Zero-day vulnerabilities discovered: 9
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when Windows Search handles objects in memory. A remote unauthenticated attacker can send specially crafted messages to the Windows Search service and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
Software: Windows
Improper input validation
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to an error when processing .LNK files. A remote attacker can create a specially crafted .LNK file and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
Note: the vulnerability is being actively exploited in the wild.
Software: Windows
Buffer overflow
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability was disclosed by the Shadow Brokers hacking team.
Software: Windows
Known/famous malware:
EsteemAudit
Type confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error when processing EPS files within Microsoft Office documents. A remote unauthenticated attacker can create a specially crafted document, trick the victim into opening it and execute arbitrary code on the target system with the privileges of the current user.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
The vulnerability was used by the APT28 group together with another zero-day, CVE-2017-0263.
Software: Microsoft Office
Known/famous malware:
GAMEFISH
Elevation of privilege
The vulnerability allows a local user to elevate privileges on the system.
The vulnerability exists due to a boundary error in the Win32k.sys driver. A local user can escalate privileges on the system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Note: this vulnerability is being actively exploited.
The vulnerability was used by the APT28 group together with another zero-day, CVE-2017-0262.
Software: Windows
Known/famous malware:
GAMEFISH
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to a boundary error. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with the privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution.
Software: Microsoft Internet Explorer
Use-after-free
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a use-after-free error when processing EPS images within Microsoft Office files. A remote attacker can create a specially crafted Office file with a malicious EPS image, trick the victim into opening it and execute arbitrary code on the target system with the privileges of the current user.
Successful exploitation of this vulnerability may allow an attacker to compromise the vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
The vulnerability was used by Turla and an unknown financially motivated actor.
Software: Microsoft Office
Known/famous malware:
SHIRIME
NETWIRE
Links:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/2017-2605
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261
https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html
https://blogs.technet.microsoft.com/msrc/2017/05/09/coming-together-to-address-encapsulated-postscri...
Cross-domain scripting
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability is caused by insufficient filtering of input data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the victim's browser in the security context of another domain.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Note: this vulnerability is being exploited in the wild.
Software: Microsoft Internet Explorer
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation. A remote unauthenticated attacker can create a specially crafted Office document, trick the victim into opening it with Microsoft Office or WordPad and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of this vulnerability may result in compromise of the vulnerable system.
Note: the vulnerability is being actively exploited.
The detected samples are organized as Word files containing Dridex botnet ID 7500 (more specifically, RTF files with a “.doc” extension). The exploit works on all Microsoft Office versions, including the latest Office 2016 running on Windows 10. The earliest attack dates to late January, according to McAfee.
According to FireEye, the malware leveraging this vulnerability was used to target Russian-speaking victims. As early as Jan. 25, 2017, lure documents referencing a Russian Ministry of Defense decree and a manual allegedly published in the "Donetsk People's Republic" exploited CVE-2017-0199 to deliver FINSPY payloads.
This vulnerability was also used by the Petya.A ransomware in the malware outbreak of 27 June 2017 as one of its attack vectors.
Software: Microsoft Office
Known/famous malware:
Malware.Binary.Rtf
Dridex botnet
FINSPY
LATENTBOT
Petya.A
Links:
https://securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/
https://www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199
https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html
https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html