Researchers have uncovered a new critical zero-day vulnerability, tracked as CVE-2017-8759, in the Microsoft .NET Framework that ships with Windows. The flaw is rated high risk: it allows remote code execution, and it resides in the framework's SOAP WSDL parser rather than in the operating system itself.
The following versions are affected:
- Microsoft .NET Framework 2.0 SP2
- Microsoft .NET Framework 3.5
- Microsoft .NET Framework 3.5.1
- Microsoft .NET Framework 4.5.2
- Microsoft .NET Framework 4.6
- Microsoft .NET Framework 4.6.1
- Microsoft .NET Framework 4.6.2
- Microsoft .NET Framework 4.7
Researchers point out that an exploitation attempt that fails may still leave the target in a denial-of-service condition.
Has CVE-2017-8759 Been Exploited in Real Attacks?
In a nutshell, yes. FireEye researchers recently detected a malicious Microsoft Office RTF document that exploited CVE-2017-8759. The flaw allowed attackers to inject arbitrary code while the framework parsed SOAP WSDL definition contents. In the document the research team analyzed, “attackers used the arbitrary code injection to download and execute a Visual Basic script that contained PowerShell commands”.
On the technical side, FireEye explains that “a code injection vulnerability exists in the WSDL parser module within the PrintClientProxy method. The IsValidUrl does not perform correct validation if provided data that contains a CRLF sequence. This allows an attacker to inject and execute arbitrary code.” In other words, the endpoint URL taken from the WSDL is copied into generated source code, and because the validator lets carriage-return/line-feed pairs through, an attacker can end the line the URL was placed on and append lines of their own, which are then compiled and run.
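As an added illustration of this bug class (this is not FireEye's analysis code or Microsoft's .NET source), the following Python models a PrintClientProxy-style generator that copies a WSDL endpoint URL into a comment line and a string literal of generated C# source. The generator layout, the weak and hardened validators, the class name and the sample payload are all hypothetical; the WSDL snippet and URL values are constructed for the example. The scanner at the end checks a WSDL document for `soap:address` locations that would fail the hardened check, which is the kind of triage a defender can run offline on a suspicious document's extracted WSDL.

```python
# Added example, not code from the original page or from FireEye/Microsoft.
# Simplified model of the CVE-2017-8759 bug class: a WSDL endpoint URL is
# copied into generated C# source, and a validator that ignores CR/LF lets
# the URL break out of the line it was placed on.
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/"

# Constructed sample values (hypothetical). The text after the CRLF is what
# would land outside the generated comment and be compiled as code.
INJECTED = 'System.Diagnostics.Process.Start("calc.exe");'
CRAFTED_URL = "http://localhost/Service?x=1\r\n" + INJECTED
BENIGN_URL = "http://localhost/Service"

# Constructed WSDL fragment. Character references are used for the CRLF
# because a conforming XML parser normalises a literal newline inside an
# attribute value to a space; encoded control characters survive decoding.
SAMPLE_WSDL = (
    '<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" '
    'xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">'
    '<service name="Service"><port name="ServiceSoap">'
    '<soap:address location="http://localhost/Service?x=1&#13;&#10;'
    'System.Diagnostics.Process.Start(&quot;calc.exe&quot;);"/>'
    '</port></service></definitions>'
)


def is_valid_url_weak(url: str) -> bool:
    """Hypothetical weak check in the spirit of the bug: shape only, so a
    CR/LF pair embedded in the URL passes straight through."""
    return url.lower().startswith(("http://", "https://")) and len(url) > 8


def is_valid_url_hardened(url: str) -> bool:
    """Same shape check plus rejection of every ASCII control character
    (CR, LF, TAB, NUL, ...), so the URL can never span more than one line."""
    if not is_valid_url_weak(url):
        return False
    return not any(ord(c) < 0x20 or ord(c) == 0x7F for c in url)


def cs_string_literal(s: str) -> str:
    """Escape a value for a C# string literal; the literal is not the weak spot."""
    out = s.replace("\\", "\\\\").replace('"', '\\"')
    return '"' + out.replace("\r", "\\r").replace("\n", "\\n") + '"'


def generate_client_proxy(class_name: str, url: str, validator) -> str:
    """Hypothetical generator layout: the URL goes into a line comment and a
    string literal. Only the comment takes the URL unescaped."""
    if not validator(url):
        raise ValueError("endpoint URL rejected by validator")
    return "\n".join([
        f"public class {class_name} : SoapHttpClientProtocol {{",
        f"    // endpoint: {url}",  # injection point when CR/LF survive
        f"    public {class_name}() {{",
        f"        this.Url = {cs_string_literal(url)};",
        "    }",
        "}",
    ])


def code_lines(source: str) -> list:
    """Lines a C# compiler would treat as code: non-blank, not // comments."""
    return [ln.strip() for ln in source.splitlines()
            if ln.strip() and not ln.strip().startswith("//")]


def rejected(url: str, validator) -> bool:
    """True if the generator refuses the URL under the given validator."""
    try:
        generate_client_proxy("Svc", url, validator)
    except ValueError:
        return True
    return False


def scan_wsdl(xml_text: str) -> list:
    """Return (location, reason) for each soap:address whose decoded location
    fails the hardened check; catches &#13;&#10;-style encodings too."""
    findings = []
    for addr in ET.fromstring(xml_text).iter(f"{{{SOAP_NS}}}address"):
        loc = addr.get("location", "")
        if not is_valid_url_hardened(loc):
            bad = sorted({f"0x{ord(c):02x}" for c in loc
                          if ord(c) < 0x20 or ord(c) == 0x7F})
            reason = ("control chars " + ",".join(bad)) if bad else "bad shape"
            findings.append((loc, reason))
    return findings


if __name__ == "__main__":
    print(generate_client_proxy("Svc", CRAFTED_URL, is_valid_url_weak))
    print("hardened rejects crafted URL:", rejected(CRAFTED_URL, is_valid_url_hardened))
    for loc, why in scan_wsdl(SAMPLE_WSDL):
        print("suspicious soap:address:", why, "->", repr(loc))
```

Running the block prints the generated source with the injected statement sitting on its own line below the comment, shows that the hardened validator refuses the same URL, and reports the encoded CRLF in the sample WSDL. The practical lesson for any generator that splices untrusted strings into source or scripts is the same as the fix here: reject or escape control characters before the value reaches the emitted text, and never rely on the surrounding comment or quote to contain it.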
“Проект.doc” Document Carries Malicious Payload – FINSPY Surveillance Malware
The malicious document detected by FireEye is “Проект.doc” (“Проект” is Russian for “Project”), and it was most likely used against Russian-speaking victims. On successful exploitation, the document was observed to download multiple components, including a piece of malware known as FINSPY.
FINSPY, also known as FinFisher and WingBird, is well-known surveillance software marketed for lawful interception. Given the payload used in the CVE-2017-8759 attack, researchers believe it was a nation-state operation aimed at a Russian-speaking entity, and the most plausible purpose is cyber espionage.
Is Microsoft Aware of the CVE-2017-8759-Powered Nation-State Attack?
FireEye contacted Microsoft and shared its findings, and coordinated public disclosure with Microsoft's release of a security update that fixes the flaw.
Notably, this is the second zero-day vulnerability used in attacks delivering the FINSPY payload. FireEye disclosed an earlier attack with a similar vector, exploiting CVE-2017-0199, in April of this year. This is not surprising given that the surveillance malware has been sold to multiple clients.
This may mean that CVE-2017-8759 has also been leveraged against other victims. Although there is no specific evidence of that for the current flaw, it was the case with the zero-day FireEye uncovered in April. If the actors behind FINSPY acquired this vulnerability from the same source, it is very likely that the source sold it to additional actors as well, researchers conclude.
Other attack scenarios involving CVE-2017-8759 should also be considered possible. Running outdated software is always a risk, so companies and home users alike should apply Microsoft's update promptly and keep their systems protected against malware of all kinds, spyware included. Since the known exploit arrives as an Office document, the usual caution with unsolicited attachments applies, and users are strongly advised to check whether their systems have been affected by malicious campaigns.