{"id": "OPENVAS:1361412562310810786", "bulletinFamily": "scanner", "title": "Microsoft Office Suite Remote Code Execution Vulnerabilities (KB3172458)", "description": "This host is missing an important security\n update for Microsoft Office Suite according to Microsoft KB3172458", "published": "2017-05-10T00:00:00", "modified": "2019-05-03T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810786", "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "references": ["https://support.microsoft.com/en-us/help/3172458", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261"], "cvelist": ["CVE-2017-0262", "CVE-2017-0261"], "type": "openvas", "lastseen": "2019-05-29T18:34:36", "history": [{"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2017-0262", "CVE-2017-0261"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "This host is missing an important security\n update for Microsoft Office Suite according to Microsoft KB3172458", "edition": 6, "enchantments": {"dependencies": {"modified": "2019-05-06T14:30:56", "references": [{"idList": ["SMNTC-98279", "SMNTC-98104"], "type": "symantec"}, {"idList": ["CVE-2017-0262", "CVE-2017-0261"], "type": "cve"}, {"idList": ["TRENDMICROBLOG:278CA36BE7BE1D87941A99D03E2C3D5B"], "type": "trendmicroblog"}, {"idList": ["RAPID7COMMUNITY:70FFE7CD88D4CCE4994B4B417E2B4960"], "type": "rapid7community"}, {"idList": ["OPENVAS:1361412562310810787"], "type": "openvas"}, {"idList": ["THREATPOST:BAC3CD99B74F1D6CD22A123ED632AA3F", "THREATPOST:FC2B25371317ED019A81553465477089"], "type": "threatpost"}, {"idList": ["MYHACK58:62201786206"], "type": "myhack58"}, {"idList": ["QUALYSBLOG:2AFF0D4E01534CA4823F85B912170FD0"], "type": "qualysblog"}, {"idList": ["SECURELIST:75F0B75D28318C525992E42495D8C5EE", "SECURELIST:F845B38B54D0C8C027B3C2728E64B367", "SECURELIST:0C40BC07DFF80D4B158D166D0DC2C870"], "type": "securelist"}, {"idList": ["FIREEYE:AA5B50E5C593F4E6EFF300E3DE9EDB85", "FIREEYE:35D0439B3D476357F4D2F51F3D5CD294"], "type": "fireeye"}, {"idList": ["SSV:93116"], "type": "seebug"}, {"idList": ["SMB_NT_MS17_MAY_OFFICE.NASL"], "type": "nessus"}, {"idList": ["KLA11010"], "type": "kaspersky"}, {"idList": ["THN:35CDED923C2A70050CA53879EA860398"], "type": "thn"}]}, "score": {"value": 6.8, "vector": "NONE"}}, "hash": "d9e59764228a249afa512f32fb545ec60f11cd7c9ab61144f8df4d717f4fc330", "hashmap": [{"hash": "a2323bbbec1269474bb5afba0147298f", "key": "reporter"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "4ca6ad331c526397f05fa5e45fd019bc", "key": "description"}, {"hash": "251f7e82e99b45e17b6cf8e939e6b119", "key": "published"}, {"hash": "db71024efacc961fe05ae7115a86b4f3", "key": "cvelist"}, {"hash": "26462eef0f573c6efd6b620aa43317d5", "key": "title"}, {"hash": "c9898bc973bfffca5119f1a3bfa73a8d", "key": "naslFamily"}, {"hash": "7735046c566f2095074c87f22a84a6c5", "key": "pluginID"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "db56c9867bef52d8f4d8a23afbbbc07d", "key": "sourceData"}, {"hash": "230e4e681e068318529dcb757e27f9e7", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "028078cc329a16c7aadaf0e9df327bfc", "key": "modified"}, {"hash": "c46f28c93e5f40fb6da212e12667aa04", "key": "references"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810786", "id": "OPENVAS:1361412562310810786", "lastseen": "2019-05-06T14:30:56", "modified": "2019-05-03T00:00:00", "naslFamily": "Windows : Microsoft Bulletins", "objectVersion": "1.3", "pluginID": "1361412562310810786", "published": "2017-05-10T00:00:00", "references": ["https://support.microsoft.com/en-us/help/3172458", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261"], "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Office Suite Remote Code Execution Vulnerabilities (KB3172458)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810786\");\n script_version(\"2019-05-03T10:54:50+0000\");\n script_cve_id(\"CVE-2017-0261\", \"CVE-2017-0262\");\n script_bugtraq_id(98104, 98279);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 10:54:50 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-05-10 13:29:20 +0530 (Wed, 10 May 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Office Suite Remote Code Execution Vulnerabilities (KB3172458)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update for Microsoft Office Suite according to Microsoft KB3172458\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaws exist in Microsoft Office software\n when the software fails to properly handle objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to run arbitrary code in the context of the current user on an\n affected system.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Office 2013 Service Pack 1\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261\");\n script_xref(name:\"URL\", value:\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"MS/Office/Ver\");\n script_require_ports(139, 445);\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/3172458\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## MS Office\noffVer = get_kb_item(\"MS/Office/Ver\");\nif(!offVer){\n exit(0);\n}\n\npath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\",\n item:\"CommonFilesDir\");\nif(!path){\n exit(0);\n}\n\nif(offVer =~ \"^15\\..*\")\n{\n filePath = path + \"\\Microsoft Shared\\TextConv\";\n\n fileVer = fetch_file_version(sysPath:filePath, file_name:\"wpequ532.dll\");\n if(fileVer =~ \"^2012\")\n {\n if(version_in_range(version:fileVer, test_version:\"2012\", test_version2:\"2012.1500.4454.0999\"))\n {\n report = 'File checked: ' + filePath + \"\\wpequ532.dll\" + '\\n' +\n 'File version: ' + fileVer + '\\n' +\n 'Vulnerable range: ' + \"2012 - 2012.1500.4454.0999\" + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n }\n}\n", "title": "Microsoft Office Suite Remote Code Execution Vulnerabilities (KB3172458)", "type": "openvas", "viewCount": 2}, "differentElements": ["cvss"], "edition": 6, "lastseen": "2019-05-06T14:30:56"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2017-0262", "CVE-2017-0261"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "This host is missing an important security\n update for Microsoft Office Suite according to Microsoft KB3172458", "edition": 3, "enchantments": {"score": {"value": 6.8, "vector": "NONE"}}, "hash": "3daa0fb5c42c40e9da14ff655e9e4bcaa9a32680abfb5a50ff09d7a29fae71a9", "hashmap": [{"hash": "a2323bbbec1269474bb5afba0147298f", "key": "reporter"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "4ca6ad331c526397f05fa5e45fd019bc", "key": "description"}, {"hash": "251f7e82e99b45e17b6cf8e939e6b119", "key": "published"}, {"hash": "db71024efacc961fe05ae7115a86b4f3", "key": "cvelist"}, {"hash": "26462eef0f573c6efd6b620aa43317d5", "key": "title"}, {"hash": "c9898bc973bfffca5119f1a3bfa73a8d", "key": "naslFamily"}, {"hash": "7735046c566f2095074c87f22a84a6c5", "key": "pluginID"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "230e4e681e068318529dcb757e27f9e7", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "c13e627689eaabc5b896019f68ebc792", "key": "sourceData"}, {"hash": "251f7e82e99b45e17b6cf8e939e6b119", "key": "modified"}, {"hash": "c46f28c93e5f40fb6da212e12667aa04", "key": "references"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810786", "id": "OPENVAS:1361412562310810786", "lastseen": "2018-09-01T23:44:13", "modified": "2017-05-10T00:00:00", "naslFamily": "Windows : Microsoft Bulletins", "objectVersion": "1.3", "pluginID": "1361412562310810786", "published": "2017-05-10T00:00:00", "references": ["https://support.microsoft.com/en-us/help/3172458", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261"], "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_office_suite_kb3172458.nasl 6096 2017-05-10 15:16:10Z antu123 $\n#\n# Microsoft Office Suite Remote Code Execution Vulnerabilities (KB3172458)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810786\");\n script_version(\"$Revision: 6096 $\");\n script_cve_id(\"CVE-2017-0261\", \"CVE-2017-0262\");\n script_bugtraq_id(98104, 98279);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-05-10 17:16:10 +0200 (Wed, 10 May 2017) $\");\n script_tag(name:\"creation_date\", value:\"2017-05-10 13:29:20 +0530 (Wed, 10 May 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Office Suite Remote Code Execution Vulnerabilities (KB3172458)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update for Microsoft Office Suite according to Microsoft KB3172458\");\n\n script_tag(name:\"vuldetect\", value:\"Get the vulnerable file version and check\n appropriate patch is applied or not.\");\n\n script_tag(name:\"insight\", value:\"The flaws exist in Microsoft Office software\n when the software fails to properly handle objects in memory.\"); \n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to run arbitrary code in the context of the current user on an\n affected system.\n\n Impact Level: System/Application\");\n\n script_tag(name:\"affected\", value:\"Microsoft Office 2013 Service Pack 1\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the listed\n hotfixes or download and update mentioned hotfixes in the advisory from the\n below link,\n https://support.microsoft.com/en-us/help/3172458\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name : \"URL\" , value : \"https://support.microsoft.com/en-us/help/3172458\");\n script_xref(name : \"URL\" , value : \"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261\");\n script_xref(name : \"URL\" , value : \"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"MS/Office/Ver\");\n script_require_ports(139, 445);\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## Variable initialization\noffVer = \"\";\nfilePath = \"\";\nfileVer = \"\";\npath = \"\";\n\n## MS Office\noffVer = get_kb_item(\"MS/Office/Ver\");\nif(!offVer){\n exit(0);\n}\n\n## Get Office File Path\npath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\",\n item:\"CommonFilesDir\");\nif(!path){\n exit(0);\n}\n\nif(offVer =~ \"^(15)\\..*\")\n{\n filePath = path + \"\\Microsoft Shared\\TextConv\";\n\n fileVer = fetch_file_version(sysPath:filePath, file_name:\"wpequ532.dll\");\n if(fileVer =~ \"^(2012)\")\n {\n if(version_in_range(version:fileVer, test_version:\"2012\", test_version2:\"2012.1500.4454.0999\"))\n {\n report = 'File checked: ' + filePath + \"\\wpequ532.dll\" + '\\n' +\n 'File version: ' + fileVer + '\\n' +\n 'Vulnerable range: ' + \"2012 - 2012.1500.4454.0999\" + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n }\n}\n", "title": "Microsoft Office Suite Remote Code Execution Vulnerabilities (KB3172458)", "type": "openvas", "viewCount": 1}, "differentElements": ["modified", "sourceData"], "edition": 3, "lastseen": "2018-09-01T23:44:13"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2017-0262", "CVE-2017-0261"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "This host is missing an important security\n update for Microsoft Office Suite according to Microsoft KB3172458", "edition": 2, "enchantments": {"score": {"value": 6.8, "vector": "NONE"}}, "hash": "2f75063ad0a84b50fc9c9336cea4aaf3cb05db97e20644f2752f301d942a5ead", "hashmap": [{"hash": "a2323bbbec1269474bb5afba0147298f", "key": "reporter"}, {"hash": "4ca6ad331c526397f05fa5e45fd019bc", "key": "description"}, {"hash": "251f7e82e99b45e17b6cf8e939e6b119", "key": "published"}, {"hash": "db71024efacc961fe05ae7115a86b4f3", "key": "cvelist"}, {"hash": "26462eef0f573c6efd6b620aa43317d5", "key": "title"}, {"hash": "c9898bc973bfffca5119f1a3bfa73a8d", "key": "naslFamily"}, {"hash": "7735046c566f2095074c87f22a84a6c5", "key": "pluginID"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "230e4e681e068318529dcb757e27f9e7", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "c13e627689eaabc5b896019f68ebc792", "key": "sourceData"}, {"hash": "251f7e82e99b45e17b6cf8e939e6b119", "key": "modified"}, {"hash": "c46f28c93e5f40fb6da212e12667aa04", "key": "references"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810786", "id": "OPENVAS:1361412562310810786", "lastseen": "2018-08-30T19:20:10", "modified": "2017-05-10T00:00:00", "naslFamily": "Windows : Microsoft Bulletins", "objectVersion": "1.3", "pluginID": "1361412562310810786", "published": "2017-05-10T00:00:00", "references": ["https://support.microsoft.com/en-us/help/3172458", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261"], "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_office_suite_kb3172458.nasl 6096 2017-05-10 15:16:10Z antu123 $\n#\n# Microsoft Office Suite Remote Code Execution Vulnerabilities (KB3172458)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810786\");\n script_version(\"$Revision: 6096 $\");\n script_cve_id(\"CVE-2017-0261\", \"CVE-2017-0262\");\n script_bugtraq_id(98104, 98279);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-05-10 17:16:10 +0200 (Wed, 10 May 2017) $\");\n script_tag(name:\"creation_date\", value:\"2017-05-10 13:29:20 +0530 (Wed, 10 May 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Office Suite Remote Code Execution Vulnerabilities (KB3172458)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update for Microsoft Office Suite according to Microsoft KB3172458\");\n\n script_tag(name:\"vuldetect\", value:\"Get the vulnerable file version and check\n appropriate patch is applied or not.\");\n\n script_tag(name:\"insight\", value:\"The flaws exist in Microsoft Office software\n when the software fails to properly handle objects in memory.\"); \n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to run arbitrary code in the context of the current user on an\n affected system.\n\n Impact Level: System/Application\");\n\n script_tag(name:\"affected\", value:\"Microsoft Office 2013 Service Pack 1\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the listed\n hotfixes or download and update mentioned hotfixes in the advisory from the\n below link,\n https://support.microsoft.com/en-us/help/3172458\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name : \"URL\" , value : \"https://support.microsoft.com/en-us/help/3172458\");\n script_xref(name : \"URL\" , value : \"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261\");\n script_xref(name : \"URL\" , value : \"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"MS/Office/Ver\");\n script_require_ports(139, 445);\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## Variable initialization\noffVer = \"\";\nfilePath = \"\";\nfileVer = \"\";\npath = \"\";\n\n## MS Office\noffVer = get_kb_item(\"MS/Office/Ver\");\nif(!offVer){\n exit(0);\n}\n\n## Get Office File Path\npath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\",\n item:\"CommonFilesDir\");\nif(!path){\n exit(0);\n}\n\nif(offVer =~ \"^(15)\\..