A vulnerability, designated as CVE-2014-6352, is triggered when a user is forced to open a PowerPoint files containing a malicious Object Linking and Embedding (OLE) object. All Office file types can also be used to carry out same attack.
The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file that contains an OLE object. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Microsoft urges Windows users to pay attention to the User Account Control prompt, a pop-up alerts that require authorization before the OS is allowed to perform various tasks, which would warn a user once the exploit starts to trigger – asking permission to execute. But, users many times see it as an inconvenience and many habitually click through without a second thought.
The UAC prompt may look similar to this on Windows 7.
This vulnerability, combined with half of America’s e-mail addresses stolen from JP Morgan Chase, can be used as a targeted phishing attack.