Recently a hot Word 0-day vulnerability has been used to spread malware and in nation-state attacks (vulnerability warning, the Black Bar Safety Net)

myhack58, 佚名 (Anonymous), MYHACK58:62201785272
2017-04-15 00:00:00
www.myhack58.com
CVSS3: 7.8 High (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
  Attack Vector: LOCAL; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: REQUIRED; Scope: UNCHANGED
  Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

CVSS2: 9.3 High (AV:N/AC:M/Au:N/C:C/I:C/A:C)
  Access Vector: NETWORK; Access Complexity: MEDIUM; Authentication: NONE
  Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE

EPSS: 0.974 High (percentile 99.9%)

Microsoft Word 0-day vulnerabilities have been a hot topic recently. On this month's Patch Tuesday Microsoft finally released a patch for CVE-2017-0199, and, unlike what was reported earlier, the vulnerability also affects Microsoft's own WordPad. According to security firm FireEye, the vulnerability had already been used by cybercriminals to spread malware, and even by state-sponsored espionage groups to spy on pro-Russian factions in Ukraine.
The story starts in 2016, when a security researcher named Ryan Hanson found a security vulnerability in RTF file handling that could be exploited to execute code on the underlying operating system.
Having finished the discovery work, Hanson intended to submit the three Microsoft vulnerabilities he had found in October 2016 to Microsoft, which had by then opened a vulnerability bounty program.
Paradoxically, Microsoft took six months to fix the three Word vulnerabilities Hanson submitted, finally publishing the three corresponding patches on this April's Patch Tuesday: CVE-2017-0106, CVE-2017-0199 and CVE-2017-0204.
What surprised Microsoft, however, was that just a few days before the patch was released, McAfee and FireEye researchers also discovered the 0-day, which is what our previous article reported.
![](/Article/UploadPic/2017-4/2017415103314261.png?www.myhack58.com)
The vulnerability was used to attack pro-Russian factions in Ukraine
The long repair period was bad for everyone else: because McAfee and FireEye published the 0-day before Microsoft had released a patch, FireEye did not disclose many details at the time. Now that the patch is out, several security companies have started to fill in some of the behind-the-scenes details.
According to FireEye, the 0-day first appeared on January 25, 2017, when FireEye found it being exploited to deliver FinSpy.
FinSpy is a hacking kit designed and sold by the Gamma Group; its buyers are usually government and law enforcement agencies from around the world, and it is not the kind of ordinary tool one finds on underground hacker forums.
That campaign was aimed mainly at users in Russian-speaking countries, and the Word documents used in the attack left a backdoor on the target computer. The documents referenced the Donetsk People's Republic, suggesting that the campaign targeted the Russian rebels in eastern Ukraine.
When FireEye discovered the FinSpy campaign, it was confident that the Gamma Group had already informed its user base of the 0-day, which means the countries that purchased the spyware were likely able to use this vulnerability.
Crimeware groups also took a liking to this 0-day
Two months after the FinSpy campaign, at the end of March, FireEye detected the 0-day again, but this time it was being used by a cybercrime group to spread LatentBot. LatentBot is a sophisticated backdoor Trojan whose traces are usually found in corporate and financial espionage operations.
FireEye experts noted:
The FinSpy and LatentBot samples show that both attacks were built on the same foundation, and that the exploit code supporting both cybercrime and cyber espionage came from the same source.
The latest version of the malicious document seen in the two criminal campaigns was last modified on 2016-11-27 22:42:00; by then someone had been peddling this Microsoft Word 0-day to an organization.
![](/Article/UploadPic/2017-4/2017415103315824.png?www.myhack58.com)
Last modified times of the FinSpy and LatentBot samples
After FireEye and McAfee published the Word 0-day, the organization apparently launched a campaign to sell it publicly: knowing that once the patch was in place its exploit would be worthless, it eagerly shared, and very likely sold, the 0-day to other criminal groups.
Just this Monday, Proofpoint detected a spam campaign that used the Word 0-day exploit to spread the Dridex banking Trojan.
Also on Monday, security firm Netskope found the same wave of spam, but this time it was spreading Godzilla, an ordinary malware downloader.
The 0-day affects not only Office but also WordPad
The 0-day originally came to our attention as an Office vulnerability, but according to Microsoft's security advisory, the WordPad that ships with Windows is affected in the same way.
In other words, even users who do not have Office installed are at risk if they open the booby-trapped document in WordPad. When that happens, the exploit packaged in the file executes and downloads an HTA (HTML Application) file disguised as an RTF, which in turn runs PowerShell commands on the user's computer.
Obviously this makes the WordPad vulnerability more deadly, since WordPad has nothing like Office's Protected View to circumvent the attack. (In our previous Word 0-day article we pointed to Office's Protected View feature as a way to stay safe from such attacks.)
It is worth mentioning that when CVE-2017-0199 is combined with CVE-2017-0204, Office's Protected View can also be bypassed.
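The chain described above (a document viewer such as Word or WordPad launching an HTA host, which then runs PowerShell) is something a defender can look for in process-creation telemetry regardless of which patch level the machine is at. The following detector is an added example written for this article, not code from the article's author, FireEye, McAfee or Microsoft. It assumes Sysmon-style field names (ProcessId, ParentProcessId, Image, ParentImage) and walks the ancestry of each process so that PowerShell launched by mshta.exe is still tied back to WordPad; the sample events are constructed for the example and do not come from any real incident.

```python
import ntpath

# Document viewers the article names as the entry point: Word and WordPad
DOC_VIEWERS = {"winword.exe", "wordpad.exe"}
# Children the article describes further down the chain: the HTA host and PowerShell
SUSPICIOUS_CHILDREN = {"mshta.exe", "powershell.exe"}

# Constructed sample process-creation events using Sysmon-style field names
# (assumed; values are made up for this example, not taken from a real incident)
SAMPLE_EVENTS = [
    {"ProcessId": 1000, "ParentProcessId": 800,
     "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"ProcessId": 2000, "ParentProcessId": 1000,
     "Image": r"C:\Program Files\Windows NT\Accessories\wordpad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 3000, "ParentProcessId": 2000,
     "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Windows NT\Accessories\wordpad.exe"},
    {"ProcessId": 4000, "ParentProcessId": 3000,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe"},
    # Benign: an administrator starting PowerShell from the desktop
    {"ProcessId": 5000, "ParentProcessId": 1000,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Benign: Word spawning the print helper
    {"ProcessId": 6000, "ParentProcessId": 1000,
     "Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 7000, "ParentProcessId": 6000,
     "Image": r"C:\Windows\splwow64.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"},
]


def image_name(path):
    """Lower-cased file name of a Windows image path, so case and install folder do not matter."""
    return ntpath.basename(path).lower()


def build_index(events):
    """Map ProcessId -> event so ancestry can be walked.
    Assumes PIDs are not recycled inside the analysed window; on a long window,
    key on a process GUID instead."""
    return {ev["ProcessId"]: ev for ev in events}


def ancestry(event, index, max_depth=8):
    """Image names from the process up through its ancestors, nearest first."""
    chain = [image_name(event["Image"])]
    current = event
    for _ in range(max_depth):
        parent = index.get(current["ParentProcessId"])
        if parent is None:
            # Parent not in the window: fall back on the ParentImage recorded in the event
            chain.append(image_name(current.get("ParentImage", "")))
            break
        chain.append(image_name(parent["Image"]))
        current = parent
    return chain


def detect_document_spawned_scripting(events):
    """Alert on mshta.exe / powershell.exe with Word or WordPad anywhere in their ancestry."""
    index = build_index(events)
    alerts = []
    for ev in events:
        chain = ancestry(ev, index)
        if chain[0] in SUSPICIOUS_CHILDREN and any(a in DOC_VIEWERS for a in chain[1:]):
            alerts.append({"ProcessId": ev["ProcessId"],
                           "chain": " -> ".join(reversed(chain))})
    return alerts


if __name__ == "__main__":
    for alert in detect_document_spawned_scripting(SAMPLE_EVENTS):
        print(f"[ALERT] pid {alert['ProcessId']}: {alert['chain']}")
```

Run against the sample events, the detector flags only the two processes under wordpad.exe (mshta.exe and the PowerShell it launched) and ignores the administrator's PowerShell and Word's print helper. Walking the ancestry rather than checking the immediate parent is what keeps the PowerShell stage attributable to the document; in a production rule the same logic should also consider the 64-bit and Core PowerShell binaries and the WordPad path on older Windows versions.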
Finally
Although Microsoft's update is long overdue, many computers have still not installed the patch, so the vulnerability remains a threat.