*\")\n{\n filePath = path + \"\\Microsoft Shared\\TextConv\";\n\n fileVer = fetch_file_version(sysPath:filePath, file_name:\"wpequ532.dll\");\n if(fileVer =~ \"^(2012)\")\n {\n if(version_in_range(version:fileVer, test_version:\"2012\", test_version2:\"2012.1500.4454.0999\"))\n {\n report = 'File checked: ' + filePath + \"\\wpequ532.dll\" + '\\n' +\n 'File version: ' + fileVer + '\\n' +\n 'Vulnerable range: ' + \"2012 - 2012.1500.4454.0999\" + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n }\n}\n", "title": "Microsoft Office Suite Remote Code Execution Vulnerabilities (KB3172458)", "type": "openvas", "viewCount": 1}, "differentElements": ["cvss"], "edition": 2, "lastseen": "2018-08-30T19:20:10"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2017-0262", "CVE-2017-0261"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "This host is missing an important security\n update for Microsoft Office Suite according to Microsoft KB3172458", "edition": 5, "enchantments": {"dependencies": {"modified": "2019-03-15T12:25:39", "references": [{"idList": ["SMNTC-98279", "SMNTC-98104"], "type": "symantec"}, {"idList": ["CVE-2017-0262", "CVE-2017-0261"], "type": "cve"}, {"idList": ["TRENDMICROBLOG:278CA36BE7BE1D87941A99D03E2C3D5B"], "type": "trendmicroblog"}, {"idList": ["RAPID7COMMUNITY:70FFE7CD88D4CCE4994B4B417E2B4960"], "type": "rapid7community"}, {"idList": ["OPENVAS:1361412562310810787"], "type": "openvas"}, {"idList": ["THREATPOST:BAC3CD99B74F1D6CD22A123ED632AA3F", "THREATPOST:FC2B25371317ED019A81553465477089"], "type": "threatpost"}, {"idList": ["MYHACK58:62201786206"], "type": "myhack58"}, {"idList": ["QUALYSBLOG:2AFF0D4E01534CA4823F85B912170FD0"], "type": "qualysblog"}, {"idList": ["SECURELIST:75F0B75D28318C525992E42495D8C5EE", "SECURELIST:F845B38B54D0C8C027B3C2728E64B367", "SECURELIST:0C40BC07DFF80D4B158D166D0DC2C870"], "type": "securelist"}, {"idList": ["FIREEYE:AA5B50E5C593F4E6EFF300E3DE9EDB85", "FIREEYE:35D0439B3D476357F4D2F51F3D5CD294"], "type": "fireeye"}, {"idList": ["SSV:93116"], "type": "seebug"}, {"idList": ["SMB_NT_MS17_MAY_OFFICE.NASL"], "type": "nessus"}, {"idList": ["KLA11010"], "type": "kaspersky"}, {"idList": ["THN:35CDED923C2A70050CA53879EA860398"], "type": "thn"}]}, "score": {"value": 6.8, "vector": "NONE"}}, "hash": "54cab22e7d10d071b2bf031bbfa47d387cd3c8bb1337ce64d5d15614c1f18355", "hashmap": [{"hash": "a2323bbbec1269474bb5afba0147298f", "key": "reporter"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "4ca6ad331c526397f05fa5e45fd019bc", "key": "description"}, {"hash": "30dbb78528bda757d55ac71f399e1a9c", "key": "modified"}, {"hash": "251f7e82e99b45e17b6cf8e939e6b119", "key": "published"}, {"hash": "db71024efacc961fe05ae7115a86b4f3", "key": "cvelist"}, {"hash": "26462eef0f573c6efd6b620aa43317d5", "key": "title"}, {"hash": "c9898bc973bfffca5119f1a3bfa73a8d", "key": "naslFamily"}, {"hash": "7735046c566f2095074c87f22a84a6c5", "key": "pluginID"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "230e4e681e068318529dcb757e27f9e7", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "c46f28c93e5f40fb6da212e12667aa04", "key": "references"}, {"hash": "c8e98174f4a2cda5f13875c9afd02ffb", "key": "sourceData"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810786", "id": "OPENVAS:1361412562310810786", "lastseen": "2019-03-15T12:25:39", "modified": "2019-03-14T00:00:00", "naslFamily": "Windows : Microsoft Bulletins", "objectVersion": "1.3", "pluginID": "1361412562310810786", "published": "2017-05-10T00:00:00", "references": ["https://support.microsoft.com/en-us/help/3172458", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261"], "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_office_suite_kb3172458.nasl 14175 2019-03-14 11:27:57Z cfischer $\n#\n# Microsoft Office Suite Remote Code Execution Vulnerabilities (KB3172458)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810786\");\n script_version(\"$Revision: 14175 $\");\n script_cve_id(\"CVE-2017-0261\", \"CVE-2017-0262\");\n script_bugtraq_id(98104, 98279);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-14 12:27:57 +0100 (Thu, 14 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-05-10 13:29:20 +0530 (Wed, 10 May 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Office Suite Remote Code Execution Vulnerabilities (KB3172458)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update for Microsoft Office Suite according to Microsoft KB3172458\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaws exist in Microsoft Office software\n when the software fails to properly handle objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to run arbitrary code in the context of the current user on an\n affected system.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Office 2013 Service Pack 1\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the listed\n hotfixes or download and update mentioned hotfixes in the advisory.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261\");\n script_xref(name:\"URL\", value:\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"MS/Office/Ver\");\n script_require_ports(139, 445);\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/3172458\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## MS Office\noffVer = get_kb_item(\"MS/Office/Ver\");\nif(!offVer){\n exit(0);\n}\n\npath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\",\n item:\"CommonFilesDir\");\nif(!path){\n exit(0);\n}\n\nif(offVer =~ \"^15\\..*\")\n{\n filePath = path + \"\\Microsoft Shared\\TextConv\";\n\n fileVer = fetch_file_version(sysPath:filePath, file_name:\"wpequ532.dll\");\n if(fileVer =~ \"^2012\")\n {\n if(version_in_range(version:fileVer, test_version:\"2012\", test_version2:\"2012.1500.4454.0999\"))\n {\n report = 'File checked: ' + filePath + \"\\wpequ532.dll\" + '\\n' +\n 'File version: ' + fileVer + '\\n' +\n 'Vulnerable range: ' + \"2012 - 2012.1500.4454.0999\" + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n }\n}\n", "title": "Microsoft Office Suite Remote Code Execution Vulnerabilities (KB3172458)", "type": "openvas", "viewCount": 1}, "differentElements": ["modified", "sourceData"], "edition": 5, "lastseen": "2019-03-15T12:25:39"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2017-0262", "CVE-2017-0261"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "This host is missing an important security\n update for Microsoft Office Suite according to Microsoft KB3172458", "edition": 4, "enchantments": {"dependencies": {"modified": "2018-10-11T12:35:18", "references": [{"idList": ["SMNTC-98279", "SMNTC-98104"], "type": "symantec"}, {"idList": ["CVE-2017-0262", "CVE-2017-0261"], "type": "cve"}, {"idList": ["TRENDMICROBLOG:278CA36BE7BE1D87941A99D03E2C3D5B"], "type": "trendmicroblog"}, {"idList": ["RAPID7COMMUNITY:70FFE7CD88D4CCE4994B4B417E2B4960"], "type": "rapid7community"}, {"idList": ["OPENVAS:1361412562310810787"], "type": "openvas"}, {"idList": ["THREATPOST:BAC3CD99B74F1D6CD22A123ED632AA3F", "THREATPOST:FC2B25371317ED019A81553465477089"], "type": "threatpost"}, {"idList": ["MYHACK58:62201786206"], "type": "myhack58"}, {"idList": ["QUALYSBLOG:2AFF0D4E01534CA4823F85B912170FD0"], "type": "qualysblog"}, {"idList": ["SECURELIST:75F0B75D28318C525992E42495D8C5EE", "SECURELIST:F845B38B54D0C8C027B3C2728E64B367", "SECURELIST:0C40BC07DFF80D4B158D166D0DC2C870"], "type": "securelist"}, {"idList": ["FIREEYE:AA5B50E5C593F4E6EFF300E3DE9EDB85", "FIREEYE:35D0439B3D476357F4D2F51F3D5CD294"], "type": "fireeye"}, {"idList": ["SSV:93116"], "type": "seebug"}, {"idList": ["SMB_NT_MS17_MAY_OFFICE.NASL"], "type": "nessus"}, {"idList": ["KLA11010"], "type": "kaspersky"}, {"idList": ["THN:35CDED923C2A70050CA53879EA860398"], "type": "thn"}]}, "score": {"value": 6.8, "vector": "NONE"}}, "hash": "e4c3ba7e7371f27b9660e5c154f45f6ed234d8c5c340dfe4f5ada161ded3743b", "hashmap": [{"hash": "addc217a4de1a55f8a95ca32a96a02a1", "key": "sourceData"}, {"hash": "a2323bbbec1269474bb5afba0147298f", "key": "reporter"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "4ca6ad331c526397f05fa5e45fd019bc", "key": "description"}, {"hash": "251f7e82e99b45e17b6cf8e939e6b119", "key": "published"}, {"hash": "db71024efacc961fe05ae7115a86b4f3", "key": "cvelist"}, {"hash": "26462eef0f573c6efd6b620aa43317d5", "key": "title"}, {"hash": "c9898bc973bfffca5119f1a3bfa73a8d", "key": "naslFamily"}, {"hash": "7735046c566f2095074c87f22a84a6c5", "key": "pluginID"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "230e4e681e068318529dcb757e27f9e7", "key": "href"}, {"hash": "9bd5dcfcb227d4b92eae337f2ff06a78", "key": "modified"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "c46f28c93e5f40fb6da212e12667aa04", "key": "references"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810786", "id": "OPENVAS:1361412562310810786", "lastseen": "2018-10-11T12:35:18", "modified": "2018-10-10T00:00:00", "naslFamily": "Windows : Microsoft Bulletins", "objectVersion": "1.3", "pluginID": "1361412562310810786", "published": "2017-05-10T00:00:00", "references": ["https://support.microsoft.com/en-us/help/3172458", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261"], "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_office_suite_kb3172458.nasl 11816 2018-10-10 10:42:56Z mmartin $\n#\n# Microsoft Office Suite Remote Code Execution Vulnerabilities (KB3172458)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810786\");\n script_version(\"$Revision: 11816 $\");\n script_cve_id(\"CVE-2017-0261\", \"CVE-2017-0262\");\n script_bugtraq_id(98104, 98279);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-10 12:42:56 +0200 (Wed, 10 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-05-10 13:29:20 +0530 (Wed, 10 May 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Office Suite Remote Code Execution Vulnerabilities (KB3172458)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update for Microsoft Office Suite according to Microsoft KB3172458\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaws exist in Microsoft Office software\n when the software fails to properly handle objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to run arbitrary code in the context of the current user on an\n affected system.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Office 2013 Service Pack 1\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the listed\n hotfixes or download and update mentioned hotfixes in the advisory \");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261\");\n script_xref(name:\"URL\", value:\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"MS/Office/Ver\");\n script_require_ports(139, 445);\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/3172458\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## MS Office\noffVer = get_kb_item(\"MS/Office/Ver\");\nif(!offVer){\n exit(0);\n}\n\npath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\",\n item:\"CommonFilesDir\");\nif(!path){\n exit(0);\n}\n\nif(offVer =~ \"^15\\..*\")\n{\n filePath = path + \"\\Microsoft Shared\\TextConv\";\n\n fileVer = fetch_file_version(sysPath:filePath, file_name:\"wpequ532.dll\");\n if(fileVer =~ \"^2012\")\n {\n if(version_in_range(version:fileVer, test_version:\"2012\", test_version2:\"2012.1500.4454.0999\"))\n {\n report = 'File checked: ' + filePath + \"\\wpequ532.dll\" + '\\n' +\n 'File version: ' + fileVer + '\\n' +\n 'Vulnerable range: ' + \"2012 - 2012.1500.4454.0999\" + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n }\n}\n", "title": "Microsoft Office Suite Remote Code Execution Vulnerabilities (KB3172458)", "type": "openvas", "viewCount": 1}, "differentElements": ["modified", "sourceData"], "edition": 4, "lastseen": "2018-10-11T12:35:18"}], "edition": 7, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "db71024efacc961fe05ae7115a86b4f3"}, {"key": "cvss", "hash": "d726e774add6189e33cf2ea0c61a2ba5"}, {"key": "description", "hash": "4ca6ad331c526397f05fa5e45fd019bc"}, {"key": "href", "hash": "230e4e681e068318529dcb757e27f9e7"}, {"key": "modified", "hash": "028078cc329a16c7aadaf0e9df327bfc"}, {"key": "naslFamily", "hash": "c9898bc973bfffca5119f1a3bfa73a8d"}, {"key": "pluginID", "hash": "7735046c566f2095074c87f22a84a6c5"}, {"key": "published", "hash": "251f7e82e99b45e17b6cf8e939e6b119"}, {"key": "references", "hash": "c46f28c93e5f40fb6da212e12667aa04"}, {"key": "reporter", "hash": "a2323bbbec1269474bb5afba0147298f"}, {"key": "sourceData", "hash": "db56c9867bef52d8f4d8a23afbbbc07d"}, {"key": "title", "hash": "26462eef0f573c6efd6b620aa43317d5"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}], "hash": "4e6e5a576dd13b5dacbbfdbccc2a06a01ca579e3bec984a129cb71f15f2ec3fe", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-0262", "CVE-2017-0261"]}, {"type": "symantec", "idList": ["SMNTC-98104", "SMNTC-98279"]}, {"type": "securelist", "idList": ["SECURELIST:0C40BC07DFF80D4B158D166D0DC2C870", "SECURELIST:F845B38B54D0C8C027B3C2728E64B367", "SECURELIST:75F0B75D28318C525992E42495D8C5EE"]}, {"type": "threatpost", "idList": ["THREATPOST:FC2B25371317ED019A81553465477089", "THREATPOST:BAC3CD99B74F1D6CD22A123ED632AA3F"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310810787"]}, {"type": "nessus", "idList": ["SMB_NT_MS17_MAY_OFFICE.NASL"]}, {"type": "myhack58", "idList": ["MYHACK58:62201786206"]}, {"type": "fireeye", "idList": ["FIREEYE:35D0439B3D476357F4D2F51F3D5CD294", "FIREEYE:AA5B50E5C593F4E6EFF300E3DE9EDB85"]}, {"type": "seebug", "idList": ["SSV:93116"]}, {"type": "kaspersky", "idList": ["KLA11010"]}, {"type": "thn", "idList": ["THN:35CDED923C2A70050CA53879EA860398"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:70FFE7CD88D4CCE4994B4B417E2B4960"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:2AFF0D4E01534CA4823F85B912170FD0"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:278CA36BE7BE1D87941A99D03E2C3D5B"]}], "modified": "2019-05-29T18:34:36"}, "score": {"value": 9.0, "vector": "NONE", "modified": "2019-05-29T18:34:36"}, "vulnersScore": 9.0}, "objectVersion": "1.3", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Office Suite Remote Code Execution Vulnerabilities (KB3172458)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810786\");\n script_version(\"2019-05-03T10:54:50+0000\");\n script_cve_id(\"CVE-2017-0261\", \"CVE-2017-0262\");\n script_bugtraq_id(98104, 98279);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 10:54:50 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-05-10 13:29:20 +0530 (Wed, 10 May 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Office Suite Remote Code Execution Vulnerabilities (KB3172458)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update for Microsoft Office Suite according to Microsoft KB3172458\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaws exist in Microsoft Office software\n when the software fails to properly handle objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to run arbitrary code in the context of the current user on an\n affected system.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Office 2013 Service Pack 1\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261\");\n script_xref(name:\"URL\", value:\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"MS/Office/Ver\");\n script_require_ports(139, 445);\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/3172458\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## MS Office\noffVer = get_kb_item(\"MS/Office/Ver\");\nif(!offVer){\n exit(0);\n}\n\npath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\",\n item:\"CommonFilesDir\");\nif(!path){\n exit(0);\n}\n\nif(offVer =~ \"^15\\..*\")\n{\n filePath = path + \"\\Microsoft Shared\\TextConv\";\n\n fileVer = fetch_file_version(sysPath:filePath, file_name:\"wpequ532.dll\");\n if(fileVer =~ \"^2012\")\n {\n if(version_in_range(version:fileVer, test_version:\"2012\", test_version2:\"2012.1500.4454.0999\"))\n {\n report = 'File checked: ' + filePath + \"\\wpequ532.dll\" + '\\n' +\n 'File version: ' + fileVer + '\\n' +\n 'Vulnerable range: ' + \"2012 - 2012.1500.4454.0999\" + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n }\n}\n", "naslFamily": "Windows : Microsoft Bulletins", "pluginID": "1361412562310810786", "scheme": null}

