Windows 10: Exploit for CVE-2017-8759 detected and neutralized

Brink · Sep 12, 2017

The September 12, 2017 security updates from Microsoft include the patch for a previously unknown vulnerability exploited through Microsoft Word as an entry vector. Customers using Microsoft advanced threat solutions were already protected against this threat.

The vulnerability, classified as CVE-2017-8759, was used in limited targeted attacks and reported to us by our partner, FireEye. Microsoft would like to thank FireEye for responsibly reporting this vulnerability and for working with us to protect customers.

Customers receiving automatic updates for Microsoft products are protected from this attack without any additional action required. Customers not enjoying the benefits of automatic updates should consider immediately applying this month’s updates to avoid unnecessary exposure.

Office 365 ATP and Windows Defender ATP customers protected

Customers running Microsoft advanced threat solutions such as Office 365 Advanced Threat Protection or Windows Defender Advanced Threat Protection were safe from this attack without the need of additional updates. The security configuration and reduced attack surface of Windows 10 S blocks this attack by default.

Office 365 ATP blocked the malicious attachments automatically in customer environments that have adopted the mail detonation and filtering solution. The attachment was blocked based on the detection of the malicious behaviors, as well as its similarity with previous exploits. SecOps personnel would see an ATP behavioral detection in Office 365’s Threat Explorer page:

Figure 1. Block reasons for the exploit attachment as seen in Office 365 ATP console

Windows Defender ATP was also able to raise multiple alerts related to post-exploitation activities performed by this exploit using scripting engines and PowerShell. Additional alerts may also be visible for subsequent stages of the attack performed after malware installation.

In addition, Windows Defender Antivirus detects and blocks exploits for this vulnerability as Exploit:RTF/Fitipol.A, Behavior:Win32/Fitipol.A, and Exploit:RTF/CVE-2017-8759.A using the cloud protection service, which delivers near-real-time protection against such never-before-seen threats.

Figure 2. Windows Defender ATP alerts raised for CVE-2017-8759 zero-day exploit

Protection with Windows Defender Exploit Guard

We are also happy to share with customers testing our upcoming Windows 10 Fall Creators Update that Windows Defender Exploit Guard was also able to prevent this attack using one of the many Attack Surface Reduction rules and exploit protection features.

Figure 3. Example of exploit blocking event logged by Windows Defender Exploit Guard

Windows Defender Exploit Guard is part of the defense-in-depth protection in the Windows 10 Fall Creators Update release.

Another zero-day leading to FinFisher

The CVE-2017-8759 vulnerability can allow remote code execution after users open a spam email, and double-click on an untrusted attachment and disable the Microsoft Office Protected View mode. The exploit uses Microsoft Word as the initial vector to reach the real vulnerable component, which is not related to Microsoft Office and which is responsible for certain SOAP-rendering functionalities through .NET classes.

For more information on this new campaign our partner FireEye has a good technical blog describing the infection mechanism and the details of the exploit.

After the initial notification from FireEye, Windows Defender telemetry revealed very limited usage of this zero-day exploit. The attacker used this exploit to deploy a spyware detected as Wingbird and also known to the security community as “FinFisher”, a commercial surveillance package often seen combined with expensive zero-day vulnerabilities and used by sophisticated actors.

Microsoft researchers believe that the adversary involved in this operation could be linked to the NEODYMIUM group, which has used similar zero-day exploits with spear-phishing attachments combined with the usage of FinFisher spyware. We previously reported about the NEODYMIUM group in the Windows Security blog in 2016. For additional information about this new attack as well as other NEODYMIUM attacks, we encourage ATP customers to review the in-product Threat Intelligence reports on this activity group.

Elia Florio
Windows Defender ATP Research Team
Click to expand...

Source: Exploit for CVE-2017-8759 detected and neutralized Windows Security blog

:)

Aidan McGrath · Sep 12, 2017

Microsoft Patches

Hi

Where can I check the latest KB numbers for Security Patches.

Fore example the Exploit (CVE-2017-8759) id covered in September Security package.

Where can I find the KB for this security package , and all packages.

I appreciate your help.,

Regards,

Aidan

Richard Bruins · Sep 12, 2017

ETA of patch for "KRACK". Was this patched previously or should we expect a patch soon?

We are looking for information that suggest when "Key Reinstallation Attack" will be patched for Windows 10 Professional. Has it been patched in an earlier update? This vulnerability has also been dubbed as "KRACK". This vulnerability is being tracked
as CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088.

Windows 10: Exploit for CVE-2017-8759 detected and neutralized

Exploit for CVE-2017-8759 detected and neutralized

Exploit for CVE-2017-8759 detected and neutralized

Exploit for CVE-2017-8759 detected and neutralized - Similar Threads - Exploit CVE 2017

Is WebP exploit CVE-2023-5129 being detected by Microsoft Windows Defender Antivirus and is...

Is WebP exploit CVE-2023-5129 being detected by Microsoft Windows Defender Antivirus and is...

Is WebP exploit CVE-2023-5129 being detected by Microsoft Windows Defender Antivirus and is...

Microsoft Defender detected threat called - Exploit:O97M/CVE-2017-0199.AR!MSR

[NEW UNPATCHED EXPLOIT] How to be safe from the CVE-2022-30190 exploit workaround /...

Exploit CVE-2014-0543 is back

Attacks exploiting Netlogon vulnerability (CVE-2020-1472)

Exploit : O97M/CVE-2017-11882.BY!MTB

Get-SpeculationControlSettings not checking for CVE-2017-5753?