A new Windows zero-day flaw has just been unearthed, and worryingly, this vulnerability is already being exploited in the wild with reports of a few installations being compromised.
Interestingly, it affects all versions of Windows, except for Windows Server 2003 — ironic, because this is the version of the operating system that is set for retirement very soon.
Anyway, this is a glitch in Microsoft OLE (Object Linking and Embedding) technology, and a rather serious one at that, since it gives attackers remote code execution.
Microsoft is expected to provide a patch, though it is not known whether it would be released on Update Tuesday or out-of-band. Since this is a serious vulnerability, chances are we might get one as soon as the company develops and tests a fix.
Redmond has provided this security advisory, though.
And the company says that it is aware of limited, targeted attacks against select computers. Cyber espionage, perhaps?
The flaw has been labeled (CVE-2014-6352), and Microsoft says that this vulnerability is exploited through PowerPoint documents. OLE is widely used in Microsoft Office to create and edit documents that embed data in multiple formats.
Microsoft has also rolled out a Fix It solution that takes care of this PowerPoint attack on most Office suites. However, the 64-bit versions of PowerPoint on Windows 8, 8.1, Windows Server 2012, and Server 2012 R2 are not covered by this workaround, which ultimately makes it somewhat limited.
Worryingly, as reported here by McAfee, attackers are still exploiting the OLE packager weakness, with the result that a second zero-day, (CVE-2014-6352), is now being leveraged as well.
Fingers crossed for a quick solution from Microsoft on this pressing security concern.