{"cve": [{"lastseen": "2019-05-29T18:16:45", "bulletinFamily": "NVD", "description": "Microsoft Office 2010 SP2, Office 2013 SP1, and Office 2016 allow a remote code execution vulnerability when the software fails to properly handle objects in memory, aka \"Office Remote Code Execution Vulnerability\". This CVE ID is unique from CVE-2017-0261 and CVE-2017-0281.", "modified": "2017-05-23T19:52:00", "id": "CVE-2017-0262", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0262", "published": "2017-05-12T14:29:00", "title": "CVE-2017-0262", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:16:45", "bulletinFamily": "NVD", "description": "Microsoft Office 2010 SP2, Office 2013 SP1, and Office 2016 allow a remote code execution vulnerability when the software fails to properly handle objects in memory, aka \"Office Remote Code Execution Vulnerability\". This CVE ID is unique from CVE-2017-0262 and CVE-2017-0281.", "modified": "2017-07-08T01:29:00", "id": "CVE-2017-0261", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0261", "published": "2017-05-12T14:29:00", "title": "CVE-2017-0261", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "symantec": [{"lastseen": "2018-03-13T12:07:53", "bulletinFamily": "software", "description": "### Description\n\nMicrosoft Office is prone to a remote code-execution vulnerability. An attacker can leverage this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions.\n\n### Technologies Affected\n\n * Microsoft Office 2010 Service Pack 2 (32-bit editions) \n * Microsoft Office 2010 Service Pack 2 (64-bit editions) \n * Microsoft Office 2013 Service Pack 1 (32-bit editions) \n * Microsoft Office 2013 Service Pack 1 (64-bit editions) \n * Microsoft Office 2016 (32-bit edition) \n * Microsoft Office 2016 (64-bit edition) \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nFilter access to the affected computer at the network boundary if global access isn't required. Restricting access to only trusted computers and networks might greatly reduce the likelihood of exploits.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for anomalous or suspicious activity. Monitor logs generated by NIDS and by the server itself for evidence of attacks against the server. \n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.\n\n**Permit privileged access for trusted individuals only.** \nPermitting access to vulnerable applications for trusted individuals only can reduce the risk of an exploit.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2017-05-09T00:00:00", "published": "2017-05-09T00:00:00", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/98104", "id": "SMNTC-98104", "title": "Microsoft Office CVE-2017-0261 Remote Code Execution Vulnerability", "type": "symantec", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-12T02:29:20", "bulletinFamily": "software", "description": "### Description\n\nMicrosoft Office is prone to a remote code-execution vulnerability. An attacker can leverage this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions.\n\n### Technologies Affected\n\n * Microsoft Office 2010 Service Pack 2 (32-bit editions) \n * Microsoft Office 2010 Service Pack 2 (64-bit editions) \n * Microsoft Office 2013 RT Service Pack 1 \n * Microsoft Office 2013 Service Pack 1 (32-bit editions) \n * Microsoft Office 2013 Service Pack 1 (64-bit editions) \n * Microsoft Office 2016 (32-bit edition) \n * Microsoft Office 2016 (64-bit edition) \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nFilter access to the affected computer at the network boundary if global access isn't required. Restricting access to only trusted computers and networks might greatly reduce the likelihood of exploits.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for anomalous or suspicious activity. Monitor logs generated by NIDS and by the server itself for evidence of attacks against the server. \n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.\n\n**Permit privileged access for trusted individuals only.** \nPermitting access to vulnerable applications for trusted individuals only can reduce the risk of an exploit.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2017-05-09T00:00:00", "published": "2017-05-09T00:00:00", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/98279", "id": "SMNTC-98279", "title": "Microsoft Office CVE-2017-0262 Remote Code Execution Vulnerability", "type": "symantec", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "threatpost": [{"lastseen": "2018-10-06T22:53:43", "bulletinFamily": "info", "description": "Microsoft patched three zero day vulnerabilities actively under attack today as part of its [May Patch Tuesday release](<https://technet.microsoft.com/en-us/security/advisories>).\n\n[Researchers](<https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html>) with FireEye who uncovered the three vulnerabilities said the bugs were actively being exploited by threat actors Turla and APT28.\n\nTwo of the zero day vulnerabilities ([CVE-2017-0261](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0261>) and [CVE-2017-0262](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262>)) were remote code execution (RCE) bugs related to how Microsoft\u2019s Office suite handled Encapsulated PostScript (EPS). FireEye said the third zero day vulnerability was tied to Windows and is an escalation of privilege vulnerability ([CVE-2017-0263](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0263>)).\n\nAccording to security experts the RCE bugs could be triggered by simply viewing a malicious image in any number of Microsoft Office applications. The elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, according to Microsoft.\n\n\u201cAn attacker who successfully exploited this vulnerability (CVE-2017-0263) could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,\u201d Microsoft said.\n\nIn total, Microsoft released patches for 55 unique CVEs for Internet Explorer, Edge, Office, Windows and the .NET Framework as part of its May Patch Tuesday release. Fourteen of vulnerabilities were rated critical.\n\n\u201cThe use of zero-day exploits by Turla Group and APT28 underscores their capacity to apply technically sophisticated and costly methods when necessary,\u201d said Ben Read, a cyber espionage analyst with FireEye who co-authored the blog.\n\n\u201cAPT28\u2019s use of two zero days ([CVE-2017-0262](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262>) and [CVE-2017-0263](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0263>)) continues to demonstrate they are a very capable actor. Some of the talk about them doing less technically sophisticated credential theft, shows they can bring the fast ball when they need to against a harder target,\u201d Read said in an interview with Threatpost.\n\nHe added that CVE-2017-0261 is being used by both a nation state (Turla) and an unidentified financially motivated group. This, he said, illustrated a dynamic vulnerability market where both nation states and criminals are buying from the same vendors.\n\nIn April, researchers at Kaspersky Lab said there was a link between [Moonlight Maze cyberespionage operation of the mid- and late-1990s](<https://threatpost.com/russian-speaking-turla-joins-apt-elite/124695/>) and the modern-day [Turla APT](<https://threatpost.com/agent-btz-malware-may-have-served-as-starting-point-for-red-october-turla/104735/>). The malware hides on infected systems, steals data and sends it off to a remote server, much like other cyber espionage tools. In December, the Federal Bureau of Investigation and the US Department of Homeland Security implicated hacking group APT28 (also known as Fancy Bear and Sofacy) in attacks [against several election-related targets](<https://threatpost.com/fbi-dhs-report-links-fancy-bear-to-election-hacks/122802/>).\n\nThe three zero day vulnerabilities come on the [heels of Microsoft issuing an emergency out-of-band patch](<https://threatpost.com/emergency-update-patches-zero-day-in-microsoft-malware-protection-engine/125529/>) for a zero day reported by Google Project Zero in Microsoft\u2019s Malware Protection Engine on Monday.\n\nAlso part of Patch Tuesday were updates to Microsoft Edge and Internet Explorer 11 to [block sites that are protected with a SHA-1 certificate](<https://technet.microsoft.com/library/security/4010323>) from loading and to display an invalid certificate warning.\n\n\u201cThis change will only impact SHA-1 certificates that chain to a root in the Microsoft Trusted Root Program where the end-entity certificate or the issuing intermediate uses SHA-1. Enterprise or self-signed SHA-1 certificates will not be impacted, although we recommend that all customers quickly migrate to SHA-2 based certificates,\u201d Microsoft wrote.\n\nFor the past couple of years, browser makers have raced to [migrate from SHA-1 to SHA-2 as](<https://threatpost.com/sha-1-end-times-have-arrived/123061/>) researchers have intensified warnings about collision attacks moving from theoretical to practical. Browser makers Google and Mozilla have already begun the deprecation of SHA-1.\n\nThe Microsoft updates follow in the footsteps of Adobe, who earlier in the day released a surprisingly small update, [patching just eight vulnerabilities](<https://threatpost.com/adobe-patches-seven-critical-vulnerabilities-in-flash-aem/125539/>).\n", "modified": "2017-05-17T13:04:46", "published": "2017-05-09T17:16:48", "id": "THREATPOST:FC2B25371317ED019A81553465477089", "href": "https://threatpost.com/microsoft-plugs-three-zero-day-holes-as-part-of-may-patch-tuesday/125544/", "type": "threatpost", "title": "Microsoft Plugs Three Zero Day Holes as Part of May Patch Tuesday", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:18", "bulletinFamily": "info", "description": "Attackers behind advanced persistent threat campaigns have kept busy over the past several months, adding new ways to bypass detection, crafting new payloads to drop, and identifying new zero days and backdoors to help them infect users and maintain persistence on machines.\n\nJuan Andres Guerrero-Saade and Brian Bartholomew, members of Kaspersky Lab\u2019s [Global Research and Analysis Team,](<https://securelist.com/apt-trends-report-q2-2017/79332/>) described some of tactics the researchers have seen in Q2 2017 in [a webinar](<https://www.brighttalk.com/webcast/15591/273279>) Tuesday morning. The company used the webinar and [the quarterly report it was based on](<https://securelist.com/apt-trends-report-q2-2017/79332/>) to help pull back the veil on threats previously covered by its private intelligence reporting service.\n\nA chunk of the presentation was spent recapping tweaks recently made by Russian-speaking groups Sofacy and Turla.\n\nSofacy, the group implicated by a December [DHS report](<https://threatpost.com/fbi-dhs-report-links-fancy-bear-to-election-hacks/122802/>) to election hacks, began using two new macro techniques in April. One abused Windows\u2019 certutil utility to extract payloads\u2014the first time the researchers had seen that technique used\u2014another embedded payloads in the EXIF metadata of malicious Office documents.\n\n\u201cAfter we started digging into this we found that they were actually using this technique dating back to December 2016,\u201d Bartholomew said, adding that what made the techniques interesting is that they were used to target French political party members prior to the French election on April 23 and May 7.\n\nIn June, the researchers noticed that Sofacy had updated a payload, written in Delphi, called Zebrocy. The new iteration, version 5.1 of Zebrocy, implemented new encryption keys and minor string obfuscations, something which helps it bypass detection capabilities, Bartholomew said.\n\nBartholomew said the researchers were able to tie Zebrocy to Sofacy in mid-2016.\n\n\u201cThere were some infrastructure ties there,\u201d Bartholomew said, \u201cThere was also another payload called Delphocy that was also written in Delphi. In late 2015 we started seeing Delphi payloads pop up from this group, which we hadn\u2019t seen before. We don\u2019t know why that\u2019s the case, it could be that they hired a developer who just refuses to write anything but Delphi. Either way, once Zebrocy was discovered, it was found in parallel to another Sofacy infection, once we started digging into it there was a little bit of shared code in the Delphi\u2014compared to the other Delphocy payload\u2014and ties to the infrastructure to Sofacy.\u201d\n\nEarlier this spring researchers said they were able to make a potential link between Turla, the APT [linked to Moonlight Maze at SAS](<http://the APT linked to Moonlight Maze at SAS earlier this year>) earlier this year, and Sofacy. Like Sofacy was doing around the same time, Turla was spotted using an EPS zero day (CVE-2017-0261) to target foreign ministries and governments.\n\n\u201cWhat\u2019s interesting about that is that it may actually indicate a shared supply chain between Turla and Sofacy,\u201d Bartholomew said.\n\nBartholomew also took time on Tuesday to discuss BlackOasis, a Middle Eastern-speaking group that\u2019s believed to be a client of Gamma Group, the UK-based firm that specializes in surveillance and monitoring equipment, such as FinFisher.\n\nHe claims the group, which he\u2019s spent the better chunk of a year and a half researching, has been spotted using several zero days in the past, including CVE-2016-4117, CVE-2016-0984, and CVE-2015-5119. Bartholomew says that what makes it interesting is that the group was the first seen using CVE-2017-0199, an OLE2Link zero-day, in the wild before it was detected. The exploit\u2019s end payload, he adds, is a new variant of FinSpy heavily fortified to prevent analysis by researchers.\n\n\u201cWe\u2019re currently trying to look into that, write some decryptors for it and will probably write another report on that in the next couple of months,\u201d Bartholomew said.\n\nCiting their technical sophistication and development, Guerrero-Saade was eager to discuss a crop of English speaking APT actors, including those behind an Equation Group backdoor, EQUATIONVECTOR. While the backdoor has been around since 2006, Guerrero-Saade said what makes it interesting is the fact that it\u2019s the first example of a NOBUS\u2014NObody But US backdoor\u2014they\u2019ve seen in the wild. The backdoor, a passive and active staging backdoor, could be used to execute shellcode payloads, according to the researcher.\n\nAnother backdoor, Gray Lambert\u2014an extension of the [Lamberts APT](<https://threatpost.com/tools-used-by-lamberts-apt-found-in-vault-7-dumps/124900/>) group\u2014is much more modern implementation, Guerrero-Saade said. It waits, sleeps, and sniffs the network until it\u2019s ready to be used.\n\n\u201cWhat makes this NOBUS backdoor particularly interesting is that it provides attackers with a sort of surgical precision over a network of multiple infected machines,\u201d Guerrero-Saade said. \u201cWith Gray Lambert installed on these machines [attackers] can essentially decide how they\u2019re going to space their payloads, their commands and attacks.