Wait a minute – didn’t Microsoft just issue a patch for a remote code execution vulnerability in Windows Object Linking and Embedding (OLE)? The answer is “yes”; on this month’s Patch Tuesday (October 11), MS14-060 (KB3000869) addressed a problem with the way OLE objects are activated in Windows. But that doesn’t mean the trouble with OLE is over.

Today (October 21) Microsoft put out another security advisory regarding OLE. Once again, opening a maliciously crafted Office file could expose a system to attack if someone exploits this vulnerability. And the bad news is that Microsoft is already aware of attempts to exploit this vulnerability via PowerPoint files. So far, the attacks appear to be limited and targeted. A successful attempt could result in the attacker obtaining the same privileges as the user who’s logged on, so the ramifications could be particularly serious if a user is logged on with administrative privileges.

The operating systems that contain this vulnerability include all currently supported versions of Windows client and server, including Windows RT and RT 8.1. The good news is that if User Account Control is enabled on Windows client systems (as it is by default on Vista and above), the attack can’t succeed unless the user enables it by clicking on the UAC prompt, which limits the ability of an attacker to carry out an attack. In addition, opening Office files in Protected View can allow users to see the contents without the risk.

Microsoft has not yet completed the investigation of this issue or issued a patch. They have, however, suggested workarounds to prevent or reduce the risk of exploitation of the vulnerability in the meantime. These include:

  • Avoiding the opening of PowerPoint files from untrusted sources.
  • Enabling UAC if it has been disabled.
  • Applying the automated Fix It solution called OLE packager Shim Workaround.
  • Deploying the Enhanced Mitigation Experience Toolkit (EMET) 5.0 and using the Attack Surface Reduction feature.
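Because the UAC mitigation only helps where a prompt actually appears, it is worth verifying on each client. The following read-only PowerShell audit is an added example, not part of Microsoft's advisory or the Fix It solution; the function name `Get-UacAudit` is hypothetical, and the registry values it reads are the standard Windows UAC policy values rather than anything named on this page.

```powershell
# Added example: audit the UAC settings that the advisory's mitigation relies on.
# Read-only; it reports state and changes nothing.
$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacAudit {
    param([string]$Path = $UacPolicyKey)

    $p = Get-ItemProperty -Path $Path -ErrorAction Stop
    $findings = @()

    # EnableLUA other than 1 (or missing) means UAC is switched off entirely.
    if ($p.EnableLUA -ne 1) {
        $findings += 'EnableLUA is not 1: UAC is disabled'
    }
    # ConsentPromptBehaviorAdmin = 0 elevates administrators silently,
    # so the user never sees a prompt to decline.
    if ($p.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin is 0: administrators elevate without a prompt'
    }
    # PromptOnSecureDesktop = 0 shows the prompt on the normal interactive desktop.
    if ($p.PromptOnSecureDesktop -eq 0) {
        $findings += 'PromptOnSecureDesktop is 0: prompt is not shown on the secure desktop'
    }

    # Report whether this session already holds an administrator token,
    # since the attacker inherits the logged-on user's privileges.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # New-Object PSObject keeps this compatible with PowerShell 2.0 (Windows 7).
    New-Object PSObject -Property @{
        Computer                   = $env:COMPUTERNAME
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        SessionElevated            = $elevated
        Findings                   = $findings
        UacPromptEffective         = ($findings.Count -eq 0)
    }
}

Get-UacAudit | Format-List
```

An empty `Findings` list means UAC is on and will prompt; `SessionElevated` is reported separately because it describes the current session rather than the policy.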

You can find out more about this vulnerability and get the link to the Fix It solution in KB article 3010060 on the Microsoft Support web site:
https://support.microsoft.com/kb/3010060

Note that the Fix It solution does not apply to the following operating system/PowerPoint combinations:

  • 64 bit PowerPoint 2007 on 64 bit versions of Windows 8/8.1 and Server 2012/2012 R2
  • 64 bit PowerPoint 2010 on 64 bit versions of Windows 8/8.1 and Server 2012/2012 R2
  • 64 bit PowerPoint 2013 on 64 bit versions of Windows 8/8.1 and Server 2012/2012 R2

The workarounds and fixes above shouldn’t be considered substitutes for a security update. Until a patch is released, this is considered a zero day vulnerability. This latest OLE vulnerability was reported to Microsoft by researchers from Google and McAfee.