Sandworm aka CVE-2014-4114

Blog Post created by rbarrett Employee on Oct 14, 2014

UPDATED: 2.30pm, ET, Tuesday, Oct 14.


There's another vulnerability with a clever name getting a lot of attention: Sandworm aka CVE-2014-4114.


This is not a cause for panic for the average system administrator or home users, but you should take it seriously and patch any vulnerable systems ASAP.


While the reach is pretty broad because the vulnerability in question affects all versions of the Windows operating system from Vista SP2 to Windows 8.1, and Windows Server editions 2008 and 2012, this is a local file format exploit. They're fairly common and Microsoft patches these kinds of things routinely. It's not like Heartbleed or ShellShock, where an attacker could just "do" this to a vulnerable system.  An attacker needs to have tricked their target into opening a malicious file or clicking on a link in order to exploit this vulnerability. Once they do that, the bug is definitely nasty as it allows an attacker to take complete control of the compromised system.


Note, Sandworm is not a "worm" in the sense of a computer virus that can self-propagate.


It’s interesting that the discoverers, iSight Partners, found this being used in Russian cyber espionage attacks in the wild, targeting NATO, the European Union, and the telecommunications and energy sectors, but that’s probably the most interesting aspect of it.


EDIT:  Microsoft has release MS14-060 to patch the vulnerability exploited by Sandworm.  As with all Microsoft patches, we recommend businesses and individuals update their systems as soon as possible.




Nexpose will have coverage for this vulnerability with our 5.10.15 release on October 15.


If anyone has exploit code samples for Sandworm, the Metasploit team would love to see them