What Is Windows OLE?
Object Linking and Embedding (OLE) is a Microsoft technology for embedding and linking content between applications. CVE-2014-6352 is directly related to CVE-2014-4114 — the Sandworm Windows OLE zero-day. See the CVE-2014-4114 page for full background on the OLE package object vulnerability class and the Sandworm campaign.
Overview
CVE-2014-6352 is a bypass of the MS14-060 patch for CVE-2014-4114 (the Sandworm OLE zero-day). Within one week of Microsoft releasing the patch for the Sandworm OLE vulnerability, researchers discovered that the fix was incomplete — a different OLE crafting technique could still achieve code execution via malicious OLE objects in Office documents. Microsoft published Security Advisory 3010060 with a FixIt workaround on October 21, 2014, and delivered the formal patch in MS14-064 (November 11, 2014), which also fixed CVE-2014-6332 (OLE Automation Array).
Affected Versions
| Windows | Status |
|---|---|
| Windows Vista through 8.1 | Vulnerable (patched to MS14-060 but not MS14-064) |
| Windows Server 2003 through 2012 R2 | Vulnerable |
Systems that applied MS14-060 (CVE-2014-4114 fix) but not MS14-064 (CVE-2014-6352 fix) remained exploitable via this bypass.
Technical Details
Root Cause: Incomplete OLE Package Object Restriction
The MS14-060 patch for CVE-2014-4114 attempted to restrict OLE package objects from executing downloaded content. The patch added validation to prevent certain OLE package operations (specifically, executing a downloaded INF file from a UNC path). CVE-2014-6352 describes a different OLE crafting approach — likely a different OLE object type or a different parameter path — that the MS14-060 restriction did not cover.
By crafting an Office document with an OLE object that exploits this alternative code path, an attacker can still:
- Cause Windows to retrieve content from a remote attacker-controlled server
- Execute the retrieved content on the victim's machine
The exploitation mechanism is analogous to CVE-2014-4114: no memory corruption is required; the flaw is in OLE's design allowing remote content execution.
The "Double-Kill" Pattern
The rapid discovery of CVE-2014-6352 as a bypass for CVE-2014-4114's patch illustrates a common pattern in complex vulnerability classes: the first patch closes one avenue but the underlying design issue (OLE allowing remote content execution) provides multiple exploitation paths. True remediation required rearchitecting the OLE package object's behavior rather than blocking specific patterns.
Attack Characteristics
| Attribute | Detail |
|---|---|
| Attack Vector | Local (file-based) — malicious Office document |
| User Interaction | Required (open the Office file) |
| Related to | CVE-2014-4114 (same OLE class; this is the bypass) |
| Sandworm | Used by Sandworm Team after MS14-060 was deployed |
| CVSS | 7.8 HIGH |
Discovery
Identified by researchers analyzing the completeness of the MS14-060 patch for CVE-2014-4114 one week after patch release. Microsoft published Advisory 3010060 on October 21, 2014 with a FixIt workaround while preparing the formal fix.
Exploitation Context
- Sandworm continuation: After the MS14-060 patch was released and widely deployed, Sandworm Team (the Russian APT) adapted their malicious Office documents to use the CVE-2014-6352 bypass — maintaining their attack capability for the approximately three weeks between the bypass discovery and the MS14-064 patch
- NATO/Ukraine targeting: The same targeting profile as CVE-2014-4114 continued through the CVE-2014-6352 exploitation window
- Patch management urgency: The rapid bypass demonstrated that organizations that had patched CVE-2014-4114 needed to also apply MS14-064 to maintain protection
- CISA KEV (2022): Added February 2022, confirming continued exploitation against unpatched systems
Remediation
-
Apply MS14-064 (November 2014) — this bulletin addresses CVE-2014-6352 and CVE-2014-6332. Note: applying only MS14-060 (the CVE-2014-4114 patch) is insufficient.
-
Disable OLE package activation for Office applications to prevent OLE objects from downloading and executing remote content:
HKCU\Software\Microsoft\Office\<version>\<app>\Security\PackagerPrompt = 2 -
Block outbound SMB (TCP 445) at the perimeter — prevents OLE package objects from reaching attacker-controlled SMB servers, breaking the exploit chain.
-
Enable Office Protected View — opens documents from email and internet in a sandboxed view that blocks OLE object execution.
-
Verify complete patch application — confirm both MS14-060 and MS14-064 are applied to all Windows systems, not just MS14-060.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2014-6352 |
| Vendor / Product | Microsoft — Windows |
| NVD Published | 2014-10-22 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-94 — Improper Control of Generation of Code ('Code Injection') find similar ↗ |
| CISA KEV Added | 2022-02-25 |
| CISA KEV Deadline | 2022-08-25 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
Required Action
Timeline
| Date | Event |
|---|---|
| 2014-10-14 | MS14-060 patches CVE-2014-4114 (Sandworm OLE zero-day) |
| 2014-10-21 | Researchers demonstrate CVE-2014-4114 patch bypass; CVE-2014-6352 assigned; Microsoft Security Advisory 3010060 published |
| 2014-10-22 | CVE-2014-6352 published by NVD; FixIt workaround released |
| 2014-11-11 | Microsoft Security Bulletin MS14-064 released with permanent fix for CVE-2014-6352 |
| 2022-02-25 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-08-25 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2014-6352 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Microsoft Security Advisory 3010060 — Vulnerability in OLE Could Allow Remote Code Execution | Vendor Advisory |
| Microsoft Security Bulletin MS14-064 — Vulnerabilities in Windows OLE Could Allow Remote Code Execution | Vendor Advisory |