Microsoft's September Patch Tuesday security updates include a fix for a zero-day flaw found in the wild and used to target Russian-language speakers, along with details on the BlueBorne vulnerability that potentially impacts five billion Bluetooth devices.
In total, Microsoft patched 82 flaws, 21 of them rated critical. The release also includes the public disclosure of three additional zero-day vulnerabilities that have not been exploited.
The zero-day flaw was brought to light by FireEye researchers, who detected a malicious Microsoft Office RTF document exploiting CVE-2017-8759, a vulnerability that can allow code injection. In this case the attackers downloaded and executed a Visual Basic script containing PowerShell commands, FireEye wrote. Several components were eventually downloaded, resulting in the FINSPY payload being launched.
“FINSPY malware, also reported as FinFisher or WingBird, is available for purchase as part of a ‘lawful intercept’ capability. Based on this and previous use of FINSPY, we assess with moderate confidence that this malicious document was used by a nation-state to target a Russian-speaking entity for cyberespionage purposes,” FireEye wrote.
The BlueBorne patch, covering CVE-2017-8628, was quietly pushed by Microsoft in July, according to Bleeping Computer, but the company held back a public announcement to give its partners time to fix the problem. To take advantage of the flaw, Microsoft noted, the attacker needs to be within Bluetooth range of the victim's device, and that device must have Bluetooth enabled. The attacker then connects to the target device.
“An attacker who successfully exploited this vulnerability could perform a man-in-the-middle attack and force a user's computer to unknowingly route traffic through the attacker's computer. The attacker can then monitor and read the traffic before sending it on to the intended recipient,” Microsoft TechCenter said.
The three non-exploited zero-day issues are:
- CVE-2017-8723, a security feature bypass in Microsoft Edge that exists when the Edge Content Security Policy fails to properly validate certain specially crafted documents; if exploited, the bypass could trick a user into loading a page containing malicious content.
- CVE-2017-9417, a flaw that exists when a Broadcom chipset in HoloLens improperly handles objects in memory, which could lead to remote code execution.
- CVE-2017-8746, a security feature bypass vulnerability in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session.
“While all three of these have lower exploitability index ratings, the fact that they have been Publicly Disclosed means a Threat Actor has enough information to potentially create an exploit. Public Disclosures are a threat indicator to watch for as they are at higher risk of being exploited since some of the busy work of research and finding how to exploit may have been done for them already,” Chris Goettl, product manager at Ivanti, told SC Media in an email.