
The article is filled with fluff about iSIGHT and they buried the lead. Here are the high level details they posted:

* An exposed dangerous method vulnerability exists in the OLE package manager in Microsoft Windows and Server (Vista SP2 to Windows 8.1, Windows Server versions 2008 and 2012)

* When exploited, the vulnerability allows an attacker to remotely execute arbitrary code

* The vulnerability exists because Windows allows the OLE packager (packager.dll) to download and execute INF files. In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packager allows a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources.

* This will cause the referenced files to be downloaded in the case of INF files, to be executed with specific commands

* An attacker can exploit this vulnerability to execute arbitrary code but will need a specifically crafted file and use social engineering methods (observed in this campaign) to convince a user to open it

TL;DR - A vulnerability exists in INF processing and untrusted, 3rd party INF files can be included by PowerPoint files. This is not a worm.

Also these little gems:

> Further information will be provided in a live briefing to any interested parties on Thursday, October 16th at 2:00...

> iSIGHT is making available a broader technical report – inclusive of indicators – through a formal vetting process.

Fuck you iSIGHT. This is being used in the wild and a patch has been released. Post the details publicly. This isn't responsible disclosure, this is PR and lead gen.
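Added example, not part of the thread or of iSIGHT's report: a triage heuristic for the behaviour summarized in the bullets above, flagging PowerPoint files whose embedded OLE parts reference a remote INF file. It assumes the external reference is stored as a UNC path in ASCII or UTF-16LE; `scan_office_file`, `unc_inf_refs`, `build_sample` and the sample paths are constructed for illustration.

```python
import io
import re
import zipfile

# UNC path (\\host\share\...\name.inf); ASCII-only classes keep binary noise out.
UNC_INF = re.compile(r"\\\\[\w.\-]+(?:\\[\w.\-$ ]+)+\.inf\b", re.I | re.A)

def unc_inf_refs(blob: bytes) -> list[str]:
    """Return UNC .inf paths stored as ASCII or UTF-16LE (either alignment)."""
    views = (blob.decode("latin-1"),
             blob.decode("utf-16-le", errors="ignore"),
             blob[1:].decode("utf-16-le", errors="ignore"))
    return sorted({m.group(0) for v in views for m in UNC_INF.finditer(v)})

def scan_office_file(data: bytes) -> dict[str, list[str]]:
    """Map each embedded OLE part (or '<raw>' for non-ZIP input) to its hits."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        refs = unc_inf_refs(data)  # legacy binary .ppt/.pps: scan the whole file
        return {"<raw>": refs} if refs else {}
    hits = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # OOXML keeps embedded OLE objects under <app>/embeddings/
            if "/embeddings/" in name.lower():
                refs = unc_inf_refs(zf.read(name))
                if refs:
                    hits[name] = refs
    return hits

def build_sample() -> bytes:
    """Constructed test deck: two fake OLE parts, one pointing at a remote INF."""
    ole_magic = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/embeddings/oleObject1.bin",
                    ole_magic + rb"\\203.0.113.5\public\slide1.gif" + b"\x00")
        zf.writestr("ppt/embeddings/oleObject2.bin",
                    ole_magic + "\\\\203.0.113.5\\public\\slides.INF".encode("utf-16-le"))
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
    return buf.getvalue()

if __name__ == "__main__":
    for part, refs in scan_office_file(build_sample()).items():
        print(part, refs)
```

A hit is a reason to inspect the file, not a verdict: the byte search can miss strings that straddle OLE sector boundaries.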



It is marketing at its finest: create fear and uncertainty and have a product ready to ease the pain (even though it won't likely help in any way).


Hijacking the top comment for relevance and visibility.

Seeing how all of the other articles about this exploit are basically regurgitating iSight's announcement, I thought I'd provide something a little bit more useful.

https://www.virustotal.com/en/file/70b8d220469c8071029795d32...


Honestly, there needs to be a blacklist for companies that do these sorts of things and iSIGHT needs to be on it.


If someone can suggest a more neutral and accurate version of the story, we can change the URL.