\u201d\n\nThe researchers suggest that users should expect more of the same tactics, techniques, and procedures (TTPs) from APT groups going forward. It\u2019s likely countries that have upcoming elections, Germany and Norway for example, will become targets for misinformation campaigns like the one mounted by the Sofacy group. Controversial lawful surveillance tools, like those peddled by the Gamma Group to BlackOasis and those sold by the [NSO Group to the Mexican government](<https://threatpost.com/mexican-journalists-lawyers-focus-of-government-spyware/126367/>), will remain popular as well, Guerrero-Saade and Bartholomew said.\n\nThe trend of destructive malware disguised as ransomware will likely continue as well, Guerrero-Saade says, but admits it\u2019s a curious question whether or not the technique will ever be embraced by cybercriminals.\n\n\u201cWe\u2019ve been talking about incompetent people entering the ransomware space for a quite some time now,\u201d Guerrero-Saade said, \u201cWe\u2019re going to see people who are poor coders and won\u2019t even bother to buy an already prepared kit, just essentially trying to leverage something that deletes all the files, or doesn\u2019t do anything but tries to get money out of na\u00efve or unsuspecting victims. The notion of wipers as ransomware is quite different. It\u2019s an interesting phenomenon.\u201d\n\n\u201cSabotage attacks and wiper attacks are a strange occurrence, they don\u2019t happen that often. I think over the past 10 years we\u2019ve looked at 10 cases tops. They\u2019re very rare components. For the most part I think it has to do with the level of access that you\u2019re burning whenever you use them,\u201d Guerrero-Saade said, \u201cIf you\u2019re a cyberespionage actor, if you have access to a network at that point, a Sony or Saudi Aramco, where you can target thousands of machines, the idea of burning that loudly, raising the security profile of the organization as a whole and creating public fallout is extremely costly. It\u2019s a strange circumstance where the calculus pays off.\u201d\n\nWhile it may not be a popular technique for cybercriminals on a lower level, Guerrero-Saade said, it\u2019s not out of the realm of possibility for APT gangs to continue to use the vector to create havoc.\n\n\u201cLet\u2019s say we have all the means for a sabotage attack and we want to disguise it as ransomware or as something potentially treatable, it\u2019s not necessarily that different from what the Lazarus Group did with Sony, or some other South Korean targets, where first they asked for money and then dumped data anyways. It\u2019s an evolution that\u2019s particularly troubling,\u201d Guerrero-Saade said.\n", "modified": "2017-08-22T12:54:04", "published": "2017-08-08T16:34:08", "id": "THREATPOST:BAC3CD99B74F1D6CD22A123ED632AA3F", "href": "https://threatpost.com/updates-to-sofacy-turla-highlight-2017-q2-apt-activity/127297/", "type": "threatpost", "title": "Updates to Sofacy, Turla Highlight 2017 Q2 APT Activity", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securelist": [{"lastseen": "2017-08-17T12:15:14", "bulletinFamily": "blog", "description": "\n\n## Q2 figures\n\nAccording to KSN data, Kaspersky Lab solutions detected and repelled 342, 566, 061 malicious attacks from online resources located in 191 countries all over the world.\n\n33, 006, 783 unique URLs were recognized as malicious by web antivirus components.\n\nAttempted infections by malware that aims to steal money via online access to bank accounts were registered on 224, 675 user computers.\n\nCrypto ransomware attacks were blocked on 246, 675 computers of unique users.\n\nKaspersky Lab's file antivirus detected a total of 185, 801, 835 unique malicious and potentially unwanted objects.\n\nKaspersky Lab mobile security products detected:\n\n * 1, 319, 148 malicious installation packages;\n * 28, 976 mobile banker Trojans (installation packages);\n * 200, 054 mobile ransomware Trojans (installation packages).\n\n## Mobile threats\n\n### Q2 events\n\n#### SMS spam\n\nAs [we wrote](<https://securelist.com/it-threat-evolution-q1-2017-statistics/78475/>) in the previous quarter, fraudsters had begun to actively use the Trojan-Banker.AndroidOS.Asacub mobile [banker](<https://securelist.com/threats/banker-trojan-banker-glossary/?utm_source=securelist&utm_medium=blog>), distributing it via SMS spam. At the end of Q2, we detected a much larger campaign to spread it: in June, there were three times as many attacked users as in April, and judging by the first week of July, this growth continues.\n\n[](<https://securelist.com/files/2017/08/Users_Attacked_by_TrojanBanker_Q2_2017_EN.jpg>)\n\nThe number of unique users attacked by Trojan-Banker.AndroidOS.Asacub in Q2 2017\n\n#### Revamped ZTorg\n\nYet another interesting theme discussed in our report for the first quarter of 2017 remained relevant in Q2: the attackers continued to upload to Google Play new applications with the malicious Ztorg module. Interestingly, in the second quarter, we registered the cases of uploading additional Ztrog modules, not just the main ones. For example, we found the Trojan that could install and even buy apps on Google Play. We also discovered [Trojan-SMS.AndroidOS.Ztorg.a](<https://securelist.com/ztorg-from-rooting-to-sms/78775/>), which could send paid SMS.\n\nOf note is the fact that unlike the main Ztrog module, neither of the two malware samples attempted to exploit system [vulnerabilities](<https://securelist.com/threats/vulnerability-glossary/?utm_source=securelist&utm_medium=blog>) to obtain root privileges. [To recap, Trojan.AndroidOS.Ztorg](<https://securelist.com/ztorg-money-for-infecting-your-smartphone/78325/>) tries to get root privileges to display ads and secretly install new applications, including additional modules mentioned above.\n\n#### Meet the new Trojan - Dvmap\n\nIn April 2017 we [discovered a new rooting malware](<https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/>) distributed via the official Google Play Store \u2014 Trojan.AndroidOS.Dvmap.a. Dvmap is very special rooting malware: it modifies system libraries. The Trojan exploits system vulnerabilities to obtain root privileges, and then injects its malicious code into the system library.\n\n#### WAP billing subscriptions\n\nIn the second quarter of 2017, we registered an increase in the activity of Trojans designed to steal user money utilizing the mechanism of [paid subscriptions](<https://en.wikipedia.org/wiki/WAP_billing>) (two years ago we wrote about [similar attacks](<https://securelist.com/sms-trojan-bypasses-captcha/69169/>)). To recap, the services of paid subscriptions are special sites that allow users to pay for services by deducting a certain amount of money from their phone accounts. Before getting the service, the client is redirected to the site of the cellular service provider, where he is asked to confirm his operation. The provider may also use SMS to confirm the payment. The Trojans have learned to bypass these restrictions: without user's awareness they click on forms of confirmation, using special JS files. In addition, the Trojans can hide messages from the cellular service provider from the user.\n\nWe have discovered that in some cases after the infection, Trojan Ztorg can install additional modules with this functionality. Meanwhile the Trojan-Clicker.AndroidOS.Xafekopy family is capable of attacking such services in India and Russia, using JS files similar to those used by Ztrog.\n\nTwo malware samples from our Top 20 Trojan programs most popular in Q2 2017 were also attacking WAP subscriptions. They are Trojan-Clicker.AndroidOS.Autosus.a and Trojan-Dropper.AndroidOS.Agent.hb. Moreover, the most popular Trojans of the quarter detected by our machine learning-based system were also malicious programs utilizing mobile subscriptions.\n\n### Mobile threat statistics\n\nIn the second quarter of 2017, Kaspersky Lab detected 1,319, 148 malicious installation packages, which is almost as many as in two previous quarters.\n\n[](<https://securelist.com/files/2017/08/Number_of_detected_distr_.png>)\n\nNumber of detected malicious installation packages (Q3 2016 \u2013 Q2 2017)\n\n#### Distribution of mobile malware by type\n\n[](<https://securelist.com/files/2017/08/Types_of_new_detected_mob_EN.jpg>)\n\nDistribution of new mobile malware by type (Q1 and Q2 2017)\n\nIn Q2 2017, the biggest growth was demonstrated by Adware (13.31%) \u2013 its share increased by 5.99% p.p. The majority of all discovered installation packages are detected as AdWare.AndroidOS.Ewind.iz and AdWare.AndroidOS.Agent.n.\n\nTrojan-SMS malware (6.83%) ranked second in terms of the growth rate: its contribution increased by 2.15 percentage points. Most of detected installation packages belonged to the Trojan-SMS.AndroidOS.Opfake.bo and Trojan-SMS.AndroidOS.FakeInst.a families, which percentage grew more than three-fold from the previous quarter.\n\nThe biggest decline was demonstrated by Trojan-Spy (3.88%). To recap, the growth rate of this type of malware were one of the highest in Q1 2017. This was caused by the increase in the number malicious programs belonging to the [Trojan-Spy.AndroidOS.SmForw](<https://threats.kaspersky.com/en/threat/Trojan-Spy.AndroidOS.SmForw>) and [Trojan-Spy.AndroidOS.SmsThief](<https://threats.kaspersky.com/en/threat/Trojan-Spy.AndroidOS.SmsThief>) families.\n\nThe contribution of Trojan-Ransom programs, which had come first in terms of the growth rate in the first quarter of 2017, dropped by 2.55 p.p. and accounted for 15.09% in Q2.\n\n### TOP 20 mobile malware programs\n\n_Please note that this rating of malicious programs does not include potentially dangerous or unwanted programs such as RiskTool or adware._\n\n1 | DangerousObject.Multi.Generic | 62.27% \n---|---|--- \n2 | Trojan.AndroidOS.Boogr.gsh | 15.46% \n3 | Trojan.AndroidOS.Hiddad.an | 4.20% \n4 | Trojan-Dropper.AndroidOS.Hqwar.i | 3.59% \n5 | Backdoor.AndroidOS.Ztorg.c | 3.41% \n6 | Trojan-Dropper.AndroidOS.Agent.hb | 3.16% \n7 | Backdoor.AndroidOS.Ztorg.a | 3.09% \n8 | Trojan.AndroidOS.Sivu.c | 2.78% \n9 | Trojan-Dropper.AndroidOS.Lezok.b | 2.30% \n10 | Trojan.AndroidOS.Ztorg.ag | 2.09% \n11 | Trojan-Clicker.AndroidOS.Autosus.a | 2.08% \n12 | Trojan.AndroidOS.Hiddad.pac | 2.08% \n13 | Trojan.AndroidOS.Ztorg.aa | 1.74% \n14 | Trojan.AndroidOS.Agent.bw | 1.67% \n15 | Trojan.AndroidOS.Agent.gp | 1.54% \n16 | Trojan.AndroidOS.Hiddad.ao | 1.51% \n17 | Trojan-Banker.AndroidOS.Svpeng.q | 1.49% \n18 | Trojan.AndroidOS.Agent.ou | 1.39% \n19 | Trojan.AndroidOS.Loki.d | 1.38% \n20 | Trojan.AndroidOS.Agent.eb | 1.32% \n \n_* Percentage of unique users attacked by the malware in question, relative to all users of Kaspersky Lab's mobile security product that were attacked._\n\nFirst place was occupied by DangerousObject.Multi.Generic (62.27%), the verdict used for malicious programs detected using cloud technologies. Cloud technologies work when the antivirus database contains neither the signatures nor heuristics to detect a malicious program, but the cloud of the antivirus company already contains information about the object. This is basically how the very latest malware is detected.\n\nSecond came Trojan.AndroidOS.Boogr.gsh (15.46%). Such verdict is issued for files recognized as malicious by our system based on machine learning. The share of this verdict increased nearly threefold from the previous quarter which allowed it to move up from third to second place. In Q2 2017, this system most often detected Trojans which subscribed users to paid services as well as advertising Trojans which used superuser privileges.\n\nTrojan.AndroidOS.Hiddad.an (4.20%) was third. This piece of malware imitates different popular games or programs. Interestingly, once run, it downloads and installs the application it imitated. In this case, the Trojan requests administrator rights to combat its removal. The main purpose of Trojan.AndroidOS.Hiddad.an is aggressive display of adverts, its main \"audience\" is in Russia. In the previous quarter it occupied second position.\n\nTrojan-Dropper.AndroidOS.Hqwar.i (3.59%), the verdict used for the Trojans protected by a certain packer/obfuscator climbed from eighth to fourth position in the ranking. In most cases, this name hides the representatives of the [FakeToken](<https://threats.kaspersky.com/ru/threat/Trojan-Banker.AndroidOS.Faketoken>) and [Svpeng](<https://securelist.ru/grabitel-s-ruchny-m-upravleniem/3290/>) mobile banking families.\n\nOn fifth position was Trojan Backdoor.AndroidOS.Ztorg.c., one of the most active advertising Trojans which uses superuser rights. In the second quarter of 2017, our TOP 20 included eleven Trojans (highlighted in blue in the table) which tried to obtain or use root rights and which exploited advertising as the main means of monetization. Their goal is to deliver ads to the user more aggressively, applying (among other methods) hidden installation of new advertising programs. At the same time, superuser privileges help them \"hide\" in the system folder, thus making it very difficult to remove them. Of note is the fact that the number of such type of malware in the TOP 20 has been decreasing recently (in Q1 2017, there were fourteen Trojans of such type in the ranking).\n\nTrojan-Dropper.AndroidOS.Agent.hb (3.16%) was sixth in the ranking. It is a complex modular Trojan, which main malicious part should be downloaded from the server of cybercriminals. We can assume that this Trojan is designed to steal money through paid subscriptions.\n\nEleventh place is occupied by Trojan-Clicker.AndroidOS.Autosus.a (2.08%) which main task is the activation of paid subscriptions. To do this, it \"clicks\" on the buttons in web catalogs of subscriptions, as well as hides incoming SMS with the information about them.\n\nTrojan.AndroidOS.Agent.bw was fourteenth in the rating (1.67%). This Trojan, targeting primarily people in India (more than 92% of attacked users), just like Trojan.AndroidOS.Hiddad.an imitates popular programs and games, and once run, downloads and installs various applications from the fraudsters' server.\n\nFifteenth came Trojan.AndroidOS.Agent.gp (1.54%), which steals user money making paid calls. Due to the use of administrator rights, it counteracts attempts to remove it from an infected device.\n\nThe ranking also included Trojan-Banker.AndroidOS.Svpeng (1.49%), which was seventeenth in the Top 20. This family has been active for three quarters in a row and remains the most popular banking Trojan in Q2 of 2017.\n\n### The geography of mobile threats\n\n[](<https://securelist.com/files/2017/08/Map_Mobile_Malware_Infections_.jpg>)\n\nThe geography of attempted mobile malware infections in Q2 2017 (percentage of all users attacked)\n\nTOP 10 countries attacked by mobile malware (ranked by percentage of users attacked)\n\n| **Country*** | **% ****of users attacked **** \n---|---|--- \n1 | Iran | 44.78% \n2 | China | 31.49% \n3 | Bangladesh | 27.10% \n4 | Indonesia | 26.12% \n5 | Algeria | 25.22% \n6 | Nigeria | 24.81% \n7 | India | 24.53% \n8 | C\u00f4te d'Ivoire | 24.31% \n9 | Ghana | 23.20% \n10 | Kenya | 22.85% \n \n_* We eliminated countries from this rating where the number of users of Kaspersky Lab's mobile security product is relatively low (under 10,000). \n** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab's mobile security product in the country._\n\nAs in the previous quarter, in Q2 2017 Iran was the country with the highest percentage of users attacked by mobile malware \u2013 44.78%. China came second: 31.49% of users there encountered a mobile threat at least once during the quarter. It was followed by Bangladesh (27.10%).