Multiple active zero-day vulnerabilities patched today

UPDATED. Today's updates address serious holes in Windows that have been exploited for some time. The attackers exhibit a high level of sophistication.

Today's updates to Microsoft Windows will address at least three zero-day vulnerabilities being exploited in the wild.


Two of the vulnerabilities were revealed to Microsoft by FireEye Labs, and are patched as part of MS14-058. They are designated CVE-2014-4148 and CVE-2014-4113 and both are being exploited.

The two exploits appear to have been built for use in concert, but FireEye emphasizes: "We have no evidence of these exploits being used by the same actors. Instead, we have only observed each exploit being used separately, in unrelated attacks."

CVE-2014-4148 exploits a flaw in TrueType font processing. TTF processing is performed in kernel mode as part of the GDI and has been the source of critical vulnerabilities in the past.

Exploits of this vulnerability have been adapted by the attackers to several versions of Windows:

  • Windows 8.1/Windows Server 2012 R2
  • Windows 8/Windows Server 2012
  • Windows 7/Windows Server 2008 R2 (Service Pack 0 and 1)
  • Windows XP Service Pack 3

The vulnerability affects both 32-bit and 64-bit versions of the OS, but the attacks have only been observed against 32-bit systems.

CVE-2014-4113 is a local Elevation of Privilege (EoP) attack that affects all versions of Windows. The exploit observed by FireEye affects Windows 7, Vista, XP, Windows 2000, Windows Server 2003/R2, and Windows Server 2008/R2, but not Windows 8.x or Windows Server 2012 or R2. New defensive technologies in Windows, specifically Null Page protection for 32-bit code and Supervisor Mode Execution Prevention for 64-bit code, block the exploit.

Update on October 14: An earlier version of this story stated that Windows 8.x and Windows Server 2012 and R2 were not vulnerable to CVE-2014-4113. They are, but the exploit observed by FireEye does not work on those versions.

The third, announced by iSight Partners, has been used by a cyberespionage gang to target many organizations in the US, Ukraine, Poland and western Europe.

The vulnerability, which iSight says is trivially exploitable, has been in use since 2009. The attack is delivered via highly targeted spear phishing emails, luring the user to open a PowerPoint file with embedded exploit code. Once in control of the system, the attack downloads and executes the Black Energy malware.

A fourth zero-day, CVE-2014-4123, was patched as part of MS14-056. It is another EoP vulnerability. No further details were available for it other than that it was revealed to Microsoft by James Forshaw of Context Information Security.