Windows 10: Is WebP exploit CVE-2023-5129 being detected by Microsoft Windows Defender Antivirus and is...

Fleischer Michael · Oct 3, 2023

Dear Microsoft and Microsoft Community,Is the actively exploited WebP exploit CVE-2023-5129 being detected by Microsoft Windows Defender Antivirus and is Defender Antivirus shielding your from this exploit?If yes, do i understand you correct there is nothing for us to do and we are protected?If no, does anyone know when Windows Defender Antivirus will be blocking this vulnerability? Or is Windows Defender Antivirus not ever able to be blocking this vulnerability? What is MS planning to do about this issue?Thank you for your time.

:)

Brink · Oct 3, 2023

Exploit for CVE-2017-8759 detected and neutralized

The September 12, 2017 security updates from Microsoft include the patch for a previously unknown vulnerability exploited through Microsoft Word as an entry vector. Customers using Microsoft advanced threat solutions were already protected against this threat.

The vulnerability, classified as CVE-2017-8759, was used in limited targeted attacks and reported to us by our partner, FireEye. Microsoft would like to thank FireEye for responsibly reporting this vulnerability and for working with us to protect customers.

Customers receiving automatic updates for Microsoft products are protected from this attack without any additional action required. Customers not enjoying the benefits of automatic updates should consider immediately applying this month’s updates to avoid unnecessary exposure.

Office 365 ATP and Windows Defender ATP customers protected

Customers running Microsoft advanced threat solutions such as Office 365 Advanced Threat Protection or Windows Defender Advanced Threat Protection were safe from this attack without the need of additional updates. The security configuration and reduced attack surface of Windows 10 S blocks this attack by default.

Office 365 ATP blocked the malicious attachments automatically in customer environments that have adopted the mail detonation and filtering solution. The attachment was blocked based on the detection of the malicious behaviors, as well as its similarity with previous exploits. SecOps personnel would see an ATP behavioral detection in Office 365’s Threat Explorer page:

Figure 1. Block reasons for the exploit attachment as seen in Office 365 ATP console

Windows Defender ATP was also able to raise multiple alerts related to post-exploitation activities performed by this exploit using scripting engines and PowerShell. Additional alerts may also be visible for subsequent stages of the attack performed after malware installation.

In addition, Windows Defender Antivirus detects and blocks exploits for this vulnerability as Exploit:RTF/Fitipol.A, Behavior:Win32/Fitipol.A, and Exploit:RTF/CVE-2017-8759.A using the cloud protection service, which delivers near-real-time protection against such never-before-seen threats.

Figure 2. Windows Defender ATP alerts raised for CVE-2017-8759 zero-day exploit

Protection with Windows Defender Exploit Guard

We are also happy to share with customers testing our upcoming Windows 10 Fall Creators Update that Windows Defender Exploit Guard was also able to prevent this attack using one of the many Attack Surface Reduction rules and exploit protection features.

Figure 3. Example of exploit blocking event logged by Windows Defender Exploit Guard

Windows Defender Exploit Guard is part of the defense-in-depth protection in the Windows 10 Fall Creators Update release.

Another zero-day leading to FinFisher

The CVE-2017-8759 vulnerability can allow remote code execution after users open a spam email, and double-click on an untrusted attachment and disable the Microsoft Office Protected View mode. The exploit uses Microsoft Word as the initial vector to reach the real vulnerable component, which is not related to Microsoft Office and which is responsible for certain SOAP-rendering functionalities through .NET classes.

For more information on this new campaign our partner FireEye has a good technical blog describing the infection mechanism and the details of the exploit.

After the initial notification from FireEye, Windows Defender telemetry revealed very limited usage of this zero-day exploit. The attacker used this exploit to deploy a spyware detected as Wingbird and also known to the security community as “FinFisher”, a commercial surveillance package often seen combined with expensive zero-day vulnerabilities and used by sophisticated actors.

