New Exploit of Sandworm Zero-Day Could Bypass Official Patch


Update of October 25: Some comments posted after we published this report suggest that our proof-of-concept exploit will trigger the UAC (User Account Control) on Windows. We did not observe this during our analysis.


During the last few days researchers at McAfee Labs have been actively investigating Sandworm, the Windows packager zero-day attack (CVE-2014-4114). McAfee has already released various updates through our products to protect our customers, and we continue to analyze this attack.

During our investigation, we found that Microsoft’s official patch (MS14-060, KB3000869) is not robust enough. In other words, attackers might still be able to exploit the vulnerability even after the patch is applied. Users who have installed the official patch are still at risk.

This finding has significant impact because attacks leveraging the vulnerability are still very active. We reported our findings to the Microsoft Security Response Center immediately after we successfully developed a proof of concept on October 17. Since then we have actively worked with Microsoft to resolve this issue.

Today, Microsoft has released Security Advisory 3010060 as well as the “Fix It” temporary patch. A new ID, CVE-2014-6352, has been assigned to track this issue. To protect hundreds of millions of Windows users, we are not sharing any of the details until a permanent patch from Microsoft is available to the public.

While we will continue to monitor potential new attacks in the wild, users who have concerns about their security may consider the following actions:

  • Apply the Microsoft “Fix It” or workarounds shared in Security Advisory 3010060.
  • Apply the first or the second workaround shared in Security Bulletin MS14-060. These are “Disable the WebClient service” and “Block TCP ports 139 and 445.” We believe these two workarounds will be effective at blocking the new exploitation method, though the third in the bulletin (“Block the launching of executables via Setup information files”) may not be effective.
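As an added example (not code from the post, McAfee or Microsoft), the following PowerShell script checks whether the two MS14-060 workarounds recommended above are in place and, if asked, applies them. It assumes Windows 8 / Server 2012 or later (NetSecurity module), PowerShell 5.1 or newer, and an elevated session; the firewall rule name is our own choice.

```powershell
# Added example: check/apply the two MS14-060 workarounds the post recommends
# (disable the WebClient service; block outbound TCP 139 and 445).
# Assumes Win8/2012+ with the NetSecurity module, PowerShell 5.1+, elevated session.
$RuleName = 'Block outbound TCP 139/445 (MS14-060 workaround)'   # our own rule name

function Test-Ms14060Workarounds {
    # Workaround 1 is satisfied when WebClient is absent, or stopped and disabled
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    $webClientOk = ($null -eq $svc) -or
        ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')

    # Workaround 2 is satisfied when an enabled outbound Block rule covers TCP 139 and 445
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    $portsOk = $false
    if ($rule -and $rule.Enabled -eq 'True' -and
        $rule.Direction -eq 'Outbound' -and $rule.Action -eq 'Block') {
        $filter = $rule | Get-NetFirewallPortFilter
        $ports  = @($filter.RemotePort)
        $portsOk = ($filter.Protocol -eq 'TCP') -and
            ($ports -contains '139') -and ($ports -contains '445')
    }

    [pscustomobject]@{
        WebClientDisabled  = $webClientOk
        SmbOutboundBlocked = $portsOk
        Compliant          = ($webClientOk -and $portsOk)
    }
}

function Set-Ms14060Workarounds {
    # Workaround 1: stop the WebClient (WebDAV) service and keep it from restarting
    if (Get-Service -Name WebClient -ErrorAction SilentlyContinue) {
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service  -Name WebClient -StartupType Disabled
    }
    # Workaround 2: block outbound TCP 139 and 445 on every firewall profile
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Protocol TCP `
            -RemotePort 139,445 -Action Block -Profile Any -Enabled True | Out-Null
    }
}

# Report current state; run Set-Ms14060Workarounds first to apply the workarounds
Test-Ms14060Workarounds
```

Blocking outbound 139/445 also cuts off legitimate SMB file sharing from the host, so validate the impact on a test machine before rolling the rule out.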

We thank James Forshaw of Google Project Zero, who helped us with this finding. Thanks as well to Bing Sun, Chong Xu, and Stanley Zhu of McAfee Labs for their help with this research and investigation.

4 comments on “New Exploit of Sandworm Zero-Day Could Bypass Official Patch”

  • Haifei Li says:

    Hi Adrian,

    The answer is no, XP is not affected by this particular vulnerability. This is a rare piece of good news for XP users, since XP is affected by many other vulnerabilities (I'm sure you are aware that Microsoft doesn't support XP anymore).


  • We have one old Cimplicity server, ver. 6, running on Win XP, not connected to the internet. Recently we received an information letter from GE regarding this Sandworm. I want to know if Win XP is vulnerable.

    • Haifei Li says:

      Of course. McAfee has already delivered various protections against this threat to our customers right away; please keep your security product up to date.

