In a security advisory released yesterday, Microsoft warned about a newly discovered vulnerability affecting all Windows systems that is being used in attacks. The flaw is in the Windows Object Linking and Embedding (OLE) function, which lets users embed, for example, an Excel table in a text file. At the moment the vulnerability is known to be exploited through the PowerPoint Office application, but the malicious object can be embedded in practically any type of file that supports OLE. It allows attackers to execute malware when a user opens, for example, a Microsoft Office document that has been injected with it. By opening such a document, users grant the attackers the same level of access they have themselves, so they should be extra careful with such files at the moment. The User Account Control (UAC) feature of Windows is turned on automatically in Windows Vista and above, but if it has been turned off at some point, the malware can easily affect the system.
All supported Windows versions except Windows Server 2003 are exposed to the attack. According to Microsoft, it is already being actively used, via PowerPoint files.
Microsoft states that it is already working on fixing the issue and has released a one-time fix solution for the time being. In its security advisory from yesterday, the company also advises users to follow its “Protect Your Computer” guide by enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. The fix does not support 64-bit editions of PowerPoint on x64-based editions of Windows 8 and Windows 8.1, though. Alternatively, users of those editions can turn on UAC on their computers and configure the Enhanced Mitigation Experience Toolkit 5.0 to reduce the harm of the attack.
Microsoft’s Patch Tuesday release for October already contained fixes for four zero-day vulnerabilities. The company's next Patch Tuesday release will be on 11 November 2014. Maybe it will contain a permanent fix for this one as well.