Microsoft researchers believe that the adversary involved in this operation could be linked to the NEODYMIUM group, which has used similar zero-day exploits with spear-phishing attachments combined with the usage of FinFisher spyware. We previously reported about the NEODYMIUM group in the Windows Security blog in 2016. For additional information about this new attack as well as other NEODYMIUM attacks, we encourage ATP customers to review the in-product Threat Intelligence reports on this activity group.

Elia Florio
Windows Defender ATP Research Team
Click to expand...

Source: Exploit for CVE-2017-8759 detected and neutralized Windows Security blog

Rob Koch · Oct 3, 2023

about cve-2023-29351

If you have already installed the June 13, 2023 Windows Updates as you should have shortly after their release, then if your Windows 10 or 11 device is otherwise kept up to date, this particular known vulnerability should have been fixed and no longer an issue.

See the Security Updates section about halfway through the following Microsoft MSRC document discussing this particular vulnerability for the complete list of all Windows versions for which these updates were made available.

CVE-2023-29351 - Security Update Guide - Microsoft - Windows Group Policy Elevation of Privilege Vulnerability

Rob

NICK ADSL UK · Oct 3, 2023

Microsoft September 2023 Security Updates

September 2023 Security Updates

This release consists of the following 59 Microsoft CVEs:

Tag CVE Base Score CVSS Vector Exploitability FAQs? Workarounds? Mitigations?

Microsoft Azure Kubernetes Service CVE-2023-29332

Azure DevOps CVE-2023-33136

Windows Cloud Files Mini Filter Driver CVE-2023-35355

Microsoft Identity Linux Broker CVE-2023-36736

3D Viewer CVE-2023-36739

3D Viewer CVE-2023-36740

Visual Studio Code CVE-2023-36742

Microsoft Exchange Server CVE-2023-36744

Microsoft Exchange Server CVE-2023-36745

Microsoft Exchange Server CVE-2023-36756

Microsoft Exchange Server CVE-2023-36757

Visual Studio CVE-2023-36758

Visual Studio CVE-2023-36759

3D Viewer CVE-2023-36760

Microsoft Office Word CVE-2023-36761

Microsoft Office Word CVE-2023-36762

Microsoft Office Outlook CVE-2023-36763

Microsoft Office SharePoint CVE-2023-36764

Microsoft Office CVE-2023-36765

Microsoft Office Excel CVE-2023-36766

Microsoft Office CVE-2023-36767

3D Builder CVE-2023-36770

3D Builder CVE-2023-36771

3D Builder CVE-2023-36772

3D Builder CVE-2023-36773

Microsoft Exchange Server CVE-2023-36777

.NET Framework CVE-2023-36788

.NET and Visual Studio CVE-2023-36792

.NET and Visual Studio CVE-2023-36793

.NET and Visual Studio CVE-2023-36794

.NET and Visual Studio CVE-2023-36796

.NET Core & Visual Studio CVE-2023-36799

Microsoft Dynamics Finance & Operations CVE-2023-36800

Windows DHCP Server CVE-2023-36801

Microsoft Streaming Service CVE-2023-36802

Windows Kernel CVE-2023-36803

Windows GDI CVE-2023-36804

Windows Scripting CVE-2023-36805

Microsoft Dynamics CVE-2023-36886

Windows Kernel CVE-2023-38139

Windows Kernel CVE-2023-38140

Windows Kernel CVE-2023-38141

Windows Kernel CVE-2023-38142

Windows Common Log File System Driver CVE-2023-38143

Windows Common Log File System Driver CVE-2023-38144

Windows Themes CVE-2023-38146

Microsoft Windows Codecs Library CVE-2023-38147

Windows Internet Connection Sharing (ICS) CVE-2023-38148

Windows TCP/IP CVE-2023-38149

Windows Kernel CVE-2023-38150

Windows DHCP Server CVE-2023-38152

Azure DevOps CVE-2023-38155

Azure HDInsights CVE-2023-38156

Windows TCP/IP CVE-2023-38160

Windows GDI CVE-2023-38161

Windows DHCP Server CVE-2023-38162

Windows Defender CVE-2023-38163

Microsoft Dynamics CVE-2023-38164

Microsoft Office CVE-2023-41764

We are republising 6 non-Microsoft CVEs:

CNA Tag CVE FAQs? Workarounds? Mitigations?

