Full Report
Today, we published our research on Windows exploitation in 2014. The report covers the vulnerabilities in Microsoft Windows and Office patched over the course of the year, the drive-by download attacks that exploited some of them, and the mitigation techniques available to defenders.
Analysis Summary
# Vulnerability: Microsoft Windows and Office Vulnerabilities Exploited in 2014
## CVE Details
- CVE ID: Not provided in the article. The article summarizes research on **multiple** vulnerabilities patched in 2014.
- CVSS Score: Not provided.
- CWE: Not explicitly listed. The report groups the flaws by impact rather than by weakness class: **Remote Code Execution (RCE)** and **Local Privilege Escalation (LPE)**.
## Affected Systems
- Products: Microsoft Windows and Microsoft Office.
- Versions: General discussion covering vulnerabilities patched *over the course of 2014* (specific version ranges not listed).
- Configurations: Systems running Internet Explorer (IE) were the primary target of the drive-by download attacks discussed; IE vulnerabilities served as the initial entry point.
## Vulnerability Description
The research summarizes vulnerabilities discovered and patched in Microsoft Windows and Office throughout 2014. A major theme was **Remote Code Execution (RCE)** vulnerabilities, particularly in Internet Explorer, used in drive-by download attacks: a specially crafted web page triggers the bug in the browser and silently installs malware. Another area of concern was **Local Privilege Escalation (LPE)** vulnerabilities, some of them in the `win32k.sys` kernel-mode driver, used to escape browser sandboxes or to elevate already-running malware to kernel mode.
## Exploitation
- Status: Vulnerabilities were **exploited in the wild**, specifically those enabling drive-by downloads targeting IE.
- Complexity: Not rated. The drive-by download campaigns ran at scale, so reliable exploitation was achievable in practice; the report's mention of **ASLR bypass vulnerabilities** shows that attackers were chaining bugs to defeat exploit mitigations rather than relying on a single flaw.
- Attack Vector: Primarily **Network** (via specially-crafted web pages/drive-by downloads) and **Local** (for LPE attacks).
## Impact
- Confidentiality: High (due to RCE leading to malware installation).
- Integrity: High (due to code execution and potential kernel-level compromise).
- Availability: Medium/High (due to potential malware installation disrupting system operation).
## Remediation
### Patches
- Patches were released by Microsoft throughout 2014 addressing the reported vulnerabilities in Windows, Office, and Internet Explorer. (Specific patch KB numbers or versions are not listed in the summary).
### Workarounds
- **Out-of-date ActiveX control blocking** in Internet Explorer was highlighted as a mitigation technique: it stops IE from loading outdated plugin versions, which blocks exploits that target old Java plugins.
- Exploit mitigations built into Windows and Internet Explorer, plus the **EMET tool** (Enhanced Mitigation Experience Toolkit), which enforces additional mitigations on selected applications.
## Detection
- Detection focuses on **drive-by download attacks**: a specially crafted web page triggers the vulnerability and silently installs malware, so the observable pattern is a page visit followed by an unexpected executable download and execution.
- Indicators of compromise are the artifacts of that silent installation (executables dropped and launched shortly after browsing activity); the summary lists no specific IoCs.
- The report also covers the mitigation techniques Microsoft provides; these reduce exploitability rather than detect attacks.
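As an added example (not code from the ESET report), the following heuristic flags the drive-by chain described above in web proxy logs: a landing page, then a browser-plugin object, then a Windows executable fetched without the landing page as referer, all within a short window. The tab-separated log format, the host names, the `WINDOW` value and the content-type lists are constructed assumptions, not values from the report.

```python
"""Heuristic detection of drive-by download chains in web proxy logs.

Added example, not code from the ESET report. Log lines use a constructed,
simplified tab-separated proxy format (an assumption):
    epoch  client_ip  method  url  status  content_type  referer
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

WINDOW = 60  # seconds from landing page to payload drop (tuning assumption)

# Plugin object types that 2014-era exploit kits used to carry exploits.
PLUGIN_TYPES = {
    "application/java-archive",
    "application/x-shockwave-flash",
    "application/x-silverlight-app",
}
# Content types proxies commonly assign to Windows PE files (assumption).
EXE_TYPES = {"application/x-msdownload", "application/x-msdos-program"}
EXE_SUFFIXES = (".exe", ".dll", ".scr")


@dataclass
class Request:
    ts: int
    client: str
    url: str
    ctype: str
    referer: str


def parse_line(line):
    """Parse one log line; return None for malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 7:
        return None
    ts, client, _method, url, _status, ctype, referer = parts
    ctype = ctype.split(";")[0].strip().lower()  # drop charset parameters
    return Request(int(ts), client, url, ctype, "" if referer == "-" else referer)


def is_executable(req):
    path = urlsplit(req.url).path.lower()
    return req.ctype in EXE_TYPES or (
        req.ctype == "application/octet-stream" and path.endswith(EXE_SUFFIXES)
    )


def find_chains(lines):
    """Return one finding per (client, payload URL) that matches the chain
    landing page -> plugin object -> executable with empty/foreign referer,
    all within WINDOW seconds of the landing page."""
    by_client = defaultdict(list)
    for line in lines:
        req = parse_line(line)
        if req is not None:
            by_client[req.client].append(req)
    findings, seen = [], set()
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r.ts)
        for i, landing in enumerate(reqs):
            if landing.ctype != "text/html":
                continue
            carrier = None
            for later in reqs[i + 1:]:
                if later.ts - landing.ts > WINDOW:
                    break
                if carrier is None and later.ctype in PLUGIN_TYPES:
                    carrier = later
                elif (carrier is not None and is_executable(later)
                      and later.referer != landing.url
                      and (client, later.url) not in seen):
                    seen.add((client, later.url))
                    findings.append({"client": client, "landing": landing.url,
                                     "carrier": carrier.url, "payload": later.url,
                                     "seconds": later.ts - landing.ts})
                    break
    return findings


# Constructed sample: 10.0.0.5 views a benign page with a Flash ad and then
# downloads an installer by clicking (referer = the page); 10.0.0.7 hits a
# compromised site that redirects to an exploit-kit landing page, which
# serves a JAR and then drops a PE with no referer.
SAMPLE_LOG = """\
1415801000\t10.0.0.5\tGET\thttp://news.example.com/story.html\t200\ttext/html\t-
1415801002\t10.0.0.5\tGET\thttp://ads.example.net/banner.swf\t200\tapplication/x-shockwave-flash\thttp://news.example.com/story.html
1415801010\t10.0.0.5\tGET\thttp://news.example.com/reader-setup.exe\t200\tapplication/x-msdownload\thttp://news.example.com/story.html
1415801100\t10.0.0.7\tGET\thttp://compromised.example.org/index.html\t200\ttext/html\t-
1415801101\t10.0.0.7\tGET\thttp://cdn-static.example.info/landing.php\t200\ttext/html\thttp://compromised.example.org/index.html
1415801103\t10.0.0.7\tGET\thttp://cdn-static.example.info/lib/3f2a.jar\t200\tapplication/java-archive\thttp://cdn-static.example.info/landing.php
1415801107\t10.0.0.7\tGET\thttp://cdn-static.example.info/dl.php?id=7\t200\tapplication/x-msdownload\t-
"""

if __name__ == "__main__":
    for f in find_chains(SAMPLE_LOG.splitlines()):
        print(f"{f['client']}: {f['landing']} -> {f['carrier']} -> "
              f"{f['payload']} ({f['seconds']}s)")
```

The referer check is what separates the benign installer download from the exploit-kit drop: a payload pulled by shellcode after a plugin exploit carries no referer, while a user-initiated download normally references the page it came from. This is a heuristic, not a signature; a user downloading an executable shortly after a page with a Flash ad from a third-party host would be flagged for review, which is the right trade-off for triage of 2014-era traffic.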
## References
- Vendor advisories: Microsoft security bulletins from 2014 (implied).
- Relevant links - defanged: hxxps://web-assets.esetstatic.com/wls/2015/01/Windows-Exploitation-in-2014.pdf