Microsoft Office Zero-Day Vulnerability Addressed in September Patch Tuesday
Microsoft has released its monthly security bulletin, colloquially known as Patch Tuesday, for September. The most important update addresses a zero-day vulnerability exploited through Microsoft Word. CVE-2017-8759 is a .NET Framework remote code execution vulnerability that allows attackers to execute code remotely on the target system. It is exploited via a spam email that prompts the user to open the attached Microsoft Office RTF document. Opening the attachment drops payloads (detected by Trend Micro as TSPY_FINSPY.A, TROJ_POWLOAD.ASUKQ, TROJ_CVE20178759.A and TROJ_CVE20178759.A) that are often used with zero-day vulnerabilities to carry out attacks.
The bulletin also addresses CVE-2017-8628, a vulnerability concerning the Windows Bluetooth driver, specifically its implementation of the Bluetooth stack. An attacker who successfully exploits this vulnerability could pull off man-in-the-middle attacks to reroute network traffic, allowing the attacker to monitor and manipulate data before passing it to the actual recipient. This vulnerability was actually patched back in July, but details were revealed in the September update.
Three additional zero-day issues were covered in the update:
- CVE-2017-8723: A security feature bypass that exists in Microsoft Edge when the Edge Content Security Policy (CSP) fails to properly validate certain specially crafted documents. This vulnerability could be exploited to potentially trick a user into loading a page containing malicious content.
- CVE-2017-8746: A security feature bypass vulnerability that exists in Device Guard that could potentially allow attackers to inject malicious code into a Windows PowerShell session. Successfully exploiting this vulnerability could allow code injected into a trusted PowerShell process to bypass the Device Guard Code Integrity policy on the local machine.
- CVE-2017-9417: A remote code execution vulnerability that exists when the Broadcom chipset in HoloLens improperly handles objects in memory. Exploiting this vulnerability could allow an attacker to take control of an affected system, after which they can install programs and view, change, or delete data or create new accounts with full user rights.
It is important to note that these three vulnerabilities have not been used in any attacks or campaigns at the time of publication. However, their public disclosure by Microsoft means that the company considers these vulnerabilities serious enough to focus on.
Adobe also released APSB17-28, which addresses CVE-2017-11281 and CVE-2017-11282, critical memory corruption vulnerabilities in Adobe Flash that could lead to code execution. Users are encouraged to update to the latest version of Flash Player, which is 220.127.116.11.
The following vulnerabilities were disclosed via Trend Micro’s Zero Day Initiative (ZDI):
Trend Micro Solutions
- 1008512-ImageMagick Denial Of Service Vulnerability (CVE-2017-9261)
- 1008564-Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-8634)
- 1008566-Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-8640)
- 1008592-Microsoft Windows Win32k Graphics Remote Code Execution Vulnerability (CVE-2017-8682)
- 1008594-Microsoft Edge Memory Corruption Vulnerability (CVE-2017-8731)
- 1008595-Microsoft Edge Memory Corruption Vulnerability (CVE-2017-8734)
- 1008597-Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-8738)
- 1008598-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2017-8747)
- 1008599-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2017-8749)
- 1008600-Microsoft Internet Explorer And Edge Memory Corruption Vulnerability (CVE-2017-8750)
- 1008601-Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-8753)
- 1008602-Microsoft Windows PDF Library Multiple Remote Code Execution Vulnerabilities (CVE-2017-8728, CVE-2017-8737)
- 1008603-Microsoft Edge Remote Code Execution Vulnerability (CVE-2017-8757)
- 1008604-Microsoft Windows .NET Framework Remote Code Execution Vulnerability (CVE-2017-8759)
TippingPoint customers are protected via the following MainlineDV filters:
- 28226: HTTP: Microsoft Windows Bitmap Parsing Information Disclosure Vulnerability
- 28736: HTTP: Microsoft Windows PDF Library JPEG2000 Memory Corruption Vulnerability
- 28737: HTTP: Microsoft Office Word Bidirectional Text Information Disclosure Vulnerability
- 28981: HTTP: Microsoft Edge Scripting Engine Memory Corruption Vulnerability
- 29153: HTTP: Microsoft Office Powerpoint Use-After-Free Vulnerability
- 29569: HTTP: Microsoft Windows win32k Out-of-Bounds Write Vulnerability
- 29573: HTTP: Microsoft Scripting Engine Memory Corruption Vulnerability
- 29574: HTTP: Microsoft Windows PDF Memory Corruption Vulnerability
- 29575: HTTP: Microsoft Internet Explorer Memory Corruption Vulnerability
- 29576: HTTP: Microsoft Internet Explorer and Edge WeakMap Memory Corruption Vulnerability
- 29577: HTTP: Microsoft Edge iframe Memory Corruption Vulnerability
- 29578: HTTP: Microsoft Edge Applet Memory Corruption Vulnerability
- 29579: HTTP: Microsoft Edge SelectionRange Memory Corruption Vulnerability
- 29581: HTTP: Microsoft Internet Explorer onload Memory Corruption Vulnerability
- 29599: HTTP: Microsoft Office Excel .xlsb Buffer Overflow Vulnerability
- 29600: HTTP: Microsoft .NET SOAP Command Injection Vulnerability
Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits and other similar threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect these kinds of attacks even without any engine or pattern update.
Deep Discovery Inspector protects customers from CVE-2017-8759 via this DDI Rule:
- DDI Beta Rule ID 3746: CVE-2017-8759 – SOAP WSDL Parser Code Injection Exploit - HTTP (Request)