CVE-2017-0022 Deployed in AdGholas Malvertising and Neutrino EK

March 2017 Patch Tuesday has been in the spotlight since it was rolled out. Cumulative updates caused quite the havoc. In the meantime, a privately reported flaw given the CVE-2017-0022 identifier has been patched. TrendMicro reported the vulnerability to Microsoft in September 2016.

The flaw was exploited in the AdGholas malvertising campaign and was then implemented in the Neutrino exploit kit. Researchers say that CVE-2017-0022 took the place of CVE-2016-3298 and CVE-2016-3351 in the campaign as the two flaws were addressed in previous updates.

CVE-2017-0022 Technical Overview

MITRE Description

Microsoft XML Core Services (MSXML) in Windows 10 Gold, 1511, and 1607; Windows 7 SP1; Windows 8.1; Windows RT 8.1; Windows Server 2008 SP2 and R2 SP1; Windows Server 2012 Gold and R2; Windows Server 2016; and Windows Vista SP2 improperly handles objects in memory, allowing attackers to test for files on disk via a crafted web site, aka “Microsoft XML Information Disclosure Vulnerability.”

CVE-2017-0022 Exploited in Malvertising and Phishing Attacks

If CVE-2017-0022 is exploited it could be used in phishing attacks to trick users into visiting malicious websites. If the malicious attempt proves to be successful it could lead to unauthorized access to sensitive information. The attacker could also be able to detect the type of security software running on the targeted system, especially solutions that analyze malware.

Here is how a malvertising campaign built on this vulnerability looks like:

Related: CVE-2017-0016, CVE-2017-0037, CVE-2017-0038 – What Are the Mitigations?

Other recent vulnerabilities in Microsoft are CVE-2017-0016, CVE-2017-0037, CVE-2017-0038. They brough to light the employment of Intrusion prevention system protection (IPS), as pointed out by TrendMicro researchers. IPS, also known as Virtual Patching, helps protect against vulnerabilities even in cases where patched have not been released yet. The three Microsoft flaws were located in the following components: Core SMB service, Internet Explorer and Edge browsers, and the Graphics Device Interface.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:

Related posts:

1. .gold Virus File (Dharma Ransomware) – Remove It .gold virus file – what is it? The virus is...
2. Adobe Patches 112 Vulnerabilities in Latest Patch Package (CVE-2018-5007) Adobe has released the latest patch package that addresses a...
3. Remove Wewe.gold Ads Wewe.gold is a website page for a monetization marketing platform....
4. .gold File Virus (Scarab Ransomware) – How to Remove What is .gold file virus? .gold file virus is also...
5. December 2017 Patch Tuesday: CVE-2017-11937, CVE-2017-11940 The final Microsoft’s Patch Tuesday for 2017 has just rolled....
6. CVE-2017-0016, CVE-2017-0037, CVE-2017-0038 – What Are the Mitigations? CVE-2017-0016, CVE-2017-0037, CVE-2017-0038 are three recently uncovered Microsoft vulnerabilities that...
7. Self-Propagating Lucifer Malware Set Against Windows Computers An advanced Microsoft Windows malware called Lucifer has been found...
8. CVE-2015-1641 and CVE-2015-2545 Prevail in Microsoft Office Malware Microsoft Office vulnerabilities are cyber criminals’ favorites. Two of the...

Leave a Comment Cancel reply

Your email address will not be published. Required fields are marked *