{"id":38662,"date":"2014-10-21T15:06:30","date_gmt":"2014-10-21T22:06:30","guid":{"rendered":"http:\/\/blogs.mcafee.com\/?p=38662"},"modified":"2025-06-02T23:54:49","modified_gmt":"2025-06-03T06:54:49","slug":"new-exploit-sandworm-zero-day-bypass-official-patch","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/new-exploit-sandworm-zero-day-bypass-official-patch\/","title":{"rendered":"New Exploit of Sandworm Zero-Day Could Bypass Official Patch"},"content":{"rendered":"

Update of October 25: Some comments posted after we published this report suggest that our proof-of-concept exploit will trigger the UAC (User Account Control) on Windows. We did not observe this during our analysis.<\/em><\/p>\n

 <\/p>\n

During the last few days researchers at McAfee Labs have been actively investigating Sandworm, the Windows packager zero-day attack (CVE-2014-4114<\/a>). McAfee has already released various updates through our products to protect our customers, and we continue to analyze this attack.<\/p>\n

During our investigation, we found that the Microsoft’s official patch (MS14-060, KB3000869<\/a>) is not robust enough. In other words, attackers might still be able to exploit the vulnerability even after the patch is applied. Users who have installed the official patch are still at risk.<\/p>\n

This finding has significant impact because attacks leveraging the vulnerability are still very active. We reported our findings to the Microsoft Security Response Center<\/a> immediately after we successfully developed a proof of concept on October 17. Since then we have actively worked with Microsoft to resolve this issue.<\/p>\n

Today, Microsoft has released Security Advisory 3010060<\/a> as well as the \u201cFix It<\/a>\u201d temporary patch. A new ID, CVE-2014-6352, has been assigned to track this issue. To protect hundreds of millions of Windows users, we are not sharing any of the details until a permanent patch from Microsoft is available to the public.<\/p>\n

Security Precautions<\/h2>\n

While we will continue to monitor potential new attacks in the wild, users who have concerns about their security may consider the following actions:<\/p>\n