Redmond has released a Fix It stopgap until a proper patch is available On Tuesday, Microsoft issued an advisory warning of a new Zero-Day vulnerability that impacts all supported versions of their Windows operating system except, Windows Server 2003. The software giant also confirmed targeted attacks looking to exploit this flaw.The advisory says that attackers are using PowerPoint files, which contain a malicious Object Linking and Embedding (OLE) object, to trigger the vulnerability. OLE technology is used to share data between applications.“The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file that contains an OLE object. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” the advisory explained.There are several mitigating factors including the use of User Account Control (UAC), which would warn a user once the exploit starts to trigger – asking permission to execute. However, these warnings are often ignored, and if the attacker used Social Engineering, then the victim could be expecting the malicious file, via an email attachment or a website download.Likewise, if the user’s access levels were restricted, then a compromised host would be limited in ability. At the same time, in corporate environments, executives and remote users are often granted administrative rights on their systems, rendering this level of mitigation obsolete – assuming that they’ve been restricted at all.“All Microsoft Office file types as well as many other third-party file types could contain a malicious OLE object… In addition, compromised websites (and websites that accept or host user-provided content) could contain specially crafted content that could exploit this vulnerability,” Microsoft’s advisory warns.The OLE Packager, where this latest Zero-Day was discovered by researchers at McAfee and Google, was just patched this month in MS14-060.In response to this latest development, Microsoft has released a Fix It package for PowerPoint, and encouraged the use of EMET 5.0, to shrink the attack surface.Furthermore, Redmond made no mention of an out-of-band patch for the Zero-Day, nor did they mention if a patch would be ready by November 11. Related content news Gwinnett Medical Center investigating possible data breach After being contacted by Salted Hash, Gwinnett Medical Center has confirmed they're investigating a security incident By Steve Ragan Oct 02, 2018 6 mins Regulation Data Breach Hacking news Facebook: 30 million accounts impacted by security flaw (updated) In a blog post, Facebook’s VP of product management Guy Rosen said the attackers exploited a flaw in the website's 'View As' function By Steve Ragan Sep 28, 2018 4 mins Data Breach Security news Scammers pose as CNN's Wolf Blitzer, target security professionals Did they really think this would work? By Steve Ragan Sep 04, 2018 2 mins Phishing Social Engineering Security news Congress pushes MITRE to fix CVE program, suggests regular reviews and stable funding After a year of investigation into the Common Vulnerabilities and Exposures (CVE) program, the Energy and Commerce Committee has some suggestions as to how it can be improved By Steve Ragan Aug 27, 2018 3 mins Vulnerabilities Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe