An actively exploited zero-day vulnerability tied to Microsoft's .NET framework is one of 25 critical and 54 important vulnerabilities fixed by Microsoft in its September Patch Tuesday security bulletin.
According to Microsoft, the .NET framework vulnerability (CVE-2017-8759) allows attackers to "take control of an affected system." From there, attackers can install programs and view, change, or delete data, or create new accounts with full user rights.
"To exploit the vulnerability, an attacker would first need to convince the user to open a malicious document or application," Microsoft said Tuesday. The bulletin doesn't give any indication of how widespread the attacks are but says the vulnerability is "important" and was found by security firm FireEye.
According to FireEye, the vulnerability is actively being distributed with the FINSPY spyware and delivered via malicious Microsoft Office RTF files. Researchers there said the zero day leverages a SOAP WSDL parser code injection vulnerability.
"FireEye analyzed a Microsoft Word document where attackers used the arbitrary code injection to download and execute a Visual Basic script that contained PowerShell commands," Genwei Jiang, Ben Read and Tom Bennett, researchers with the firm, wrote in a technical analysis of the vulnerability also posted Tuesday.
This is the second zero-day vulnerability used to distribute FINSPY uncovered by FireEye in 2017. The first was found in April and was part of an unidentified state-sponsored attack targeting victims in Russia.
"These exposures demonstrate the significant resources available to 'lawful intercept' companies and their customers. Furthermore, FINSPY has been sold to multiple clients, suggesting the vulnerability was being used against other targets," the firm said.
On Tuesday, Microsoft also publicly disclosed information pertaining to a patch for a vulnerability that is part of a collection of exploits known as BlueBorne, discovered and publicly revealed Tuesday by security firm Armis.
The BlueBorne-related bug (CVE-2017-8628), identified as a Bluetooth driver spoofing vulnerability, could allow an attacker to successfully perform a man-in-the-middle attack and force a user's computer to unknowingly route traffic through the attacker's computer, according to Microsoft.
The prerequisites for the attack are that the target's device has Bluetooth enabled and that the adversary is within proximity of the device. "The attacker can then initiate a Bluetooth connection to the target computer without the user's knowledge" and carry out the attack, according to Microsoft.
"You don't often see patches to fix issues that depend on physical proximity, but Bluetooth attacks are definitely an exception," the Zero Day Initiative's (ZDI) Dustin Childs said in an analysis of the vulnerability. "For the Windows OS, code execution over Bluetooth cannot directly occur with this bug. Still, the MiTM attack is still severe enough to warrant extra attention."
Microsoft also patched a critical NetBIOS remote code execution vulnerability (CVE-2017-0161). The flaw exists in NetBT Session Services when NetBT fails to maintain certain sequencing requirements, Microsoft said. "To exploit the vulnerability, an attacker needs to be able to send specially crafted NetBT Session Service packets to an impacted system," according to the bulletin.
ZDI points out that NetBIOS isn't a routable protocol, so the impact is limited. "The bad news is that this is practically wormable within a LAN. This could also impact multiple virtual clients if the guest OSes all connect to the same (virtual) LAN," according to ZDI.
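Both the NetBT bug and the BlueBorne bug above depend on a precondition the defender controls: NetBT Session Service packets must be able to reach the host, and a Bluetooth radio must be enabled. The following PowerShell audit is an added example, not from the article or from Microsoft, ZDI or FireEye; it assumes a Windows host with the standard CIM, NetTCPIP and PnpDevice cmdlets available (Windows 8 / Server 2012 or later).

```powershell
# Added example: audit the exposure preconditions for CVE-2017-0161 (NetBT) and
# CVE-2017-8628 (Bluetooth) on the local Windows host. Patching remains the fix;
# this only shows whether the attack surface is reachable in the meantime.

# Win32_NetworkAdapterConfiguration.TcpipNetbiosOptions:
#   0 = use DHCP setting (NetBIOS over TCP/IP usually ends up enabled)
#   1 = enabled, 2 = disabled
$labels = @{ 0 = 'Default (via DHCP)'; 1 = 'Enabled'; 2 = 'Disabled' }

$adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'

$report = foreach ($a in $adapters) {
    $opt = [int]$a.TcpipNetbiosOptions
    [pscustomobject]@{
        Adapter   = $a.Description
        IPAddress = ($a.IPAddress -join ', ')
        NetBIOS   = $labels[$opt]
        # Anything other than 2 means NetBT Session Service can be reached on this interface,
        # so a crafted NetBT packet from the same LAN segment would be delivered.
        Exposed   = ($opt -ne 2)
    }
}
$report | Format-Table -AutoSize

# Confirm whether the NetBT Session Service is actually listening (TCP 139).
Get-NetTCPConnection -LocalPort 139 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# Bluetooth precondition for CVE-2017-8628: an enabled Bluetooth radio/device.
Get-PnpDevice -Class Bluetooth -ErrorAction SilentlyContinue |
    Where-Object Status -eq 'OK' |
    Select-Object FriendlyName, Status

# Optional remediation for hosts that do not need NetBIOS name resolution:
# disable NetBIOS over TCP/IP on every exposed adapter (requires elevation).
# foreach ($a in $adapters) {
#     $a | Invoke-CimMethod -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 }
# }
```

Run it on a sample of LAN hosts and virtual guests sharing a virtual switch; any adapter reported as Exposed is one where the "wormable within a LAN" caveat from ZDI applies until the patch is installed.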
In total, Microsoft released 81 security patches as part of its September Patch Tuesday impacting Windows, Internet Explorer, Edge, Exchange, .NET Framework, Office and Hyper-V. Twenty-six of the vulnerabilities are critical, 53 important and two are rated moderate in severity. Cutting the numbers even further, 38 of the vulnerabilities impacted Windows and 22 are tied to Microsoft's Edge and IE browsers.
"Many of these vulnerabilities involve the Scripting Engine, which can impact both browsers and Microsoft Office, and should be considered for prioritizing for workstation-type systems that use email and access the internet via a browser," according to analysis by Jimmy Graham, director of product management, vulnerability management, for security firm Qualys.