\n\nRussia (12.10%) came 26th in Q2 of 2017 (vs 40th place in the previous quarter), France (6.04%) 58th, the US (4.5%) 71st, Italy (5.7%) 62nd, Germany (4.8%) 67th, Great Britain (4.3%) 73rd.\n\nThe safest countries were Denmark (2.7%), Finland (2.6%) and Japan (1.3%).\n\n### Mobile banking Trojans\n\nOver the reporting period, we detected 28, 976 installation packages for mobile banking Trojans, which is 1.1 times less than in Q1 2017. \n\n\n[](<https://securelist.com/files/2017/08/Number_of_detected_bank_ransomware_.png>)\n\nNumber of installation packages for mobile banking Trojans detected by Kaspersky Lab solutions (Q3 2016 \u2013 Q2 2017)\n\nTrojan-Banker.AndroidOS.Svpeng.q remained the most popular mobile banking Trojan for several quarters in a row. [This family](<https://securelist.com/good-morning-android/75731/>) of mobile banking Trojans uses phishing windows to steal credit card data and logins and passwords from online banking accounts. In addition, fraudsters steal money via SMS services, including mobile banking.\n\nSvpeng is followed by Trojan-Banker.AndroidOS.Hqwar.jck and Trojan-Banker.AndroidOS.Asacub.af. It is worth noting that most of users attacked by these three banking Trojans were in Russia.\n\n[](<https://securelist.com/files/2017/08/Map_Mobile_Bank_malware_.jpg>)\n\nGeography of mobile banking threats in Q2 2017 (percentage of all users attacked)\n\nTOP 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked)\n\n| **Country******* | **% ****of users attacked******** \n---|---|--- \n1 | Russia | 1.63% \n2 | Australia | 0.81% \n3 | Turkey | 0.81% \n4 | Tajikistan | 0.44% \n5 | Uzbekistan | 0.44% \n6 | Ukraine | 0.41% \n7 | Latvia | 0.38% \n8 | Kyrgryzstan | 0.34% \n9 | Moldova | 0.34% \n10 | Kazakhstan | 0.32% \n \n_* We eliminated countries from this rating where the number of users of Kaspersky Lab's mobile security product is relatively low (under 10,000). \n** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab's mobile security product in the country._\n\nIn Q2 2017, the TOP 10 countries attacked by mobile banker Trojans remained practically unchanged: Russia (1.63%) topped the ranking again. In second place was Australia (0.81%), where the [Trojan-Banker.AndroidOS.Acecard](<https://securelist.com/the-evolution-of-acecard/73777/>) and [Trojan-Banker.AndroidOS.Marcher](<https://threats.kaspersky.com/en/threat/Trojan-Banker.AndroidOS.Marcher>) families were the most popular threats. Turkey (0.81%) rounded off the Top 3.\n\n### Mobile Ransomware\n\nIn Q2 2017, we detected 200, 054 mobile Trojan-Ransomware installation packages which is much more than in the fourth quarter of 2016.\n\n[](<https://securelist.com/files/2017/08/Number_of_detected_mob_ransomware_.png>)\n\nNumber of mobile Trojan-Ransomware installation packages detected by Kaspersky Lab (Q3 2016 \u2013 Q2 2017)\n\nIn the first half of 2017, we discovered more mobile ransomware installation packages than for any other period. The reason was the Trojan-Ransom.AndroidOS.Congur family. Usually, the representatives of Congur have very simple functionality \u2013 they change the system password (PIN), or install it if no password was installed earlier, thus making it impossible to use the device, and then ask that user to contact the fraudsters via the QQ messenger to unblock it. It is worth noting that there are modifications of this Trojan that can take advantage of existing superuser privileges to install their module into the system folder.\n\nTrojan-Ransom.AndroidOS.Fusob.h remained the most popular mobile Trojan-Ransomware in Q2, accounting for nearly 20% of users attacked by mobile ransomware, which is half as much as in the previous quarter. Once run, the Trojan requests administrator privileges, collects information about the device, including GPS coordinates and call history, and downloads the data to a malicious server. After that, it may receive a command to block the device.\n\n[](<https://securelist.com/files/2017/08/Map_Mobile_Trojans_.jpg>)\n\nGeography of mobile Trojan-Ransomware in Q2 2017 (percentage of all users attacked)\n\nTOP 10 counties attacked by mobile Trojan-Ransomware (ranked by percentage of users attacked)\n\n| **Country******* | **% ****of users attacked******** \n---|---|--- \n1 | USA | 1.24% \n2 | China | 0.88% \n3 | Italy | 0.57% \n4 | Belgium | 0.54% \n5 | Canada | 0.41% \n6 | Kazakhstan | 0.41% \n7 | Ireland | 0.37% \n8 | Germany | 0.34% \n9 | Norway | 0.31% \n10 | Sweden | 0.29% \n \n_* We eliminated countries from this ranking where the number of users of Kaspersky Lab's mobile security product is lower than 10,000. \n** Percentage of unique users in each country attacked by mobile Trojan-Ransomware, relative to all users of Kaspersky Lab's mobile security product in the country._\n\nThe US topped the ranking of ten countries attacked by mobile Trojan-Ransomware; the most popular family there was [Trojan-Ransom.AndroidOS.Svpeng](<https://securelist.com/latest-version-of-svpeng-targets-users-in-us/63746/>). These Trojans appeared in 2014 as a modification of the Trojan-Banker.AndroidOS.Svpeng mobile banking family. They demand a ransom of $100-500 from victims to unblock their devices.\n\nIn China (0.65%), which came second in Q2 2017, most of mobile ransomware attacks involved Trojan-Ransom.AndroidOS.Congur.\n\nItaly (0.57%) came third. The main threat to users originated from Trojan-Ransom.AndroidOS.Egat.d. This Trojan is mostly spread in Europe and demands $100-200 to unblock the devilce.\n\n## Vulnerable apps exploited by cybercriminals\n\nThe second quarter of 2017, especially popular were campaigns involving in-the-wild vulnerabilities. The appearance of several 0-day vulnerabilities for Microsoft Office resulted in a significant change in the pattern of exploits used.\n\nThe logical vulnerability in processing HTA objects CVE-2017-0199, which allows an attacker to execute arbitrary code on a remote machine using a specially generated file, was detected in early April. And despite the fact that the update fixing this vulnerability was published on April 11, the number of attacked Microsoft Office users soared almost threefold, to 1.5 million. 71% of all attacks on Microsoft Office users were implemented using this vulnerability; documents with exploits for CVE-2017-0199 were very actively used in spam mailings.\n\n[](<https://securelist.com/files/2017/08/Platforms_exploits_.jpg>)\n\nDistribution of exploits used in attacks by the type of application attacked, Q2 2017\n\nThis was caused by several reasons - simplicity and reliability of its exploitation on all MS Office and Windows versions and rapid appearance of document generators with the CVE-2017-0199 exploit in open access which significantly reduced the entry threshold for exploitation of this vulnerability. In comparison, two other zero-day vulnerabilities in MS Office related to memory corruption vulnerability due to incorrect processing of EPS files - CVE-2017-0261 and CVE-2017-0262 - accounted for only 5%.\n\nHowever, the main event of Q2 was publication by the Shadow Brokers hacker group of the archive with utilities and exploits, supposedly developed by the US special services. The Lost In Translation archive contained a large number of network exploits for various Windows versions. And even though most of those vulnerabilities were not zero-day vulnerabilities and had been patched by the MS17-010 update a month before the leak, the publication had horrendous consequences. The damage from worms, Trojans and [ransomware cryptors](<https://securelist.com/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/78351/>) being distributed via the network with the help of EternalBlue and EternalRomance, as well as the number of users infected, is incalculable. In the second quarter of 2017 only Kaspersky Lab blocked more over five million attempted attacks involving network exploits from the archive. And the average number of attacks per day was constantly growing: 82% of all attacks were detected in the last 30 days.\n\nThe statistics on the IDS component using ShadowBrokers exploits over the last month.\n\n[](<https://securelist.com/files/2017/08/IDS_stats_.jpg>)\n\nA sharp peak at the end of the month was the appearance of the [ExPetr](<https://securelist.com/schroedingers-petya/78870/>) cryptor, which used modified EternalBlue and EternalRomance exploits as one of proliferation methods.\n\n## Online threats (Web-based attacks)\n\n### Online threats in the banking sector\n\n_These statistics are based on detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data. Beginning from the first quarter of 2017 the statistics include malicious programs for ATMs and POS terminals but does not include mobile threats._\n\nKaspersky Lab solutions blocked attempts to launch one or several malicious programs capable of stealing money via online banking on 224,000 computers in Q2 2017.\n\n[](<https://securelist.com/files/2017/08/Users_Attacked_by_Bank_Malware_EN.png>)\n\nNumber of users attacked by financial malware, April \u2013 June 2017\n\n#### Geography of attacks\n\nTo evaluate and compare the risk of being infected by banking Trojans and ATM and POS-malware worldwide, we calculate the percentage of Kaspersky Lab product users in the country who encountered this type of threat during the reporting period, relative to all users of our products in that country.\n\n[](<https://securelist.com/files/2017/08/Map_bank_attacks_.jpg>)\n\nGeography of banking malware attacks in Q2 2017 (percentage of attacked users)\n\nTOP 10 countries by percentage of attacked users\n\n**Country******* | **% ****of attacked users******** \n---|--- \nGermany | 2.61 \nTogo | 2.14 \nLibya | 1.77 \nPalestine | 1.53 \nLebanon | 1.44 \nVenezuela | 1.39 \nTunisia | 1.35 \nSerbia | 1.28 \nBahrain | 1.26 \nTaiwan | 1.23 \n \n_These statistics are based on detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data. \n* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (under 10,000). \n** Unique users whose computers have been targeted by banking Trojan and PoS/ATM malware attacks as a percentage of all unique users of Kaspersky Lab products in the country._\n\nIn the second quarter of 2017, Germany (2.61%) had the highest proportion of users attacked by banking Trojans. It was followed by Togo (2.14%). Libya (1.77%) rounded off the Top 3.\n\n#### The TOP 10 banking malware families\n\nThe table below shows the TOP 10 malware families used in Q2 2017 to attack online banking users (as a percentage of users attacked):\n\n**Name******* | **% ****of attacked users****** ** \n---|--- \nTrojan-Spy.Win32.Zbot | 32.58 \nTrojan.Win32.Nymaim | 26.02 \nTrojan-Banker.Win32.Emotet | 7.05 \nTrojan.Win32.Neurevt | 6.08 \nTrojan-Spy.Win32.SpyEyes | 6.01 \nWorm.Win32.Cridex | 4.09 \nTrojan-Banker.Win32.Gozi | 2.66 \nBackdoor.Win32.Shiz | 2.19 \nTrojan.Multi.Capper | 1.9 \nTrojan.Win32.Tinba | 1.9 \n \n_* The detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data. \n** Unique users whose computers have been targeted by the malware in question as a percentage of all users attacked by financial malware._\n\nIn Q2 2017, [Trojan-Spy.Win32.Zbot](<https://threats.kaspersky.com/en/threat/Trojan-Spy.Win32.Zbot>) (32.58%) remained the most popular malware family. Its source codes have been publicly available since a leak, so cybercriminals regularly enhance the family with new modifications compiled on the basis of the source code and containing minor differences from the original.\n\nSecond came [Trojan.Win32.Nymaim](<https://threats.kaspersky.com/ru/threat/Trojan.Win32.Nymaim>) (26.02%). The first modifications of malware belonging to this Trojan family were downloaders, which blocked the infected machine with the help of downloaded programs unique for each country. Later, new modifications of the Trojan.Win32.Nymaim family malware were discovered. They included a fragment of Gozi used by cybercriminals to steal user payment data in online banking systems. In Q1 2017, Gozi (2.66%) was on 7th position in the rating.\n\n### Ransomware Trojans\n\nMay of 2017 saw the break out of the unprecedented epidemic of the [Wannacry 2.0](<https://securelist.com/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/78351/>) ransomware cryptor, which spread using the worm that exploited a vulnerability in several Windows versions.\n\nNo sooner had this epidemic died down than in June 2017 a massive attack involving another Trojan \u2013 [ExPetr](<https://securelist.com/schroedingers-petya/78870/>) - occurred. Wannacry 2.0 did not have obvious geographic preferences and attacked all countries indiscriminately, while ExPetr chose Ukraine its main target. Kaspersky Lab specialists have found out that [ExPetr](<https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/>) encrypts MFT (system area of the NTFS file system) irreversibly which means an affected user's computer will not be completely restored the even if he pays the ransom.\n\nApart from the large-scale epidemics that shook the world, in Q2 2017 an interesting trend emerged: several criminal groups behind different ransomware cryptors concluded their activities and published their secret keys needed to decrypt victims' files. Below is the list of families, the keys to which became public during the reporting period: \n\n * Crysis (Trojan-Ransom.Win32.Crusis);\n * AES-NI (Trojan-Ransom.Win32.AecHu);\n * xdata (Trojan-Ransom.Win32.AecHu);\n * Petya/Mischa/GoldenEye (Trojan-Ransom.Win32.Petr).\n\n#### The number of new modifications\n\nIn Q2 of 2017, we discovered 15 new ransomware families. The number of new modifications was 15,663 which is considerably less than the number of modifications appeared in the previous quarter. Also, in the first quarter most of the new modifications turned to be the Cerberus cryptor variants, while in the second quarter this verdict faded into the background, giving way to the new cryptor \u2013 the world infamous Wannacry.\n\n[](<https://securelist.com/files/2017/08/New_Ransomware_Modifications_.png>)\n\nThe number of new ransomware modifications, Q2 2016 - Q2 2017\n\nCurrently we observe a sharp decrease in the number of new Cerber samples. Probably, it means that the development and distribution of this malware family is coming to an end. Time will tell whether that is true or not. Along with Cerber, the total number of ransomware modifications is going down in the second quarter of 2017.\n\n#### The number of users attacked by ransomware\n\nIn Q2 2017, 246, 675 unique KSN users were attacked by cryptors which is almost as many as of the previous quarter. Despite the drop in the quantity of new modifications, the number of protected users grew.