Microsoft has released numerous patches for vulnerabilities as a part of its September update. In total, 81 security patches affecting Windows, Internet Explorer, Edge, Exchange, .NET Framework, Office, and Hyper-V were released in the update. The vulnerabilities vary in threat level, with 26 being rated as “critical.” But the most dangerous among them includes a zero-day exploit that targets the .Net Framework.
In the exploit report on Microsoft's Security TechCenter, the zero-day (aka CVE-2017-8759) is detailed as a remote code execution vulnerability that is exploited as follows:
A remote code execution vulnerability exists when Microsoft .NET Framework processes untrusted input. An attacker who successfully exploited this vulnerability in software using the .NET framework could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
FireEye notes in its blog post on CVE-2017-8759 that this exploit has been used in the wild already. They noticed a Microsoft Office RTF file entitled “Проект.doc” targeting Russian speakers that is distributing spyware called FINSPY. CVE-2014-8759 is being used in the attacks to distribute the spyware via “the arbitrary code injection to download and execute a Visual Basic script that contained PowerShell commands.”
FINSPY (sold by the Gamma Group) is noted by researchers to be mostly indicative of a nation-state attack due to its “lawful intercept” function. Their argument is bolstered by the fact that this is the second time an attack utilizing FINSPY has specifically targeted Russian speakers. The first attack, also reported on by FireEye, occurred in January 2017 with the spread of a malicious document called СПУТНИК РАЗВЕДЧИКА.doc. The document in question pretended to be from the Russian Ministry of Defense and exploited the vulnerability CVE-2017-0199 to infect the machine with FINSPY.
The fact that this zero-day was able to be used in cyber-espionage shows just how powerful, and dangerous CVE-2017-8759 is. Of the 81 total patches in Microsoft's September update, as Jimmy Graham of Qualys noted, “many of these vulnerabilities involve the Scripting Engine, which can impact both browsers and Microsoft Office, and should be considered for prioritizing for workstation-type systems that use email and access the internet via a browser.”
Get to patching as soon as possible, folks!
Photo credit:Flickr/ fishadow