Object Linking and Embedding (OLE) is a technology based on Component Object Model (COM) allowing an application to embed and link to other documents or objects, and its primarily used in Microsoft Office and WordPad. In the recent years, we have seen a number of vulnerabilities, especially some critical zero-day attacks, are involving OLE. The typical examples are the "Sandworm" attack (CVE-2014-4114) that was disclosed in October 2014, and the CVE-2012-0158 - a years-old vulnerability but is still being actively exploited in the real world.
However, the previous work usually focus on the vulnerability or malware but the internals of OLE are never examined. This paper intends to fill this gap. The another important part of this research is to explore the attack surface it exposes on Windows, and to explain how an attacker may possibly leverage OLE vulnerability to perform document-based exploitation. These areas are never being looked at from a security point of view. In the 0-day demo section of our presentation, we will disclose and demonstrate a previously-unknown OLE attack vector introduced by the nature of the OLE mechanism, which could lead to a series of similar vulnerabilities being discovered in future.