\n\n[](<https://securelist.com/files/2017/08/Users_Attacked_by_Ransomware_EN.png>)\n\nNumber of unique users attacked by Trojan-Ransom cryptor malware (Q2 2017)\n\n### The geography of attacks\n\n[](<https://securelist.com/files/2017/08/Map_Geography_Attacks_.jpg>)\n\n#### Top 10 countries attacked by cryptors\n\n| **Country******* | **% of users attacked by cryptors **** \n---|---|--- \n1 | Brazil | 1.07% \n2 | Italy | 1.06% \n3 | Japan | 0.96% \n4 | Vietnam | 0.92% \n5 | South Korea | 0.78% \n6 | China | 0.75% \n7 | Cambodia | 0.75% \n8 | Taiwan | 0.73% \n9 | Hong Kong | 0.66% \n10 | Russia | 0.65% \n \n_* We excluded those countries where the number of Kaspersky Lab product users is relatively small (under 50,000) \n** Unique users whose computers have been targeted by ransomware as a percentage of all unique users of Kaspersky Lab products in the country._\n\n### Top 10 most widespread cryptor families\n\n| **Name** | **Verdict******* | **% ****of attacked users******** \n---|---|---|--- \n1 | Wannacry | Trojan-Ransom.Win32.Wanna | 16,90% \n2 | Locky | Trojan-Ransom.Win32.Locky | 14,91% \n3 | Cerber | Trojan-Ransom.Win32.Zerber | 13,54% \n4 | Jaff | Trojan-Ransom.Win32.Jaff | 11,00% \n5 | Cryrar/ACCDFISA | Trojan-Ransom.Win32.Cryrar | 3,54% \n6 | Spora | Trojan-Ransom.Win32.Spora | 3,08% \n7 | ExPetr | Trojan-Ransom.Win32.ExPetr | 2,90% \n8 | Shade | Trojan-Ransom.Win32.Shade | 2,44% \n9 | Purgen/GlobeImposter | Trojan-Ransom.Win32.Purgen | 1,85% \n10 | (generic verdict) | Trojan-Ransom.Win32.CryFile | 1,67% \n \n_* These statistics are based on detection verdicts received from users of Kaspersky Lab products who have consented to provide their statistical data. \n** Unique users whose computers have been targeted by a specific Trojan-Ransom family as a percentage of all users of Kaspersky Lab products attacked by Trojan-Ransom malware._\n\nIn addition to the abovementioned Wannacry and ExPetr, the Top 10 most popular cryptors included another two \"newcomers\": Jaff and Purgen. Jaff was 4th followed by Cryrar. Kaspersky Lab specialists carried out a detailed analysis of the Trojan and discovered a flaw in its implementation of cryptographic algorithms which allowed creating a utility for decrypting files.\n\nOther positions were occupied by Cerber, Locky, Spora and Shade.\n\n### Top 10 countries where online resources are seeded with malware\n\n_The following statistics are based on the physical location of the online resources used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks._\n\nIn order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.\n\nIn Q2 2017, Kaspersky Lab solutions blocked 342, 566, 061 attacks launched from web resources located in 191 countries around the world. 33, 006, 783 unique URLs were recognized as malicious by web antivirus components.\n\n[](<https://securelist.com/files/2017/08/Webattacks_countries_EN.jpg>)\n\nDistribution of web attack sources by country, Q2 2017\n\nIn Q2 2017, the US took the lead in the number of web attack sources. The sourced in France turned more \"popular\" that those in Russia and Germany.\n\n### Countries where users faced the greatest risk of online infection\n\nIn order to assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users in each country who encountered detection verdicts on their machines during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers work in different countries.\n\nThis rating only includes attacks by malicious programs that fall under the Malware class. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| **Country******* | **% ****of users attacked******** \n---|---|--- \n1 | Algeria | 29.15 \n2 | Albania | 26.57 \n3 | Belarus | 25.62 \n4 | Qatar | 24.54 \n5 | Ukraine | 24.28 \n6 | India | 23.71 \n7 | Romania | 22.86 \n8 | Azerbaijan | 22.81 \n9 | Tunisia | 22.75 \n10 | Greece | 22.38 \n11 | Brazil | 22.05 \n12 | Moldova | 21.90 \n13 | Russia | 21.86 \n14 | Vietnam | 21.67 \n15 | Armenia | 21.58 \n16 | Taiwan | 20.67 \n17 | Morocco | 20.34 \n18 | Kazakhstan | 20.33 \n19 | Kyrgyzstan | 19.99 \n20 | Georgia | 19.92 \n \n_ These statistics are based on detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data. \n* These calculations excluded countries where the number of Kaspersky Lab users is relatively small (under 10,000 users). \n**Unique users whose computers have been targeted by Malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country._\n\nOn average, 17.26% of computers connected to the Internet globally were subjected to at least one Malware-class web attack during the quarter.\n\n[](<https://securelist.com/files/2017/08/Map_Infection_Internet_.jpg>)\n\nGeography of malicious web attacks in Q2 2017 (ranked by percentage of users attacked)\n\nThe countries with the safest online surfing environments included Cuba (5%), Finland (11.32%), Singapore (11.49%), Israel (13.81%) and Japan (7.56%).\n\n## Local threats\n\n_Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.)._\n\n_Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media._\n\nIn Q2 2017, Kaspersky Lab's file antivirus detected 185, 801, 835 unique malicious and potentially unwanted objects.\n\n### Countries where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus was triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.\n\nThe rating of malicious programs only includes Malware-class attacks. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\nThe Top 20 countries where users faced the highest risk of local infection remained almost unchanged from the previous quarter, however Kazakhstan and Belarus were replaced by Mozambique and Mauritania:\n\n| **Country******* | **% ****of users attacked******** \n---|---|--- \n1 | Afghanistan | 52.08 \n2 | Uzbekistan | 51.15 \n3 | Yemen | 50.86 \n4 | Tajikistan | 50.66 \n5 | Algeria | 47.19 \n6 | Ethiopia | 47.12 \n7 | Laos | 46.39 \n8 | Vietnam | 45.98 \n9 | Turkmenistan | 45.23 \n10 | Mongolia | 44.88 \n11 | Syria | 44.69 \n12 | Djibouti | 44.26 \n13 | Iraq | 43.83 \n14 | Rwanda | 43.59 \n15 | Sudan | 43.44 \n16 | Nepal | 43.39 \n17 | Somalia | 42.90 \n18 | Mozambique | 42.88 \n19 | Bangladesh | 42.38 \n20 | Mauritania | 42.05 \n \n_These statistics are based on detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data include detections of malicious programs located on users' computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives. \n* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (under 10,000 users). \n** The percentage of unique users in the country with computers that blocked Malware-class local threats as a percentage of all unique users of Kaspersky Lab products._\n\nAn average of 20.97% of computers globally faced at least one Malware-class local threat during the second quarter. Russia's contribution to this rating accounted for 25.82%. \n[](<https://securelist.com/files/2017/08/Map_Infection_Local_.jpg>) \nThe safest countries in terms of local infection risks were: Chile (15.06%), Latvia (14.03%), Portugal (12.27%), Australia (9.46%), Great Britain (8.59%), Ireland (6.30%) and Puerto Rico (6.15%).", "modified": "2017-08-15T09:00:29", "published": "2017-08-15T09:00:29", "id": "SECURELIST:0C40BC07DFF80D4B158D166D0DC2C870", "href": "https://securelist.com/it-threat-evolution-q2-2017-statistics/79432/", "title": "IT threat evolution Q2 2017. Statistics", "type": "securelist", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-07T22:51:46", "bulletinFamily": "blog", "description": "\n\nSofacy, also known as APT28, Fancy Bear, and Tsar Team, is a highly active and prolific [APT](<https://securelist.com/threats/apt-advanced-persistent-threats-glossary?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>). From their high volume 0day deployment to their innovative and broad malware set, Sofacy is one of the top groups that we monitor, report, and protect against. 2017 was not any different in this regard. Our private reports subscription customers receive a steady stream of [YARA](<https://securelist.com/threats/yara-glossary?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), IOC, and reports on Sofacy, our most reported APT for the year.\n\nThis high level of cyber-espionage activity goes back years. In 2011-2012, the group used a relatively tiny implant (known as \"Sofacy\" or SOURFACE) as their first stage malware, which at the time had similarities with the old Miniduke implants. This made us believe the two groups were connected, although it looks they split ways at a certain point, with the original Miniduke group switching to the CosmicDuke implant in 2014. The division in malware was consistent and definitive at that point.\n\nIn 2013, the Sofacy group expanded their arsenal and added more backdoors and tools, including CORESHELL, SPLM (aka Xagent, aka CHOPSTICK), JHUHUGIT (which is built with code from the Carberp sources), AZZY (aka ADVSTORESHELL, NETUI, EVILTOSS, and spans across 4-5 generations) and a few others. We've seen quite a few versions of these implants, which were relatively widespread at some point or still are. In 2015 we noticed [another wave of attacks](<https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/>) which took advantage of a new release of the AZZY implant, largely undetected by antivirus products. The new wave of attacks included a new generation of USB stealers deployed by Sofacy, with initial versions dating to February 2015. It appeared to be geared exclusively towards high profile targets.\n\nSofacy's reported presence in the DNC network alongside APT29 brought possibly the highest level of public attention to the group's activities in 2016, especially when data from the compromise was leaked and \"weaponized\". And later 2016, their focus turned towards the Olympics' and the World Anti-Doping Agency (WADA) and Court of Arbitration for Sports (CAS), when individuals and servers in these organizations were phished and compromised. In a similar vein with past CyberBerkut activity, attackers hid behind anonymous activist groups like \"anonpoland\", and data from victimized organizations were similarly leaked and \"weaponized\".\n\nThis write-up will survey notables in the past year of 2017 Sofacy activity, including their targeting, technology, and notes on their infrastructure. No one research group has 100% global visibility, and our collected data is presented accordingly. Here, external APT28 reports on 2017 [Darkhotel](<https://securelist.com/the-darkhotel-apt/66779/>)-style activity [in Europe](<https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html>) and [Dealer's Choice](<https://researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/>) spearphishing are of interest. From where we sit, 2017 Sofacy activity starts with a heavy focus on NATO and Ukrainian partners, coinciding with lighter interest in Central Asian targets, and finishing the second half of the year with a heavy focus on Central Asian targets and some shift further East.\n\n[](<https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/02/07163041/180220-sofacy-review-1.png>)\n\n## **Dealer's Choice**\n\nThe beginning of 2017 began with a slow cleanup following the Dealer's Choice campaign, with technical characteristics documented by our colleagues at Palo Alto in several stages at the end of 2016. The group spearphished targets in several waves with Flash exploits leading to their carberp based JHUHUGIT downloaders and further stages of malware. It seems that many folks did not log in and pull down their emails until Jan 2017 to retrieve the Dealer's Choice spearphish. Throughout these waves, we observed that the targets provided connection, even tangential, to Ukraine and NATO military and diplomatic interests.\n\nIn multiple cases, Sofacy spoofs the identity of a target, and emails a spearphish to other targets of interest. Often these are military or military-technology and manufacturing related, and here, the DealersChoice spearphish is again NATO related:\n\n[](<https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/02/07163036/180220-sofacy-review-2.png>)\n\nThe global reach that coincided with this focus on NATO and the Ukraine couldn't be overstated. Our KSN data showed spearphishing targets geolocated across the globe into 2017. \nAM, AZ, FR, DE, IQ, IT, KG, MA, CH, UA, US, VN\n\nDealersChoice emails, like the one above, that we were able to recover from third party sources provided additional targeting insight, and confirmed some of the targeting within our KSN data: \nTR, PL, BA, AZ, KR, LV, GE, LV, AU, SE, BE\n\n## **0day Deployment(s)**\n\nSofacy kicked off the year deploying two 0day in a spearphish document, both a Microsoft Office encapsulated postscript type confusion exploit (abusing [CVE-2017-0262](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0262>)) and an escalation of privilege use-after-free exploit (abusing [CVE-2017-0263](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0263>)). The group attempted to deploy this spearphish attachment to push a small 30kb backdoor known as GAMEFISH to targets in Europe at the beginning of 2017. They took advantage of the Syrian military conflict for thematic content and file naming \"Trump's_Attack_on_Syria_English.docx\". Again, this deployment was likely a part of their focus on NATO targets.\n\n## **Light SPLM deployment in Central Asia and Consistent Infrastructure**\n\nMeanwhile in early-to-mid 2017, SPLM/CHOPSTICK/XAgent detections in Central Asia provided a glimpse into ongoing focus on ex-Soviet republics in Central Asia. These particular detections are interesting because they indicate an attempted selective 2nd stage deployment of a backdoor maintaining filestealer, keylogger, and remoteshell functionality to a system of interest. As the latest revision of the backdoor, portions of SPLM didn't match previous reports on SPLM/XAgent while other similarities were maintained. SPLM 64-bit modules already appeared to be at version 4 of the software by May of the year. Targeting profiles included defense related commercial and military organizations, and telecommunications.\n\nTargeting included TR, KZ, AM, KG, JO, UK, UZ\n\n[](<https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/02/07163030/180220-sofacy-review-3.png>)\n\n## **Heavy Zebrocy deployments**\n\nSince mid-November 2015, the threat actor referred to as \"Sofacy\" or \"APT28\" has been utilizing a unique payload and delivery mechanism written in Delphi and AutoIT. We collectively refer to this package and related activity as \"Zebrocy\" and had written a few reports on its usage and development by June 2017 - Sofacy developers modified and redeployed incremented versions of the malware. The Zebrocy chain follows a pattern: spearphish attachment -&gt; compiled Autoit script (downloader) -&gt; Zebrocy payload. In some deployments, we observed Sofacy actively developing and deploying a new package to a much smaller, specific subset of targets within the broader set.