Object Linking and Embedding (OLE) is a technology based on Component Object Model (COM) allowing an application to embed and link to other documents or objects, and its primarily used in Microsoft Office and WordPad. In the recent years, we have seen a number of vulnerabilities, especially some critical zero-day attacks, are involving OLE. The typical examples are the "Sandworm" attack (CVE-2014-4114) that was disclosed in October 2014, and the CVE-2012-0158 - a years-old vulnerability but is still being actively exploited in the real world.
However, the previous work usually focus on the vulnerability or malware but the internals of OLE are never examined. This paper intends to fill this gap. The another important part of this research is to explore the attack surface it exposes on Windows, and to explain how an attacker may possibly leverage OLE vulnerability to perform document-based exploitation. These areas are never being looked at from a security point of view. In the 0-day demo section of our presentation, we will disclose and demonstrate a previously-unknown OLE attack vector introduced by the nature of the OLE mechanism, which could lead to a series of similar vulnerabilities being discovered in future.
Haifei Li is a security researcher with McAfee Labs (Intel Security). Usually he works on the world's two questions: how to find vulnerabilities and how to exploit them. He has a theory that is the security industry's failure is due to that researchers are not really involved into the detection/protection side. Therefore, he has been introducing his research-backed ideas into some industry-focused projects, one example is that he founded and developed the Advanced Exploit Detection System which aims to detect the most hidden zero-day exploits.
Bing Sun is a senior information security researcher, and now he is leading an IPS security research team of Intel Security Group (formerly McAfee). He has extensive experiences in operating system kernel layer and information security R&D;, with especially deep diving in advanced vulnerability exploitation and detection, Rootkits detection, firmware security and virtualization technology. Moreover, Bing is also a regular speaker at international security conference, such as XCon, Black Hat and CanSecWest.