April Patch Tuesday: Microsoft Patches Office Vulnerability Used in Zero-Day Attacks

One of the major updates for this month’s Patch Tuesday addresses CVE-2017-0199, a zero-day remote code execution vulnerability that allowed attackers to exploit a flaw that exists in the Windows Object Linking and Embedding (OLE) interface of Microsoft Office. This flaw is currently being exploited by the notorious DRIDEX banking trojan.

Threat actors leveraging this vulnerability do so via a spam campaign in which the attacker sends an email with an embedded Microsoft Word document to a targeted user. When the user opens the attached document, the hidden exploit code connects to a remote server that fetches malicious files, which are DRIDEX variants(detected by Trend Micro as TSPY_DRIDEX.SLP, TROJ_CVE20170199.B and TROJ_CVE20170199.C).

The following DPI rules from Trend Micro Deep Security and Vulnerability Protection address this critical vulnerability:

  • 1008285-Microsoft Word Remote Code Execution Vulnerability (CVE-2017-0199)
  • 1008295-Restrict Microsoft Word RTF File With Embedded OLE2link Object (CVE-2017-0199)
  • 1008297-Identified Suspicious RTF File With Obfuscated Powershell Execution (CVE-2017-0199)

In addition to CVE-2017-0199, updates were made to the Hyper-V component of Windows Server, designed to address the following Critical vulnerabilities: CVE-2017-0162, CVE-2017-0163, CVE-2017-0180 and CVE-2017-0181, which are remote code execution vulnerabilities that trigger when the Windows Hyper-V Network Switch on a host server fails to properly validate input from an authenticated user on a guest operating system. Attackers will be able to exploit these vulnerabilities by running a specially crafted application on a guest operating system that could cause arbitrary code execution on the Hyper-V host operating system.

Microsoft’s round of updates also contains cumulative ones which address three Critical vulnerabilities (CVE-2017-0201, CVE-2017-0202 and CVE-2017-0158) for Microsoft Internet Explorer, and another three (CVE-2017-0093, CVE-2017-0200 and CVE-2017-0205) for Microsoft Edge.

In sync with Microsoft, Adobe also released their own updates, with the most important ones being APSB17-10, which addresses critical vulnerabilities in Adobe Flash Player; and APSB17-11, which resolves critical vulnerabilities in Adobe Acrobat and Reader. The vulnerabilities could allow a potential attacker to take control of affected systems.

The following vulnerabilities were disclosed via Trend Micro’s Zero Day Initiative (ZDI):

  • CVE-2017-0155
  • CVE-2017-0158
  • CVE-2017-3019
  • CVE-2017-3020
  • CVE-2017-3021
  • CVE-2017-3022
  • CVE-2017-3023
  • CVE-2017-3028
  • CVE-2017-3029
  • CVE-2017-3031
  • CVE-2017-3032
  • CVE-2017-3033
  • CVE-2017-3036
  • CVE-2017-3034
  • CVE-2017-3035
  • CVE-2017-3042
  • CVE-2017-3043
  • CVE-2017-3044
  • CVE-2017-3045
  • CVE-2017-3046
  • CVE-2017-3047
  • CVE-2017-3048
  • CVE-2017-3049
  • CVE-2017-3050
  • CVE-2017-3051
  • CVE-2017-3052
  • CVE-2017-3053
  • CVE-2017-3055
  • CVE-2017-3056
  • CVE-2017-3057
  • CVE-2017-3058
  • CVE-2017-3059
  • CVE-2017-3060
  • CVE-2017-3062

In addition to the DPI rules that protect users from the CVE-2017-0199 vulnerability, Trend Micro Deep Security and Vulnerability Protection also protect user systems from any threats that may target these Microsoft vulnerabilities:

  • 1008274-Microsoft Windows Multiple Security Vulnerabilities (CVE-2017-0155, CVE-2017-0160, CVE-2017-0165, CVE-2017-0167, CVE-2017-0188, CVE-2017-0189, CVE-2017-0211, CVE-2017-0156)
  • 1008275-Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2017-0158)
  • 1008278-Microsoft LDAP Elevation Of Privilege Vulnerability (CVE-2017-0166)
  • 1008282-Microsoft Windows ATMFD.dll Information Disclosure Vulnerability (CVE-2017-0192)
  • 1008283-Microsoft Office Memory Corruption Vulnerability (CVE-2017-0194)
  • 1008284-Microsoft Office DLL Loading Vulnerability Over Network Share (CVE-2017-0197)
  • 1008286-Microsoft Edge Memory Corruption Vulnerability (CVE-2017-0200)
  • 1008287-Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2017-0201)
  • 1008288-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2017-0202)
  • 1008290-Microsoft Edge Memory Corruption Vulnerability (CVE-2017-0205)
  • 1008291-Microsoft Edge Scripting Engine Information Disclosure Vulnerability (CVE-2017-0208)
  • 1008292-Microsoft Office DLL Loading Vulnerability Over WebDAV (CVE-2017-0197)
  • 1008294-Microsoft Internet Explorer Elevation Of Privilege Vulnerability (CVE-2017-0210)

TippingPoint customers are protected from attacks exploiting these vulnerabilities via these Custom Shield Writer (CSW) and MainlineDV filters:

  • 27423: HTTP: Microsoft Template with an Embedded Shockwave Flash Object
  • 27719: HTTP: Microsoft Internet Explorer VBScript Recordset Use-After-Free Vulnerability
  • 27723: HTTP: Microsoft Edge SVG xlink Type Confusion Vulnerability
  • 27724: HTTP: Microsoft Internet Explorer Stylesheet Type Confusion Vulnerability
  • 27725: HTTP: Microsoft Edge Render Format Type Confusion Vulnerability
  • 27726: HTTP: Microsoft Word RTF objautlink Memory Corruption Vulnerability
  • 27727: HTTP: Microsoft Windows DDI Out-of-Bounds Write Vulnerability
  • 27728: HTTP: Microsoft Excel XML Memory Corruption Vulnerability
  • 27729: HTTP: Microsoft Windows Win32k KASLR Information Disclosure Vulnerability
  • 27731: HTTP: Microsoft Windows GDI Out-of-Bounds Write Vulnerability
  • 27732: HTTP: Microsoft Windows DDI Out-of-Bounds Write Vulnerability
  • 27733: HTTP: Microsoft Windows Adobe Type-1 Font ATMFD.DLL Memory Corruption Vulnerability
  • 27736: HTTP: Microsoft OneNote DLL Hijacking Vulnerability
  • 27737: HTTP: Microsoft Edge Chakra Information Disclosure Vulnerability
  • 27739: HTTP: Microsoft Windows IEETWCollector Privilege Escalation Vulnerability
  • 27740: HTTP: Microsoft .NET WMI Memory Corruption Vulnerability
  • 27841: HTTP: RTF File Implementing objautlink and URL Monikers
  • 27842: HTTP: Suspicious Obfuscated Powershell Execution
  • CSW:27850:HTTPS: TSPY_DRIDEX.SLP Checkin

Users with Trend Micro Home Network Security are protected via the following signature:

  • 1133594 FILE Microsoft Outlook Remote Code Execution Vulnerability (CVE-2017-0199)

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

April Patch Tuesday: Microsoft Patches Office Vulnerability Used in Zero-Day Attacks

Read more: April Patch Tuesday: Microsoft Patches Office Vulnerability Used in Zero-Day Attacks

Story added 12. April 2017, content source with full text you can find at link above.