\n\nTargeting profiles, spearphish filenames, and lures carry thematic content related to visa applications and scanned images, border control administration, and various administrative notes. Targeting appears to be widely spread across the Middle East, Europe, and Asia:&lt;/p style=\"margin-bottom:0!important\"&gt;\n\n * Business accounting practices and standards\n * Science and engineering centers\n * Industrial and hydrochemical engineering and standards/certification\n * Ministry of foreign affairs\n * Embassies and consulates\n * National security and intelligence agencies\n * Press services\n * Translation services\n * NGO - family and social service\n * Ministry of energy and industry\n\nWe identified new MSIL components deployed by Zebrocy. While recent Zebrocy versioning was 7.1, some of the related Zebrocy modules that drop file-stealing MSIL modules we call Covfacy were v7.0. The components were an unexpected inclusion in this particular toolset. For example, one sent out to a handful of countries identifies network drives when they are added to target systems, and then RC4-like-encrypts and writes certain file metadata and contents to a local path for later exfiltration. The stealer searches for files 60mb and less with these extensions:&lt;/p style=\"margin-bottom:0!important\"&gt;\n\n * .doc\n * .docx\n * .xls\n * .xlsx\n * .ppt\n * .pptx\n * .exe\n * .zip\n * .rar\n\nAt execution, it installs an application-defined Windows hook. The hook gets windows messages indicating when a network drive has been attached. Upon adding a network drive, the hook calls its \"RecordToFile\" file stealer method.\n\n[](<https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/02/07163025/180220-sofacy-review-4.png>)\n\nZebrocy spearphishing targets: \nAF, AM, AU, AZ, BD, BE, CN, DE, ES, FI, GE, IL, IN, JO, KW, KG, KZ, LB, LT, MN, MY, NL, OM, PK, PO, SA, ZA, SK, SE, CH, TJ, TM, TR, UA, UAE, UK, US, UZ\n\n## **SPLM deployment in Central Asia**\n\nSPLM/CHOPSTICK components deployed throughout 2017 were native 64-bit modular C++ Windows COM backdoors supporting http over fully encrypted TLSv1 and TLSv1.2 communications, mostly deployed in the second half of 2017 by Sofacy. Earlier SPLM activity deployed 32-bit modules over unencrypted http (and sometimes smtp) sessions. In 2016 we saw fully functional, very large SPLM/X-Agent modules supporting OS X.\n\nThe executable module continues to be part of a framework supporting various internal and external components communicating over internal and external channels, maintaining slightly morphed encryption and functionality per deployment. Sofacy selectively used SPLM/CHOPSTICK modules as second stage implants to high interest targets for years now. In a change from previous compilations, the module was structured and used to inject remote shell, keylogger, and filesystem add-ons into processes running on victim systems and maintaining functionality that was originally present within the main module.\n\nThe newer SPLM modules are deployed mostly to Central Asian based targets that may have a tie to NATO in some form. These targets include foreign affairs government organizations both localized and abroad, and defense organizations' presence localized, located in Europe and also located in Afghanistan. One outlier SPLM target profile within our visibility includes an audit and consulting firm in Bosnia and Herzegovina.\n\nMinor changes and updates to the code were released with these deployments, including a new mutex format and the exclusive use of encrypted HTTP communications over TLS. The compiled code itself already is altered per deployment in multiple subtle ways, in order to stymie identification and automated analysis and accommodate targeted environments. Strings (c2 domains and functionality, error messages, etc) are custom encrypted per deployment.\n\nTargets: TR, KZ, BA, TM, AF, DE, LT, NL\n\n## **SPLM/CHOPSTICK/XAgent Modularity and Infrastructure**\n\nThis subset of SPLM/CHOPSTICK activity leads into several small surprises that take us into 2018, to be discussed in further detail at SAS 2018. The group demonstrates malleability and innovation in maintaining and producing familiar SPLM functionality, but the pragmatic and systematic approach towards producing undetected or difficult-to-detect malware continues. Changes in the second stage SPLM backdoor are refined, making the code reliably modular.\n\n## **Infrastructure Notes**\n\nSofacy set up and maintained multiple servers and c2 for varying durations, registering fairly recognizable domains with privacy services, registrars that accept bitcoin, fake phone numbers, phony individual names, and 1 to 1 email address to domain registration relationships. Some of this activity and patterns were publicly disclosed, so we expect to see more change in their process in 2018. Also, throughout the year and in previous years, researchers began to comment publicly on Sofacy's fairly consistent infrastructure setup.\n\nAs always, attackers make mistakes and give away hints about what providers and registrars they prefer. It's interesting to note that this version of SPLM implements communications that are fully encrypted over HTTPS. As an example, we might see extraneous data in their SSL/TLS certificates that give away information about their provider or resources. Leading up to summer 2017, infrastructure mostly was created with PDR and Internet Domain Service BS Corp, and their resellers. Hosting mostly was provided at Fast Serv Inc and resellers, in all likelihood related to bitcoin payment processing.\n\nAccordingly, the server side certificates appear to be generated locally on VPS hosts that exclusively are paid for at providers with bitcoin merchant processing. One certificate was generated locally on what appeared to be a HP-UX box, and another was generated on \"8569985.securefastserver[.]com\" with an email address \"root@8569985.securefastserver[.]com\", as seen here for their nethostnet[.]com domain. This certificate configuration is ignored by the malware.\n\n[](<https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/02/07163021/180220-sofacy-review-5.png>)\n\nIn addition to other ip data, this data point suggested that Qhoster at https://www.qhoster[.]com was a VPS hosting reseller of choice at the time. It should be noted that the reseller accepted Alfa Click, PayPal, Payza, Neteller, Skrill, WebMoney, Perfect Money, Bitcoin, Litecoin, SolidTrust Pay, CashU, Ukash, OKPAY, EgoPay, paysafecard, Alipay, MG, Western Union, SOFORT Banking, QIWI, Bank transfer for payment.\n\n## **Conclusion**\n\nSofacy, one of the most active APT we monitor, continues to spearphish their way into targets, reportedly widely phishes for credentials, and infrequently participates in server side activity (including host compromise with [BeEF deployment](<https://www.youtube.com/watch?v=yQ0zZ6Anb64&feature=youtu.be>), for example). KSN visibility and detections suggests a shift from their early 2017 high volume NATO spearphish targeting towards the middle east and Central Asia, and finally moving their focus further east into late 2017. Their operational security is good. Their campaigns appear to have broken out into subsets of activity and malware involving GAMEFISH, Zebrocy, and SPLM, to name a few. Their evolving and modified SPLM/CHOPSTICK/XAgent code is a long-standing part of Sofacy activity, however much of it is changing. We'll cover more recent 2018 change in their targeting and the malware itself at [SAS 2018](<https://sas.kaspersky.com/>).\n\nWith a group like Sofacy, once their attention is detected on a network, it is important to review logins and unusual administrator access on systems, thoroughly scan and sandbox incoming attachments, and maintain two factor authentication for services like email and vpn access. In order to identify their presence, not only can you gain valuable insight into their targeting from intelligence reports and gain powerful means of detections with hunting tools like YARA, but out-of-band processing with a solution like KATA is important.\n\n## **Technical Appendix**\n\n### **Related md5**\n\n8f9f697aa6697acee70336f66f295837 \n1a4b9a6b321da199aa6d10180e889313 \n842454b48f5f800029946b1555fba7fc \nd4a5d44184333442f5015699c2b8af28 \n1421419d1be31f1f9ea60e8ed87277db \nb1d1a2c64474d2f6e7a5db71ccbafa31 \n953c7321c4959655fdd53302550ce02d \n57601d717fcf358220340675f8d63c8a \n02b79c468c38c4312429a499fa4f6c81 \n85cd38f9e2c9397a18013a8921841a04 \nf8e92d8b5488ea76c40601c8f1a08790 \n66b4fb539806ce27be184b6735584339 \ne8e1fcf757fe06be13bead43eaa1338c \n953c7321c4959655fdd53302550ce02d \naa2aac4606405d61c7e53140d35d7671 \n85cd38f9e2c9397a18013a8921841a04 \n57601d717fcf358220340675f8d63c8a \n16e1ca26bc66e30bfa52f8a08846613d \nf8e92d8b5488ea76c40601c8f1a08790 \nb137c809e3bf11f2f5d867a6f4215f95 \n237e6dcbc6af50ef5f5211818522c463 \n88009adca35560810ec220544e4fb6aa \n2163a33330ae5786d3e984db09b2d9d2 \n02b79c468c38c4312429a499fa4f6c81 \n842454b48f5f800029946b1555fba7fc \nd4a5d44184333442f5015699c2b8af28 \nb88633376fbb144971dcb503f72fd192 \n8f9f697aa6697acee70336f66f295837 \nb6f77273cbde76896a36e32b0c0540e1 \n1a4b9a6b321da199aa6d10180e889313 \n1421419d1be31f1f9ea60e8ed87277db \n1a4b9a6b321da199aa6d10180e889313 \n9b10685b774a783eabfecdb6119a8aa3 \naa34fb2e5849bff4144a1c98a8158970 \naced5525ba0d4f44ffd01c4db2730a34 \nb1d1a2c64474d2f6e7a5db71ccbafa31 \nb924ff83d9120d934bb49a7a2e3c4292 \ncdb58c2999eeda58a9d0c70f910d1195 \nd4a5d44184333442f5015699c2b8af28 \nd6f2bf2066e053e58fe8bcd39cb2e9ad \n34dc9a69f33ba93e631cd5048d9f2624 \n1c6f8eba504f2f429abf362626545c79 \n139c9ac0776804714ebe8b8d35a04641 \ne228cd74103dc069663bb87d4f22d7d5 \nbed5bc0a8aae2662ea5d2484f80c1760 \n8c3f5f1fff999bc783062dd50357be79 \n5882a8dd4446abd137c05d2451b85fea \n296c956fe429cedd1b64b78e66797122 \n82f06d7157dd28a75f1fbb47728aea25 \n9a975e0ddd32c0deef1318c485358b20 \n529424eae07677834a770aaa431e6c54 \n4cafde8fa7d9e67194d4edd4f2adb92b \nf6b2ef4daf1b78802548d3e6d4de7ba7 \nede5d82bb6775a9b1659dccb699fadcb \n116d2fc1665ce7524826a624be0ded1c \n20ff290b8393f006eaf4358f09f13e99 \n4b02dfdfd44df3c88b0ca8c2327843a4 \nc789ec7537e300411d523aef74407a5e \n0b32e65caf653d77cab2a866ee2d9dbc \n27faa10d1bec1a25f66e88645c695016 \n647edddf61954822ddb7ab3341f9a6c5 \n2f04b8eb993ca4a3d98607824a10acfb \n9fe3a0fb3304d749aeed2c3e2e5787eb \n62deab0e5d61d6bf9e0ba83d9e1d7e2b \n86b607fe63c76b3d808f84969cb1a781 \nf62182cf0ab94b3c97b0261547dfc6cf \n504182aaa5575bb38bf584839beb6d51 \nd79a21970cad03e22440ea66bd85931f\n\n### **Related domains**\n\nnethostnet[.]com \nhostsvcnet[.]com \netcrem[.]net \nmovieultimate[.]com \nnewfilmts[.]com \nfastdataexchange[.]org \nliveweatherview[.]com \nanalyticsbar[.]org \nanalyticstest[.]net \nlifeofmentalservice[.]com \nmeteost[.]com \nrighttopregnantpower[.]com \nkiteim[.]org \nadobe-flash-updates[.]org \ngeneralsecurityscan[.]com \nglobalresearching[.]org \nlvueton[.]com \naudiwheel[.]com \nonline-reggi[.]com \nfsportal[.]net \nnetcorpscanprotect[.]com \nmvband[.]net \nmvtband[.]net \nviters[.]org \ntreepastwillingmoment[.]com \nsendmevideo[.]org \nsatellitedeluxpanorama[.]com \nppcodecs[.]com \nencoder-info[.]tk \nwmdmediacodecs[.]com \npostlkwarn[.]com \nshcserv[.]com \nversiontask[.]com \nwebcdelivery[.]com \nmiropc[.]org \nsecurityprotectingcorp[.]com \nuniquecorpind[.]com \nappexsrv[.]net \nadobeupgradeflash[.]com", "modified": "2018-02-20T14:00:06", "published": "2018-02-20T14:00:06", "id": "SECURELIST:F845B38B54D0C8C027B3C2728E64B367", "href": "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/", "type": "securelist", "title": "A Slice of 2017 Sofacy Activity", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-08-29T03:16:10", "bulletinFamily": "blog", "description": "\n\n## Introduction\n\nSince 2014, Kaspersky Lab's Global Research and Analysis Team (GReAT) has been providing threat intelligence reports to a wide-range of customers worldwide, leading to the delivery of a full and dedicated private reporting service. Prior to the new service offering, GReAT published research online for the general public in an effort to help combat the ever-increasing threat from nation-state and other advanced actors. Since we began offering a threat intelligence service, all deep technical details on advanced campaigns are first pushed to our subscriber base. At the same time, to remain true to our efforts to help make the internet safer, important incidents, such as WannaCry or Petya are covered in both private and public reports.\n\n[](<https://securelist.com/files/2017/08/APT-report-Q2-2017-1.png>)\n\nKaspersky's Private Threat Intelligence Portal (TIP)\n\nIn Q1 of 2017 we published our [first APT Trends report](<https://securelist.com/apt-trends-report-q1-2017/78169/>), highlighting our top research findings over the last few months. We will continue to publish quarterly reports as a representative snapshot of what has been offered in greater detail in our private reports in order to highlight significant events and findings we feel most users should be aware of. If you would like to learn more about our intelligence reports or request more information for a specific report, readers are encouraged to contact: **intelreports@kaspersky.com**.\n\n## Russian-Speaking Actors\n\nThe second quarter of 2017 has seen multiple incidents involving Russian-speaking threat actors. Topping the list of 'attention grabbers' were the Sofacy and Turla threat actors.\n\nMarch and April started off with a bang, with the discovery of three zero-day exploits being used in-the-wild by Sofacy and Turla: two of these targeted Microsoft Office's Encapsulated PostScript (EPS) and the third being a Microsoft Windows Local Privilege Escalation (LPE). Sofacy was discovered utilizing both CVE-2017-0262 (an EPS vulnerability) and CVE-2017-0263 (LPE) over the Easter holiday, targeting a swath of users throughout Europe. Prior to this attack, Turla was also discovered using CVE-2017-0261 (a different EPS vulnerability). Neither actor appeared to deviate from their usual payload repertoire, with Sofacy dropping their typical GAMEFISH payload and Turla utilizing what we refer to as ICEDCOFFEE (a.k.a. Shirime). Targeting for these attacks was also directly within the normal wheelhouse for both actors, focusing mainly on foreign ministries, governments, and other government-affiliated organizations.\n\nGReAT produced additional reports on Sofacy and Turla beyond those mentioned above. In April, we notified customers of two new experimental macro techniques utilized by Sofacy. These techniques, while not particularly sophisticated, caught our attention as they had not been seen before in-the-wild. The first technique involved using the built-in 'certutil' utility in Microsoft Windows to extract a hardcoded payload within a macro. The second technique involved embedding Base64-encoded payloads within the EXIF metadata of the malicious documents. While the targeting for this new set of activity was again fairly standard, we discovered some noteworthy targeting against a French political party member prior to the 2017 elections. Moving into May and June, we wrote two additional reports of interest involving these two actors: the first was an update on the long running \"Mosquito Turla\" campaign showing the usage of fake Adobe Flash installers and continued targeting of foreign Ministries. The other documented yet another update on Sofacy's unique Delphi payload we call 'Zebrocy'.\n\nJune saw the massive outbreak of a piece of malware [dubbed](<https://securelist.com/schroedingers-petya/78870/>) \"ExPetr\". While initial assessments presumed that this was yet another ransomware attack \u00e0 la WannaCry, a deeper assessment by GReAT places the initial intent as constituting an operation destructive in nature. We were also able to confidently identify the initial distribution of the malware, as well as indicate a _low confidence _assessment that the attacks may share traits with the BlackEnergy actors. \n\n[](<https://securelist.com/files/2017/08/APT-report-Q2-2017-2.png>)\n\nBelow is a summary of report titles produced for the Eastern European region only. As stated above, if you would like to learn more about our threat intelligence products or request more information on a specific report, please direct inquiries to **intelreports@kaspersky.com**.