Important
Remote Code Execution

Critical

Windows Server 2008 for x64-based Systems Service Pack 2

Critical 
Remote Code Execution

Important
Remote Code Execution

Critical

Windows Server 2008 for Itanium-based Systems Service Pack 2

Critical 
Remote Code Execution

Important
Remote Code Execution

Critical

Windows 7

Windows 7 for 32-bit Systems Service Pack 1

Critical 
Remote Code Execution

Important
Remote Code Execution

Critical

Windows 7 for x64-based Systems Service Pack 1

Critical 
Remote Code Execution

Important
Remote Code Execution

Critical

Windows Server 2008 R2

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Critical 
Remote Code Execution

Important
Remote Code Execution

Critical

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Critical 
Remote Code Execution

Important
Remote Code Execution

Critical

Windows 8 and Windows 8.1

Windows 8 for 32-bit Systems

Critical 
Remote Code Execution

Important
Remote Code Execution

Critical

Windows 8 for x64-based Systems

Critical 
Remote Code Execution

Important
Remote Code Execution

Critical

Windows 8.1 for 32-bit Systems

Critical 
Remote Code Execution

Important
Remote Code Execution

Critical

Windows 8.1 for x64-based Systems

Critical 
Remote Code Execution

Important
Remote Code Execution

Critical

Windows Server 2012 and Windows Server 2012 R2

Windows Server 2012

Critical 
Remote Code Execution

Important
Remote Code Execution

Critical

Windows Server 2012 R2

Critical 
Remote Code Execution

Important
Remote Code Execution

Critical

Windows RT and Windows RT 8.1

Windows RT

Critical 
Remote Code Execution

Important
Remote Code Execution

Critical

Windows RT 8.1

Critical 
Remote Code Execution

Important
Remote Code Execution

Critical

Server Core installation option

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)

Critical 
Remote Code Execution

Not applicable

Critical

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

Critical 
Remote Code Execution

Not applicable

Critical

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Critical 
Remote Code Execution

Not applicable

Critical

Windows Server 2012 (Server Core installation)

Critical 
Remote Code Execution

Not applicable

Critical

Windows Server 2012 R2 (Server Core installation)

Critical 
Remote Code Execution

Not applicable

Critical

 

A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers. This update addresses the vulnerability by modifying the way that the affected operating systems validate the use of memory when OLE objects are accessed, and by modifying the way that Internet Explorer handles objects in memory.

Mitigating Factors

The following mitigating factors may be helpful in your situation:

  • An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
  • In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by getting them to open an attachment sent through email.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

FAQ

What might an attacker use the vulnerability to do? 
An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability? 
An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by getting them to open an attachment sent through email.

What systems are primarily at risk from the vulnerability? 
Systems where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability.

A remote code execution vulnerability exists in the context of the current user that is caused when a user downloads, or receives, and then opens a specially crafted Microsoft Office file that contains OLE objects. Microsoft first received information about this vulnerability through coordinated vulnerability disclosure. This vulnerability was first described in Microsoft Security Advisory 3010060. Microsoft is aware of limited attacks that attempt to exploit this vulnerability. This update addresses the vulnerability by modifying the way that the affected operating systems validate the use of memory when OLE objects are accessed.

Mitigating Factors

The following mitigating factors may be helpful in your situation:

  • In observed attacks, User Account Control (UAC) displays a consent prompt or an elevation prompt, depending on the privileges of the current user, before a file containing the exploit is executed. UAC is enabled by default on Windows Vista and newer releases of Microsoft Windows.
  • An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
  • In a web-based attack scenario, an attacker could host a webpage that contains a specially crafted Office file that is used to attempt to exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.
  • Files from the Internet and from other potentially unsafe locations can contain viruses, worms, or other kinds of malware that can harm your computer. To help protect your computer, files from these potentially unsafe locations are opened in Protected View. By using Protected View, you can read a file and see its contents while reducing the risks. Protected View is enabled by default.

Workarounds

The following workarounds may be helpful in your situation:

  • Apply the Microsoft Fix it solution, "OLE packager Shim Workaround", that prevents exploitation of the vulnerability
    See Microsoft Knowledge Base Article 3010060 to use the automated Microsoft Fix it solution to enable or disable this workaround. 
     
    Dn817438.note(en-us,Security.10).gifNote:
    The Fix it solution is available for Microsoft PowerPoint on 32-bit and x64-based editions of Microsoft Windows, with the exception of 64-bit editions of PowerPoint on x64-based editions of Windows 8 and Windows 8.1. 

  • Do not open Microsoft PowerPoint files, or other files, from untrusted sources
    Do not open Microsoft PowerPoint files that you receive from untrusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted file. 