Autodesk 3D Viewer CVE-2022-41303 Yes No No

Electron Visual Studio Code CVE-2023-39956 Yes No No

Chrome Microsoft Edge (Chromium-based) CVE-2023-4761 Yes No No

Chrome Microsoft Edge (Chromium-based) CVE-2023-4762 Yes No No

Chrome Microsoft Edge (Chromium-based) CVE-2023-4763 Yes No No

Chrome Microsoft Edge (Chromium-based) CVE-2023-4764 Yes No No

Security Update Guide Blog Posts

Date Blog Post

January 11, 2022 Coming Soon: New Security Update Guide Notification System

February 9, 2021 Continuing to Listen: Good News about the Security Update Guide API

January 13, 2021 Security Update Guide Supports CVEs Assigned by Industry Partners

December 8, 2020 Security Update Guide: Let’s keep the conversation going

November 9, 2020 Vulnerability Descriptions in the New Version of the Security Update Guide

Relevant Resources

The new Hotpatching feature is now generally available. Please see Hotpatching feature for Windows Server Azure Edition virtual machines (VMs) for more information.

Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog. For information on lifecycle and support dates for Windows 10 operating systems, please see Windows Lifecycle Facts Sheet.

Microsoft is improving Windows Release Notes. For more information, please see What's next for Windows release notes.

A list of the latest servicing stack updates for each operating system can be found in ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.

In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features.

Customers running Windows 7, Windows Server 2008 R2, or Windows Server 2008 need to purchase the Extended Security Update to continue receiving security updates. See 4522133 for more information.

Known Issues

You can see these in more detail from the Deployments tab by selecting Known Issues column in the Edit Columns panel.

For more information about Windows Known Issues, please see Windows message center (links to currently-supported versions of Windows are in the left pane).

KB Article Applies To

5002472 SharePoint Server 2019 Core

5002474 SharePoint Server Subscription Edition

5002494 SharePoint Enterprise Server 2016

5002501 SharePoint Enterprise Server 2016

5030216 Windows Server 2022

5030261 Windows Server 2008 R2 (Security-only update)

5030265 Windows Server 2008 R2 (Monthly Rollup)

5030271 Windows Server 2008 (Monthly Rollup)

5030286 Windows Server 2008 (Security-only update)

Released: Sep 12, 2023

September 2023 Security Updates - Release Notes - Security Update Guide - Microsoft

Windows 10: Is WebP exploit CVE-2023-5129 being detected by Microsoft Windows Defender Antivirus and is...

Is WebP exploit CVE-2023-5129 being detected by Microsoft Windows Defender Antivirus and is...

Is WebP exploit CVE-2023-5129 being detected by Microsoft Windows Defender Antivirus and is...

Is WebP exploit CVE-2023-5129 being detected by Microsoft Windows Defender Antivirus and is...

Is WebP exploit CVE-2023-5129 being detected by Microsoft Windows Defender Antivirus and is... - Similar Threads - WebP exploit CVE

Windows Defender Detect exploit win32/shellcode.MR

Windows Defender Detect exploit win32/shellcode.MR

Windows Defender Detect exploit win32/shellcode.MR

Is WebP exploit CVE-2023-5129 being detected by Microsoft Windows Defender Antivirus and is...

Is WebP exploit CVE-2023-5129 being detected by Microsoft Windows Defender Antivirus and is...

about cve-2023-29351

Exploit CVE-2014-0543 is back

Exploit : O97M/CVE-2017-11882.BY!MTB

Exploit for CVE-2017-8759 detected and neutralized