Information on Sandworm - The Microsoft Windows OLE Package Manager Remote Code Execution Vulnerability (CVE-2014-4114)

This article provides more information about the vulnerability in Microsoft Windows that can allow Remote Code Execution.

iSIGHT disclosed information about a previously unknown vulnerability in Microsoft Windows which has been used in very limited targeted attacks since September 3, 2014.

What is Sandworm?

The Microsoft Windows OLE Package Manager Remote Code Execution Vulnerability (CVE-2014-4114) allows attackers to embed Object Linking and Embedding (OLE) files from external locations. The vulnerability can be exploited to download and install malware on to the target user's computer. The vulnerability appears to have been used by a cyberespionage group known as Sandworm to deliver Backdoor.Lancafdo.A (also known as the Black Energy backdoor) to targeted organizations. For more information, read the iSIGHT announcement.

What does Sandworm do?

The vulnerability affects all versions of Windows operating system, from Windows Vista (Service Pack 2) to Windows 8.1 and Windows Server versions 2008 and 2012. It relates to how Windows handles Object Linking and Embedding (OLE), a Microsoft technology that allows rich data from one document to be embedded in another or a link to a document to be embedded in another. OLE is generally used for embedding locally stored content, but this vulnerability enables the unprompted download and execution of external files.

Attacks to date have seen targeted individuals receive a spear phishing email containing a malicious PowerPoint file attachment, which is detected by Symantec as Trojan.Mdropper. The PowerPoint file contains two embedded OLE documents containing URLs. If the user opens the PowerPoint file, these URLs are contacted and two files are downloaded, one .exe and one .inf, which will install malware on the computer. Symantec detects this malware payload as Backdoor.Lancafdo.A. Once installed on the user's computer, this backdoor allows attackers to download and install other malware. The malware may also download updates for itself, including an information stealing component. For more information, read the Symantec Security Response blog.

What actions should I take?

  1. Microsoft has released a patch for this vulnerability for all affected Windows operating systems. The patch will be automatically downloaded and installed if you have configured to get automatic updates from Microsoft. However, if you have turned off automatic updates, we recommend that you run Windows Update manually as soon as possible. To know more details about the Security update, read Microsoft Security Bulletin MS14-060.

  2. All Norton security products (including Norton AntiVirus, Norton Internet Security, Norton 360, Norton Security, Norton Security with Backup, and Norton Security Suite) incorporate multiple layers of defense against attempts to exploit the bug (vulnerability) like Sandworm.

    You must have a current Norton subscription and up-to-date virus definitions and signatures to receive this protection.

    Norton Protection leverages both antivirus and an intrusion prevention engine to deliver this protection by the following signature updates:


    Intrusion Prevention:

    • Attack: Malicious File Download

Symantec is not responsible for the reliability of any data, opinions, advise, or statements made on third-party sites. Symantec provides these links merely as a convenience. The inclusion of such links does not imply that Symantec endorses, recommends, or accepts any responsibility for the content of such sites.

More information

Visit our threat removal support page for more solutions

Thank you!

Thank you for using Norton Support.

< Back

Was this information helpful?

DOCID: v102743206_EndUserProfile_en_us
Operating System: Windows
Last modified: 05/22/2015