  • Enable User Account Control (UAC)
    Note
    User Account Control is enabled by default.
    1. Do one of the following to open Control Panel:
      1. Click Start, and then click Control Panel.
      2. Press the Windows logo key + s, type Control Panel, then open the Control Panel app.
    2. In Control Panel, click User Accounts (or User Accounts and Family Safety).
    3. In the User Accounts window, click User Accounts.
    4. In the User Accounts tasks window, click Turn User Account Control on or off (or Change User Account Control settings).
    5. If UAC is currently configured in Admin Approval Mode, a UAC message appears; click Continue.
    6. Click the check box "Use User Account Control (UAC) to help protect your computer", and then click OK.
    7. Do one of the following:
      1. Click Restart Now to apply the change right away.
      2. Click Restart Later.
    8. Close the User Accounts tasks window.

       
  • Deploy the Enhanced Mitigation Experience Toolkit 5.0 and configure Attack Surface Reduction
    The Attack Surface Reduction feature in EMET 5.0 can help block current attacks. You need to add configuration to the standard one in order to be protected. 
    1. Create a new file with the content below:
      <EMET Version="5.0.5324.31801">
        <Settings />
        <EMET_Apps>
          <AppConfig Path="*" Executable="dllhost.exe">
            <Mitigation Name="DEP" Enabled="false" />
            <Mitigation Name="SEHOP" Enabled="false" />
            <Mitigation Name="NullPage" Enabled="false" />
            <Mitigation Name="HeapSpray" Enabled="false" />
            <Mitigation Name="EAF" Enabled="false" />
            <Mitigation Name="EAF+" Enabled="false" />
            <Mitigation Name="MandatoryASLR" Enabled="false" />
            <Mitigation Name="BottomUpASLR" Enabled="false" />
            <Mitigation Name="LoadLib" Enabled="false" />
            <Mitigation Name="MemProt" Enabled="false" />
            <Mitigation Name="Caller" Enabled="false" />
            <Mitigation Name="SimExecFlow" Enabled="false" />
            <Mitigation Name="StackPivot" Enabled="false" />
            <Mitigation Name="ASR" Enabled="true">
              <asr_modules>packager.dll</asr_modules>
            </Mitigation>
          </AppConfig>
          <AppConfig Path="*\OFFICE1*" Executable="POWERPNT.EXE">
            <Mitigation Name="DEP" Enabled="true" />
            <Mitigation Name="SEHOP" Enabled="true" />
            <Mitigation Name="NullPage" Enabled="true" />
            <Mitigation Name="HeapSpray" Enabled="true" />
            <Mitigation Name="EAF" Enabled="true" />
            <Mitigation Name="EAF+" Enabled="false" />
            <Mitigation Name="MandatoryASLR" Enabled="true" />
            <Mitigation Name="BottomUpASLR" Enabled="true" />
            <Mitigation Name="LoadLib" Enabled="true" />
            <Mitigation Name="MemProt" Enabled="true" />
            <Mitigation Name="Caller" Enabled="true" />
            <Mitigation Name="SimExecFlow" Enabled="true" />
            <Mitigation Name="StackPivot" Enabled="true" />
            <Mitigation Name="ASR" Enabled="true">
              <asr_modules>flash*.ocx;packager.dll</asr_modules>
            </Mitigation>
          </AppConfig>
        </EMET_Apps>
      </EMET>
      
      
      
    2. Save this file as EMET_CVE-2014-6352.xml.
    3. From the EMET user interface, click Import from the File ribbon.
    4. Select the EMET_CVE-2014-6352.xml file and click Open.
    5. Alternatively, run this command from a Command Prompt with elevated privileges to import the saved script "EMET_CVE-2014-6532.xml" into EMET:
      EMET_Conf.exe  --import EMET_CVE-2014-6352.xml
      
      

 

FAQ

Are there additional security issues addressed in this update? 
While the root cause for the vulnerability described in this security bulletin is addressed with the provided security update, defense-in-depth fixes are provided for Microsoft PowerPoint to mitigate the attack initially described in Microsoft Security Advisory 3010060. These fixes can be found in supported versions of Microsoft PowerPoint respectfully in Microsoft Knowledge Base Articles, 2597972, 2878251, and 2889936.

What might an attacker use the vulnerability to do? 
An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability? 
User interaction is required to exploit this vulnerability. For an attack to be successful by sending an email message to a locally logged-on user, the user must open an attachment that contains a specially crafted OLE object. Many different types of attached documents can contain the affected OLE objects. All Office file types as well as many other third-party file types could contain a malicious OLE object.

In an email attack scenario, an attacker could exploit the vulnerability by sending a specially-crafted file to the user and persuading the user to open the file.

In a web-based attack scenario, an attacker would have to host a website that contains a PowerPoint file that is used to attempt to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a malicious website. Instead, an attacker would have to persuade them to visit the website, typically by getting them to click a link that takes them to the attacker's site.

What systems are primarily at risk from the vulnerability? 
Microsoft Windows servers and clients that open specially crafted Microsoft Office data files that contain OLE objects are primarily at risk.

For Security Update Deployment information, see the Microsoft Knowledge Base article referenced here in the Executive Summary.

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

  • V1.0 (November 11, 2014): Bulletin published.

Page generated 2015-01-14 11:18Z-08:00.
Show: