In the last Patch Tuesday, there was an update targeting a bug in OLE that allowed remote code execution. We had assumed that it was fixed, but it seems to be a more complex issue than we anticipated. Microsoft has released Security Advisory 3010060 concerning this bug, along with a one-click ‘Fix it’ solution.
This vulnerability is in every supported release of Microsoft Windows except Windows Server 2003. It is exploited through maliciously crafted Microsoft Office files (the attackers were found using PowerPoint files) that contain an OLE object. OLE, which stands for Object Linking and Embedding, can be useful in cases such as linking an Excel file in a PowerPoint so you only have to edit the data in one place.
While attacks have been very limited and specific, if you are worried about the vulnerability, there are a few things you can do.
The first is the ‘Fix it’ solution (click here), which patches this vulnerability for Microsoft PowerPoint on both 32-bit and 64-bit editions of Microsoft Windows — except 64-bit PowerPoint on 64-bit Windows 8 and 8.1. Additionally, Microsoft has stated this is a vulnerability with all Office files, so if the attackers switch away from PowerPoint files, this isn’t of much help.
The second thing you can do, and everyone should, is to not open files from sources you don’t trust. Even if a file comes from a trusted source, use common sense, as the attackers may have tricked your friends.
If this isn’t comforting, there are two other solutions. Since this vulnerability gives an attacker the same user rights as the current user, how vulnerable you are to begin with depends on the rights your account has.
The last two solutions are to enable User Account Control, and to deploy the Enhanced Mitigation Experience Toolkit 5.0 and configure Attack Surface Reduction.
You can find out how to enable the last two solutions, as well as other suggestions and details, by reading the advisory yourself (here). Microsoft is, of course, monitoring the exploit and working on a security update.
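Since the vulnerable path is an OLE object inside an Office file, and not only PowerPoint files, here is an added example (not from the advisory or this post) of a Python triage helper that lists the embedded objects in an OOXML file (.pptx, .ppsx, .docx, .xlsx) without opening it in Office. The function names and the sample package are constructed for illustration; legacy binary formats such as .ppt are not covered, and an embedded object is a reason to review the file, not proof that it is malicious.

```python
import io
import zipfile

# Folders where OOXML packages (.pptx/.ppsx, .docx, .xlsx) keep embedded objects.
EMBED_DIRS = ("ppt/embeddings/", "word/embeddings/", "xl/embeddings/")
# Magic bytes of an OLE2 compound file, the container used for embedded OLE objects.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def list_embedded_objects(data):
    """Return one record per embedded part in an OOXML file given as bytes.

    Raises ValueError when the input is not a ZIP container (for example a
    legacy binary .ppt, which this triage does not cover).
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not an OOXML (ZIP) package")
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            name = info.filename
            if info.is_dir() or not name.lower().startswith(EMBED_DIRS):
                continue
            # Read only the header; the part is never parsed or executed.
            with pkg.open(info) as part:
                head = part.read(len(OLE_MAGIC))
            found.append({"part": name, "size": info.file_size,
                          "is_ole2": head == OLE_MAGIC})
    return found


def build_sample():
    """Constructed sample: a minimal ZIP shaped like a .pptx with embedded parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("ppt/presentation.xml", "<p:presentation/>")
        z.writestr("ppt/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 24)
        z.writestr("ppt/embeddings/Microsoft_Excel_Sheet1.xlsx", b"PK\x03\x04")
    return buf.getvalue()


if __name__ == "__main__":
    for record in list_embedded_objects(build_sample()):
        print(record)
```

To check a received file, pass its bytes, for example `list_embedded_objects(open(path, "rb").read())`, and review anything reported before the file is opened in Office.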