New Exploit of Sandworm Zero-Day Could Bypass Official Patch


Update of October 25: Some comments posted after we published this report suggest that our proof-of-concept exploit will trigger UAC (User Account Control) on Windows. We did not observe this during our analysis.


During the last few days, researchers at McAfee Labs have been actively investigating Sandworm, the Windows Packager zero-day attack (CVE-2014-4114). McAfee has already released various updates through our products to protect our customers, and we continue to analyze this attack.

During our investigation, we found that Microsoft's official patch (MS14-060, KB3000869) is not robust enough. In other words, attackers might still be able to exploit the vulnerability even after the patch is applied. Users who have installed the official patch are still at risk.

This finding has significant impact because attacks leveraging the vulnerability are still very active. We reported our findings to the Microsoft Security Response Center immediately after we successfully developed a proof of concept on October 17. Since then we have actively worked with Microsoft to resolve this issue.

Today, Microsoft has released Security Advisory 3010060 as well as the “Fix It” temporary patch. A new ID, CVE-2014-6352, has been assigned to track this issue. To protect hundreds of millions of Windows users, we are not sharing any of the details until a permanent patch from Microsoft is available to the public.

While we will continue to monitor potential new attacks in the wild, users who have concerns about their security may consider the following actions:

  • Apply the Microsoft “Fix It” or workarounds shared in Security Advisory 3010060.
  • Apply the first or the second workaround shared in Security Bulletin MS14-060. These are “Disable the WebClient service” and “Block TCP ports 139 and 445.” We believe these two workarounds will be effective in blocking the new exploitation method, though the third in the bulletin (“Block the launching of executables via Setup information files”) may not be effective.
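As an added illustration, not part of the McAfee post or of Microsoft's bulletin, the PowerShell audit below checks whether the two MS14-060 workarounds recommended above are actually in place on a host. It assumes Windows 8 / Server 2012 or later (for the NetSecurity firewall cmdlets) and an elevated shell; the function names are this example's own.

```powershell
# Added example, not from the McAfee post: audit the two MS14-060 workarounds
# recommended above (WebClient service disabled; TCP 139 and 445 blocked).
# Assumes Windows 8 / Server 2012 or later (NetSecurity cmdlets) and an elevated shell.

function Test-WebClientDisabled {
    # Workaround 1: the WebDAV client must be stopped AND set to Disabled,
    # otherwise a reboot or an on-demand start brings it back.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if (-not $svc) { return $true }  # service not installed counts as disabled
    $startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'").StartMode
    return ($svc.Status -ne 'Running' -and $startMode -eq 'Disabled')
}

function Test-SmbPortsBlocked {
    # Workaround 2: look for enabled Block rules whose TCP port filter names 139 and 445,
    # on either the local or the remote side (outbound SMB/WebDAV matters too).
    # Port ranges such as '135-139' are not expanded here (simplification).
    $blocked = @{}
    foreach ($rule in Get-NetFirewallRule -Action Block -Enabled True -ErrorAction SilentlyContinue) {
        $filter = $rule | Get-NetFirewallPortFilter
        if ($filter.Protocol -ne 'TCP') { continue }
        foreach ($port in @($filter.LocalPort) + @($filter.RemotePort)) {
            if ($port -in @('139', '445')) { $blocked[$port] = $true }
        }
    }
    return ($blocked.ContainsKey('139') -and $blocked.ContainsKey('445'))
}

function Get-Ms14060WorkaroundStatus {
    # Summarize both checks in one object so the result can be logged or compared across hosts.
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        WebClientDisabled = Test-WebClientDisabled
        SmbPortsBlocked   = Test-SmbPortsBlocked
    }
}

$status = Get-Ms14060WorkaroundStatus
$status | Format-List
if (-not ($status.WebClientDisabled -and $status.SmbPortsBlocked)) {
    Write-Warning 'At least one MS14-060 workaround is not in place; see the bulletin for how to apply them.'
}
```

The firewall check only inspects Windows Firewall rules on the host itself; a block enforced at a perimeter or host-based third-party firewall would not be detected and has to be verified separately.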

We thank James Forshaw of Google Project Zero, who helped us with this finding. Thanks as well to Bing Sun, Chong Xu, and Stanley Zhu of McAfee Labs for their help with this research and investigation.

4 comments on “New Exploit of Sandworm Zero-Day Could Bypass Official Patch”

  • Haifei Li says:

    Hi Adrian,

    The answer is no, XP is not affected by this particular vulnerability. This is a rare piece of good news for XP users, since XP is affected by many other vulnerabilities (I'm sure you are aware that Microsoft doesn't support XP anymore).


  • We have one old CIMPLICITY server, ver. 6, running on Windows XP and not connected to the internet. Recently we received an information letter from GE regarding this Sandworm. I want to know if Windows XP is vulnerable.

    • Haifei Li says:

      Of course. McAfee has already delivered various protections against this threat to our customers right away; please keep your security product up to date.

