Zero-day vulnerability in Microsoft .NET Framework

Improper input validation
CVE-2017-8759

The vulnerability was detected by FireEye researchers. The attacker used a Microsoft Office RTF document to leverage RCE in .NET Framework and deploy FINSPY malware. The malicious document “Проект.doc” (MD5: fe5c4d6bb78e170abf5cf3741868ea4c) had a Russian name and might have been used to target a Russian speaker.

Known malware:

FINSPY

Vulnerability details

Advisory: SB2017091210 - Remote code execution in Microsoft .NET Framework

Vulnerable component: Microsoft .NET Framework

CVE-ID: CVE-2017-8759

CVSSv3 score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-20 - Improper Input Validation

Description:

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an unspecified error when processing untrusted input. A remote unauthenticated attacker can execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Note: this vulnerability is being actively exploited in the wild.

Public Exploits:

Latest references in media:

- Creators of Tools for Building Malicious Office Docs Ditch Old Exploits [2018-09-12 22:30:05]

- The Complexity amidst Simplicity: Exploiting the MS Office DDE Feature [2018-05-29 04:11:22]

- IT threat evolution Q1 2018. Statistics [2018-05-14 12:12:44]

- The King is dead. Long live the King! [2018-05-09 08:07:49]

- The Complexity amidst Simplicity: Exploiting the MS Office DDE Feature [2018-04-05 15:40:34]

- ChessMaster Adds Updated Tools to Its Arsenal [2018-03-29 15:01:57]

- The Complexity amidst Simplicity: Exploiting the MS Office DDE Feature [2018-03-29 04:27:19]

- New ThreadKit exploit builder used to spread banking Trojan and RATs [2018-03-28 14:43:53]

- Threat Landscape for Industrial Automation Systems in H2 2017 [2018-03-26 12:01:35]

- The Complexity amidst Simplicity: Exploiting the MS Office DDE Feature [2018-03-26 00:32:11]

- ComboJack malware tries to steal your cryptocurrency by changing the data in your clipboard | ZDNet [2018-03-06 14:15:17]

- Windows Defender ATP Detects Spyware Used by Law Enforcement: Microsoft [2018-03-04 19:15:50]

- The Complexity amidst Simplicity: Exploiting the MS Office DDE Feature [2017-10-31 01:00:00]

- Attack Using Windows Installer msiexec.exe leads to LokiBot [2018-02-08 17:02:44]

- Cybercriminals are exploiting Microsoft Office vulnerabilities to Spread Zyklon Botnet Malware [2018-01-27 13:20:03]

- Hackers are using recent Microsoft Office vulnerabilities to distribute malware | ZDNet [2018-01-19 17:00:05]

- Zyklon Spreads Using Just-Patched Microsoft Vulns [2018-01-18 22:40:03]

- Threat actors are delivering the Zyklon Malware exploiting three Office vulnerabilities [2018-01-18 10:31:12]

- Attackers Use Microsoft Office Vulnerabilities to Spread Zyklon Malware [2018-01-18 00:31:32]

- Zyklon Malware Delivered via Recent Office Flaws [2018-01-17 20:41:38]

- Cybercriminals are exploiting Microsoft Office vulnerabilities to Spread Zyklon Botnet Malware [2018-01-17 19:30:03]

- Microsoft Office Vulnerabilities Used to Distribute Zyklon Malware in Recent Campaign [2018-01-17 17:10:02]

- Threat Actors Quickly Adopt Effective Exploits [2018-01-17 17:01:21]

- Windows Defender ATP machine learning and AMSI: Unearthing script-based attacks that ‘live off the land’ [2018-01-17 00:24:39]

- CVE-2017-11882 Exploited to Deliver a Cracked Version of the Loki Infostealer [2018-01-15 06:50:35]

- CVE-2017-11882 Exploited to Deliver a Cracked Version of the Loki Infostealer [2017-12-20 10:02:42]

- Security Alert: New Wave of Malicious Exploit Kits Are Targeting Microsoft Office [2017-12-15 10:54:53]

- Security Alert: New Wave of Malicious Exploit Kits Are Targeting Microsoft Office [2017-12-15 10:31:47]

- Untangling the Patchwork Cyberespionage Group [2017-12-11 13:33:54]

- Windows Defender ATP machine learning and AMSI: Unearthing script-based attacks that ‘live off the land’ [2017-12-04 15:06:33]

