According to iSight, Sandworm targets a flaw in the OLE packager that allows an attacker to download and execute arbitrary INF files, even from untrusted sources. They found the interesting bit of code during an investigation in August. The investigation involved an alleged Russian group that is suspected of attacking multiple government organizations during a summit on the Ukraine issue. The targets included NATO and various sectors of the EU, as well as telecommunications and energy resources. The attack was carried out using a specially crafted PowerPoint file.
iSight has already notified Microsoft and says that a patch is imminent. However, we all know how long these patches can take to get in place even after they are released to the world, so we can expect this one to hang around for a while.
The second bit of troubling news relates to a rumor that we heard a few weeks ago but, at the time, could not confirm. The rumor started when we were informed that SSL was simply not safe anymore. When we asked for more information, all we were told was that there was talk of some major flaws in SSL v3.0. We asked around for additional information but could not find anything. We were told that there was talk of some new and more worrying flaws that would be hitting the world soon, but nothing specific to SSL v3.0.
Now the information available points to a flaw serious enough that the people who discovered it are being asked not to release it until a patch is pushed out. Normally, when a flaw is found, the person(s) who found it can release the details after 90 days. This usually gives vendors time to address the issue, or at least to come up with mitigation steps. It is almost unheard of (except with some Apple flaws) for no word to be released until a full patch is ready.
Sadly, we do not even know what this flaw might relate to, which makes it all the more concerning. We have learned in the past that by the time a security firm finds a flaw, it has most likely already been found by the bad guys. This does not always mean it is being used as an attack vector, only that they probably found it first.
We will continue to dig up more information about both of these vulnerabilities and will follow up when we have more information.