An actively exploited zero-day vulnerability tied to Microsoft’s .NET framework is one of 25 critical and 54 important vulnerabilities fixed by Microsoft in its September Patch Tuesday security bulletin.
According to Microsoft, the .NET framework vulnerability (CVE-2017-8759) allows attackers to “take control of an affected system.” From there, attackers can install programs and view, change, or delete data, or create new accounts with full user rights.
“To exploit the vulnerability, an attacker would first need to convince the user to open a malicious document or application,” Microsoft said Tuesday. The bulletin doesn’t give any indication of how widespread the attacks are but says the vulnerability is “important” and was found by security firm FireEye.
According to FireEye, the vulnerability is actively being distributed with the FINSPY spyware and delivered via malicious Microsoft Office RTF files. Researchers there said the zero day leverages a SOAP WSDL parser code injection vulnerability.
“FireEye analyzed a Microsoft Word document where attackers used the arbitrary code injection to download and execute a Visual Basic script that contained PowerShell commands,” Genwei Jiang, Ben Read and Tom Bennett, researchers with the firm, wrote in a technical analysis of the vulnerability, also posted Tuesday.
This is the second zero-day vulnerability used to distribute FINSPY uncovered by FireEye in 2017. The first was found in April and was part of an unidentified state-sponsored attack targeting victims in Russia.
“These exposures demonstrate the significant resources available to ‘lawful intercept’ companies and their customers. Furthermore, FINSPY has been sold to multiple clients, suggesting the vulnerability was being used against other targets,” the firm said.
On Tuesday, Microsoft also publicly disclosed information pertaining to a patch for a vulnerability that is part of a collection of exploits known as BlueBorne, discovered and publicly revealed Tuesday by security firm Armis.
The BlueBorne-related bug (CVE-2017-8628), identified as a Bluetooth driver spoofing vulnerability, could allow an attacker to successfully perform a man-in-the-middle attack and force a user’s computer to unknowingly route traffic through the attacker’s computer, according to Microsoft.
The prerequisites for the attack are that the target’s device have Bluetooth enabled and that the adversary be within proximity of the device. “The attacker can then initiate a Bluetooth connection to the target computer without the user’s knowledge” and carry out the attack, according to Microsoft.
“You don’t often see patches to fix issues that depend on physical proximity, but Bluetooth attacks are definitely an exception,” the Zero Day Initiative’s (ZDI) Dustin Childs said in an analysis of the vulnerability. “For the Windows OS, code execution over Bluetooth cannot directly occur with this bug. Still, the MiTM attack is still severe enough to warrant extra attention.”
Microsoft also patched a critical NetBIOS remote code execution vulnerability (CVE-2017-0161). The flaw exists in NetBT Session Services when NetBT fails to maintain certain sequencing requirements, Microsoft said. “To exploit the vulnerability, an attacker needs to be able to send specially crafted NetBT Session Service packets to an impacted system,” according to the bulletin.
ZDI points out that NetBIOS isn’t a routable protocol, so the impact is limited. “The bad news is that this is practically wormable within a LAN. This could also impact multiple virtual clients if the guest OSes all connect to the same (virtual) LAN,” according to ZDI.
In total, Microsoft released 81 security patches as part of its September Patch Tuesday impacting Windows, Internet Explorer, Edge, Exchange, .NET Framework, Office and Hyper-V. Twenty-six of the vulnerabilities are critical, 53 important and two are rated moderate in severity. Breaking the numbers down further, 38 of the vulnerabilities impacted Windows and 22 are tied to Microsoft’s Edge and IE browsers.
“Many of these vulnerabilities involve the Scripting Engine, which can impact both browsers and Microsoft Office, and should be considered for prioritizing for workstation-type systems that use email and access the internet via a browser,” according to analysis by Jimmy Graham, director of product management, vulnerability management for security firm Qualys.