- Cobalt Hackers Exploit 17-Year-Old Vulnerability in Microsoft Office [2017-11-27 19:50:06]

- A Hacking Group Is Already Exploiting the Office Equation Editor Bug [2017-11-24 18:53:22]

- Cobalt Hackers Now Targeting Banks Directly [2017-11-21 18:11:18]

- Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks [2017-11-20 13:41:07]

- ChessMaster’s New Strategy: Evolving Tools and Tactics [2017-11-13 09:24:38]

- IT threat evolution Q3 2017. Statistics [2017-11-10 11:54:53]

- ChessMaster’s New Strategy: Evolving Tools and Tactics [2017-11-06 14:12:01]

- Windows 10 Exploit Guard Boosts Endpoint Defenses [2017-11-01 18:30:10]

- Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware [2017-10-23 18:11:18]

- Windows Defender Exploit Guard: Reducing the attack surface with next-generation host intrusion prevention [2017-10-23 15:05:55]

- Cyber espionage – China-Linked group leverages recently patched .NET Flaw [2017-10-19 10:00:23]

- Recently Patched .NET Flaw Exploited by China-Linked Cyberspies [2017-10-18 16:21:20]

- Mysterious cyber espionage campaign uses 'torpedo' lure to trick you into downloading malware | ZDNet [2017-10-18 12:20:04]

- Adobe releases emergency fix for Flash Player zero-day exploited in the wild [2017-10-17 12:00:06]

- BlackOasis APT leverages new Flash zero-day exploit to deploy FinSpy [2017-10-17 09:11:24]

- Adobe patches zero-day vulnerability used to plant gov't spying software | ZDNet [2017-10-17 08:50:04]

- Fresh Adobe Zero-Day Spotted in the Wild [2017-10-16 23:20:04]

- Here's a timeless headline: Adobe rushes out emergency Flash fix after hacker exploits bug [2017-10-16 20:50:01]

- Government Hacker Using New Flash Zero-Day Exploit to Install FinFisher/FinSpy Spyware On High-Profile Targets [2017-10-16 18:00:03]

- Adobe Patches Flash Zero Day Exploited by Black Oasis APT [2017-10-16 17:50:06]

- Adobe Patches Flash Zero-Day Used by BlackOasis APT [2017-10-16 17:14:27]

- BlackOasis APT and new targeted attacks leveraging zero-day exploit [2017-10-16 16:44:46]

- Exploit for CVE-2017-8759 detected and neutralized [2017-09-12 20:46:50]

- ISP Involvement Suspected in the Distribution of FinFisher Spyware [2017-09-21 22:11:03]

- Internet Providers Possibly Involved in FinFisher Surveillance Operations: Report [2017-09-21 19:30:44]

- Microsoft Office Zero-Day Spread Surveillance Software [2017-09-14 19:20:02]

- Microsoft patches second FinSpy zero-day exploit this year [2017-09-14 17:33:33]

- September Patch Tuesday, patch your Windows now to avoid ugly surprises [2017-09-13 19:31:08]

- Adobe, Microsoft Plug Critical Security Holes [2017-09-13 19:21:30]

- Patch Tuesday: 80+ vulnerabilities fixed, one exploited in the wild [2017-09-13 14:20:30]

- Microsoft's September Patch Tuesday: Install Security Patch for Windows 0-Day Flaw That's Being Used to Distribute FINSPY Mal [2017-09-13 13:20:13]

- Microsoft Office Zero-Day Vulnerability Addressed in September Patch Tuesday [2017-09-13 13:04:28]

- Microsoft Patches 'BlueBorne' Bluetooth Bug in Latest Update [2017-09-13 11:50:03]

- Microsoft Patches Zero-Day, Many Other Flaws [2017-09-13 10:51:47]

- It's September 2017, and .NET lets PDFs hijack your Windows PC [2017-09-13 01:40:01]

- Microsoft patches zero-day security bug used to spread state-sponsored spy tools [2017-09-12 22:51:40]

- Microsoft Patches Office Zero Day Vulnerability [2017-09-12 22:00:45]

- Researchers Catch Microsoft Zero-Day Used To Install Government Spyware [2017-09-12 20:42:11]

- .NET Zero-Day Flaw Exploited to Deliver FinFisher Spyware [2017-09-12 20:40:42]

- Microsoft September Patch Tuesday Fixes 82 Security Issues, Including a Zero-Day [2017-09-12 20:35:22]

- FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY [2017-09-12 19:20:22]
