
Security advisories | Feb 26, 2019

Windows Exploit Advisory

We are aware of recent activity in the form of specific exploits in the wild targeting Microsoft Windows vulnerabilities, with the potential to affect the vast majority of Microsoft operating systems. The first vulnerability (CVE-2014-6352) allows threat actors to execute code on a victim's machine after the victim visits a maliciously crafted webpage. The second actively targeted vulnerability (CVE-2014-6324) may allow domain users to elevate their privileges to Domain Administrator. The third vulnerability (CVE-2014-6321) has not been actively seen in the wild but has the potential for the greatest impact. Patches for all three of these vulnerabilities should be applied as soon as possible, with verification that they have been applied successfully.
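One way to perform the verification step the advisory asks for is to query each host for the installed Microsoft updates and flag any host still missing one of the fixes. The script below is an added example and is not part of the eSentire advisory; the KB identifiers are placeholders (the advisory does not list them) and must be replaced with the KB numbers from the corresponding Microsoft security bulletins, and the host list is an assumed parameter.

```powershell
# Added example (not from the eSentire advisory): report, per host and per CVE,
# whether the Microsoft update that addresses it is installed.
# The KB values are PLACEHOLDERS; replace each with the real KB number from the
# Microsoft security bulletin for that CVE before running this in production.
param(
    [string[]]$ComputerName = @('localhost')   # hosts to check (assumed parameter)
)

$RequiredUpdates = @{
    'CVE-2014-6321' = 'KB_PLACEHOLDER_6321'   # replace with the real KB id
    'CVE-2014-6352' = 'KB_PLACEHOLDER_6352'   # replace with the real KB id
    'CVE-2014-6324' = 'KB_PLACEHOLDER_6324'   # replace with the real KB id
}

foreach ($Computer in $ComputerName) {
    try {
        # One query per host; HotFixID values are of the form 'KB1234567'
        $Installed = Get-HotFix -ComputerName $Computer -ErrorAction Stop |
            Select-Object -ExpandProperty HotFixID
    } catch {
        # Unreachable or access-denied hosts are reported, not silently skipped
        Write-Warning "Could not query ${Computer}: $($_.Exception.Message)"
        continue
    }

    foreach ($Cve in $RequiredUpdates.Keys) {
        $Kb = $RequiredUpdates[$Cve]
        # Emit one record per host/CVE so the output can be filtered or exported
        [pscustomobject]@{
            ComputerName = $Computer
            CVE          = $Cve
            Update       = $Kb
            Installed    = ($Installed -contains $Kb)
        }
    }
}
```

Run it as `.\Check-Patches.ps1 -ComputerName server1, server2 | Where-Object { -not $_.Installed }` to list only the gaps. Two caveats apply: `Get-HotFix` only reports updates recorded by the Windows update installer, so an update delivered in a later cumulative package may not appear under the original KB number, and a host that has installed the update but not yet rebooted is still exposed. Treat a "not installed" result as a prompt to check, and confirm remediation with the vulnerability scanner rather than with this script alone.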

What We Know
CVE-2014-6321 AKA WinShock:
  • Affects major Windows operating systems (all, up to and including Win 8)
  • A PoC has been released, but no public exploits are available yet
  • A completely remote attack vector
  • Remote code execution exploits are expected
  • PoC released for IIS, RDP, AD
  • No known workarounds

CVE-2014-6352:
  • Actively attacked in the wild
  • Requires user intervention to visit a malicious site
  • Affects most major Windows operating systems
  • Exploits are available to the public
  • A workaround is possible with the Enhanced Mitigation Toolkit (EMET)

CVE-2014-6324:
  • Actively attacked in the wild
  • Requires domain user access
  • Privilege escalation to domain admin possible
  • No known workarounds

eSentire Defenses
eSentire features that help protect you:
  • Continuous Vulnerability Scanning can identify all vulnerable servers.
  • AMP can stop the communication to known command and control servers.
  • Behavioral analysis tools can detect anomalous network behavior.
  • The SOC can quarantine suspected systems at your direction or based on established policy.

Further Protection
How to further protect yourself from these emerging threats:
  • EMET can help further prevent memory protection bypasses.
  • User awareness: infections are occurring from users visiting malicious websites.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Remind users to be cautious when clicking on links in emails coming from trusted sources.