Microsoft has addressed 27 critical flaws this Patch Tuesday, including a Microsoft .Net Framework flaw that is being actively exploited to download Finspy surveillance software on devices running Windows 10.
Finspy is genuine software created by the UK-based Gamma Group, which is used by governments globally for cyber-surveillance. The software has been downloaded in at least two attacks in the past few months according to FireEye experts, the most recent attack leveraged the Microsoft .Net Framework flaw.
The attack begins with a spam email including a malicious RTF file. The document uses the CVE-2017-8759 vulnerability to create arbitrary code, which installs and executes a VB script including PowerShell commands, which in turn installs the malicious payload, which includes Finspy.
FireEye suggests at least one attack was completed by a nation-state against a Russian target; however, FireEye experts also believe other actors may also be using the vulnerability to conduct attacks.
According to a blog post last Tuesday, the Microsoft .Net Framework flaw has been detected and mitigated. Microsoft strongly recommends downloading the latest update promptly to minimize exposure. Microsoft says the flaw could permit a malicious actor to take full control of an impacted system.
Many Several Bluetooth flaws were discovered and shared on Tuesday by security company Aramis. The flaws impact billions of Bluetooth-enabled devices around the globe. The eight flaws, referred to as BlueBorne, could be used to carry out man-in-the-middle attacks on devices via Bluetooth, sending traffic to the attacker’s computer. The bugs exist in Windows, iOS, Android and Linux.
In order to target the flaws, Bluetooth would need to be turned for the targeted device, although it would not be necessary for the device to be in discoverable mode. A hacker could use the flaws to connect to a device – a TV or speaker for example – and start a connection to a computer without the user’s knowledge. In order to carry out the attack, it would be necessary to be in relatively close physically to the targeted device.
In addition to intercepting communications, a hacker could also take full management of a device and steal data, download ransomware or malware, or perform other malicious activities such as placing the device on a botnet. Microsoft addressed one of the Bluetooth driver spoofing bugs – CVE-2017-8628 – in the latest round of updates.
One of the most pressing updates is for a remote code execution vulnerability in NetBIOS (CVE-2017-0161). The vulnerability impacts both servers and work devices. While the vulnerability is not thought to be currently exploited in the wild, it is of note as it can be exploited just by sending specially crafted NetBT Session Service packets.
The Zero Day Initiative (ZDI) said the flaw “is practically wormable within a Local Area Network. This could also target many virtual clients if the guest OSes all connect to the same (virtual) LAN.”
Overall, 81 updates have been published by Microsoft this Patch Tuesday. Adobe has addressed eight flaws, including two critical memory corruption bugs (CVE-2017-11281, CVE-2017-11282) in Flash Player, a critical XML parsing flaw in ColdFusion (CVE-2017-11286) and two ColdFusion remote code execution flaws (CVE-2017-11283, CVE-2017-11284) relating to deserialization of untrusted data.