to Microsoft Windows will address at least three zero-day vulnerabilities being exploited in the wild.
The two attacks appear to be built for use in concert, but FireEye emphasizes: "We have no evidence of these exploits being used by the same actors. Instead, we have only observed each exploit being used separately, in unrelated attacks."
CVE-2014-4148 is a flaw in TrueType font (TTF) processing. TTF parsing is performed in kernel mode as part of GDI (in win32k.sys), so a malformed font file can yield kernel-level code execution; this code has been the source of critical vulnerabilities in the past.
Exploits of this vulnerability have been adapted by the attackers to several versions of Windows:
- Windows 8.1/Windows Server 2012 R2
- Windows 8/Windows Server 2012
- Windows 7/Windows Server 2008 R2 (Service Pack 0 and 1)
- Windows XP Service Pack 3
The vulnerability affects both 32-bit and 64-bit versions of the OS, but the attacks have only been observed against 32-bit systems.
CVE-2014-4113 is a local Elevation of Privilege (EoP) vulnerability that affects all versions of Windows. The exploit observed by FireEye works on Windows 7, Vista, XP, Windows 2000, Windows Server 2003/R2, and Windows Server 2008/R2, but not on Windows 8.x or Windows Server 2012/R2. Newer defensive technologies in Windows, specifically Null Page protection for 32-bit code and Supervisor Mode Execution Prevention (SMEP) for 64-bit code, block this particular exploit.
Update on October 14: An earlier version of this story stated that Windows 8.x and Windows Server 2012 and R2 were not vulnerable to CVE-2014-4113. They are, but the exploit observed by FireEye does not work on those versions.
The other has been used by a cyberespionage gang to target many organizations in the US, Ukraine, Poland and western Europe.
The vulnerability, which iSight says is trivially exploitable, has been in use since 2009. The attack is delivered via highly targeted spear-phishing emails that lure the user into opening a PowerPoint file with embedded exploit code. Once the exploit runs, it downloads and executes the BlackEnergy malware.
A fourth zero-day, CVE-2014-4123, was patched as part of MS14-056. It is another EoP vulnerability. No further details were available for it other than that it was reported to Microsoft by James Forshaw of Context Information Security.
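An admin reading this will want to know which of their hosts fall into the version lists above and whether the fixes are in place. The following PowerShell is an added example, not code from the article or from FireEye; it encodes the affected-version lists for CVE-2014-4148 and the "observed exploit fails on Windows 8 / Server 2012 and later" rule for CVE-2014-4113, and checks installed hotfixes. The KB numbers are assumptions (MS14-058 is assumed to be KB3000061 and MS14-056 to be KB2987107) and must be verified against the Microsoft bulletin pages before use; the PowerPoint zero-day is not checked because its bulletin is not named on this page.

```powershell
# Added example (not from the original article): triage one Windows host against
# the October 2014 zero-days discussed above.
# ASSUMPTIONS to verify against the bulletins:
#   MS14-058 (CVE-2014-4113, CVE-2014-4148) -> KB3000061
#   MS14-056 (CVE-2014-4123)                -> KB2987107
function Get-Oct2014ZeroDayExposure {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$KernelFixKB  = 'KB3000061',   # assumed KB for MS14-058; verify
        [string]$IeFixKB      = 'KB2987107'    # assumed KB for MS14-056; verify
    )

    $os   = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    $ver  = [version]$os.Version                       # e.g. 6.1.7601 = Windows 7 SP1
    $is64 = $os.OSArchitecture -like '64*'
    $hotfixes = Get-HotFix -ComputerName $ComputerName |
        Select-Object -ExpandProperty HotFixID

    # Version families the article lists for the CVE-2014-4148 exploit:
    #   5.1 = XP (SP3 only), 6.1 = Win7 / 2008 R2, 6.2 = Win8 / 2012, 6.3 = Win8.1 / 2012 R2
    $family = '{0}.{1}' -f $ver.Major, $ver.Minor
    $ttfExploitTargetsOS = @('5.1', '6.1', '6.2', '6.3') -contains $family
    if ($family -eq '5.1') {
        $ttfExploitTargetsOS = $os.ServicePackMajorVersion -ge 3
    }

    # The observed CVE-2014-4113 exploit is stopped on 6.2+ by Null Page
    # protection (32-bit) and SMEP (64-bit); the bug itself is still present
    # on every version until the kernel-mode driver fix is installed.
    $eopObservedExploitWorks = $ver -lt [version]'6.2'

    [pscustomobject]@{
        ComputerName                 = $ComputerName
        OSVersion                    = $os.Version
        Is64Bit                      = $is64
        KernelFixInstalled           = ($hotfixes -contains $KernelFixKB)
        IeFixInstalled               = ($hotfixes -contains $IeFixKB)
        TTF_ExploitTargetsThisOS     = $ttfExploitTargetsOS
        TTF_AttacksSeenOnThisArch    = (-not $is64)   # only 32-bit attacks observed
        EoP_ObservedExploitWorksHere = $eopObservedExploitWorks
        StillExposed                 = (-not ($hotfixes -contains $KernelFixKB))
    }
}

Get-Oct2014ZeroDayExposure | Format-List
```

Run it per host (or loop over a list of names with `-ComputerName`); `StillExposed` reflects only whether the kernel-mode driver fix is missing, since both CVE-2014-4113 and CVE-2014-4148 affect every listed version regardless of whether the in-the-wild exploit happens to work there.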