\n\n 1. Sofacy Dabbling in New Macro Techniques\n 2. Sofacy Using Two Zero Days in Recent Targeted Attacks - early warning\n 3. Turla EPS Zero Day - early warning\n 4. Mosquito Turla Targets Foreign Affairs Globally\n 5. Update on Zebrocy Activity June 2017\n 6. ExPetr motivation and attribution - Early alert\n 7. BlackBox ATM attacks using SDC bus injection\n\n## English-Speaking Actors\n\nEnglish-speaking actors are always particularly fascinating due to their history of complex tooling and campaigns. Actors like Regin and Project Sauron have proven fascinating examples of new techniques leveraged in long-lasting, hard to catch campaigns and as such make ideal subjects for further research. Not to be outdone, Equation and the Lamberts were the subjects of our most recent investigations.\n\nContinuing our practice of conducting malware paleontology while integrating new discoveries, we published a report on EQUATIONVECTOR, an Equation backdoor first used as early as 2006. This backdoor is a fascinating passive-active shellcode staging implant. It's one of the earliest noted instances of a NObody But US ('NOBUS') backdoor for staging further attacks. Despite its age, the EQUATIONVECTOR backdoor (identified as 'PeddleCheap' in the latest ShadowBrokers disclosures) incorporates many advanced techniques for prolonged stealthy operations in victim networks, allowing the Equation operators to deliver further payloads without arousing suspicion. The report tracks the development of these tools through subsequent iterations year-by-year.\n\nOur tracking of the Lamberts toolkit continues with the publication of the Gray Lambert report in June, the most advanced Lambert known to date. This too is a NOBUS backdoor, a passive implant operating strictly in user-land. The intricate usefulness of Gray Lambert lies in its ability to orchestrate multiple sniffer victims on a network via broadcast, multicast, and unicast commands, allowing the operators to employ surgical precision in networks with many infected machines. The sniffers double as next-stage payload delivery mechanisms for an infected network. A notable feature of the Lambert campaigns is the level of precision with which targets are chosen; Gray Lambert's victimology is primarily focused on strategic verticals in Asia and Middle East. During this investigation, GReAT researchers have also discovered two additional Lambert families (Red Lambert and Brown Lambert) currently under investigation for Q3. Below is a list of report titles for reference:\n\n 1. EQUATIONVECTOR - A Generational Breakdown of the PeddleCheap Multifunctional Backdoor\n 2. The Gray Lambert \u2013 A Leap in Sophistication to User-land NOBUS Passive Implants\n\n## Korean-speaking Actors\n\nOur researchers focusing on attacks with a Korean nexus also had a very busy quarter, producing seven reports on the Lazarus group and WannaCry attacks. Most of the reports on Lazarus directly involved a sub-group we refer to as BlueNoroff. They are the arm that focuses mainly on financial gain, targeting banks, ATMs, and other \"money-makers\". We revealed to customers a previously unknown piece of malware dubbed 'Manuscrypt' used by Lazarus to target not only diplomatic targets in South Korea, but also people using virtual currency and electronic payment sites. Most recently, 'Manuscrypt' has become the primary backdoor used by the BlueNoroff sub-group to target financial institutions.\n\nWannaCry also created quite a stir in the second quarter, with our analysts producing three reports and multiple blog posts on this emerging threat. What proved most interesting to us, was the probable linkage to Lazarus group as the source of the attacks, as well as the origins of the malware. GReAT researchers were able to trace back some of its earliest usage and show that before the 'EternalBlue' exploit was added to version 2, WannaCry v1 was used in spearphishing attacks months prior. Here is a listing of our reports from Q2 on actors with a Korean nexus:\n\n 1. Manuscrypt - malware family distributed by Lazarus\n 2. Lazarus actor targets carders\n 3. Lazarus-linked ATM Malware On the Loose In South Korea\n 4. Lazarus targets electronic currency operators\n 5. WannaCry - major ransomware attack hitting businesses worldwide - early alert\n 6. WannaCry possibly tied to the Lazarus APT Group\n 7. The First WannaCry Spearphish and Module Distribution\n\n## Middle Eastern Actors\n\nWhile there wasn't much high-end activity involving Middle Eastern actors, we did produce two reports revolving around the use of a zero-day exploit (CVE-2017-0199). The most notable involved an actor we refer to as BlackOasis and their usage of the exploit in-the-wild prior to its discovery. We have previously reported on BlackOasis using other zero-days in the past; CVE-2016-4117 in May 2016, CVE-2016-0984 in June 2015, and CVE-2015-5119 in June 2015. It is believed that BlackOasis is a customer of Gamma Group and utilizes the popular 'lawful surveillance' kit FinSpy. Other than the usage of the exploit, this report was significant because it also showed one of the earliest known uses of a new version of FinSpy, which is still being analyzed by our researchers.\n\nAfter the discovery of CVE-2017-0199, a plethora of threat actors also began to leverage this exploit in their attacks. We reported to customers on the usage of this exploit by a well-known Middle Eastern actor dubbed 'OilRig'. OilRig has actively targeted many organizations in Israel with the exploit via spearphishes appearing to originate from well-known doctors within Ben Gurion University. While their execution was less than stellar, it highlighted the widespread usage of this exploit shortly after its discovery.\n\n 1. OilRig exploiting CVE-2017-0199 in new campaign\n 2. BlackOasis using Ole2Link zero day exploit in the wild\n\n## Chinese-Speaking Actors\n\nOn the Chinese speaking front, we felt it necessary to produce two reports to our customers. While Chinese speaking actors are active on a daily basis, not much has changed and we prefer to avoid producing reports on 'yet another instance of APTxx' for the sake of padding our numbers. Instead we try to focus on new and exciting campaigns that warrant special attention.\n\nOne of those reports detailed a new finding regarding a fileless version of the well-known 'HiKit' malware dubbed 'Hias'. We have reported on Hias in the past, and one of our researchers was finally able to discover the persistence mechanism used, which also allowed us to tie the activity to an actor we call 'CloudComputating'.\n\nAnother report detailed a new campaign we referred to as 'IndigoZebra'. This campaign was targeting former Soviet Republics with a wide swath of malware including Meterpreter, Poison Ivy, xDown, and a previously unknown malware called 'xCaon'. This campaign shares ties with other well-known Chinese-speaking actors, but no definitive attribution has been made at this time.\n\n 1. Updated technical analysis of Hias RAT\n 2. IndigoZebra - Intelligence preparation to high-level summits in Middle Asia\n\n## Best of the rest\n\nSometimes we find new and exciting campaigns or entirely new threat actors to report to our subscribers without being able to make an immediate or definitive determination on regional provenance. Several reports fell into this category in the last quarter. ChasingAdder is a report describing a new persistence technique that hijacked a legitimate WMI DLL for the purposes of loading a malicious payload. This activity targeted high-profile diplomatic, military, and research organizations beginning in the fall of 2016, but to date we have not been able to pinpoint the specific actor responsible.\n\nDemsty is a new piece of MacOS malware that is targeting University researchers in Hong Kong, among others. At the time of writing, we have a low confidence assessment that the campaign was conducted by Chinese-speaking actors, and thus categorize this as 'Unknown' until greater evidence comes to light.\n\nDuring Q2, the mischievous ShadowBrokers also continued their regular activities dumping multiple tools and documentation allegedly stolen from Equation Group. In April, the ShadowBrokers released another dump of information detailing the alleged targeting of SWIFT service bureaus and other banks by Equation Group. Since some of our customers are financial entities, we found it necessary to evaluate the data and provide an expert's opinion on the validity of the dump.\n\nReports in the 'unknown' category:\n\n 1. ShadowBrokers' Lost in translation leak - SWIFT attacks analysis\n 2. ChasingAdder - WMI DLL Hijacking Trojan Targeting High Profile Victims\n 3. University Researchers Located in Hong Kong Targeted with Demsty\n\n## Predictions\n\nBased on the trends we've seen over the last three months, as well as foreseeable geopolitical events, we have listed a few predictions for the upcoming quarter (Q3). As always, this isn't an exact science and some cases won't come to fruition. Analyzing current and future events and combining those with the motivations of known active actors can help organizations prepare for likely forthcoming activity:\n\n 1. Misinformation campaigns will remain a threat to countries with upcoming elections, specifically Germany and Norway, as they have been previous targets for Eastern European based actors.\n 2. 'Lawful Surveillance' tools will continue to be utilized by governments that don't have well-established Cyber Operations capabilities, mainly based out of the Middle East. Companies such as Gamma Group, Hacking Team, and NSO will continue to offer new zero-day exploits to those customers. As prices increase and exchanges thrive, new organizations and marketplaces will continue popping up.\n 3. Destructive malware disguised as ransomware will continue to be a problem. In the last quarter we've seen two instances of this, and with the continued release of tools / exploits from dumps like Vault7 and ShadowBrokers, this is going to be a new alarming trend to deal with.\n 4. In China, the past months have been marked by the dwindling economic growth, rising tensions with North Korea and the US, and increased exchanges between South Korean / Japanese / American organizations. In addition to these, the 19th Party Congress is set to be held in the fall of 2017 and according to multiple public predictions, it is likely that some major changes will happen in the leadership. It's possible that these events will have wide regional influences that could affect the way that threat actors operate in Asia, both in terms of targeting and TTPs.\n 5. Targeting energy-related companies and organizations will be on the rise. Countries such as Norway may be a top target moving forward given their control on oil and gas in the region in the buildup to an election. Saudi Arabia will also top the charts for potential targeting as they have in years past.\n 6. Lower-tier threat actors continue to increase cyber-espionage efforts and capabilities both in complexity and size. Expect more activity with varied technical capabilities coming from lesser known or previously unseen actors.\n\n## How to keep yourself protected\n\nOne of the biggest problems when it comes to leveraging threat intelligence is judging the quality of the data and how it can be used for defense. For instance, we may observe an increase in the number of fileless attacks or attacks in which all IOCs are unique or specific per victim. In such situations, having not only host-based IOCs, but also network IOCs and Yara rules that can help identify malware in all cases is very important.\n\nAnother problem comes from the fact that many threat intelligence providers have a limited world view and their data covers only a small set of threats. It's easy for an enterprise to fall into the trap of thinking that 'actor X' is not something they need to worry because their focus has been only certain countries or certain industry sectors; only to discover later that their ignorance left them blind to those attacks.\n\nAs shown by many incidents, but especially by WannaCry and ExPetr's EternalBlue-based spreading subroutines, vulnerabilities remain a key approach to infecting systems. Therefore timely patching is of utmost importance \u2013 which, being one of the most tedious IT maintenance tasks, works much better with good automation. Kaspersky Endpoint Security for Business Advanced and Kaspersky Total Security include Vulnerability &amp; Patch management components, offering convenient tools for making patching much easier, and much less time-consuming for IT staff.\n\nGiven the above, it is highly recommended that prevention (such as endpoint protection) along with advanced detection capabilities, such as a solution that can detect all types of anomalies and scrutinize suspicious files at a deeper level, be present on users' systems. The Kaspersky Anti Targeted Attack solution (KATA) matches events coming from different infrastructure levels, discerns anomalies and aggregates them into incidents, while also studying related artifacts in a safe environment of a sandbox. As with most Kaspersky products, KATA is powered by HuMachine Intelligence, which is backed by on premise and in lab-running machine learning processes coupled with real-time analyst expertise and our understanding of threat intelligence big data.\n\nThe best way to prevent attackers from finding and leveraging security holes, is to eliminate the holes altogether, including those involving improper system configurations or errors in proprietary applications. For this, Kaspersky Penetration Testing and Application Security Assessment services can become a convenient and highly effective solution, providing not only data on found vulnerabilities, but also advising on how to fix it, further strengthening corporate security.", "modified": "2017-08-08T14:00:40", "published": "2017-08-08T14:00:40", "href": "https://securelist.com/apt-trends-report-q2-2017/79332/", "id": "SECURELIST:75F0B75D28318C525992E42495D8C5EE", "title": "APT Trends report Q2 2017", "type": "securelist", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2019-05-29T18:34:17", "bulletinFamily": "scanner", "description": "This host is missing an important security\n update for Microsoft Office Suite according to Microsoft KB3118310", "modified": "2019-05-03T00:00:00", "published": "2017-05-10T00:00:00", "id": "OPENVAS:1361412562310810787", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810787", "title": "Microsoft Office Suite Remote Code Execution Vulnerabilities (KB3118310)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Office Suite Remote Code Execution Vulnerabilities (KB3118310)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810787\");\n script_version(\"2019-05-03T10:54:50+0000\");\n script_cve_id(\"CVE-2017-0261\", \"CVE-2017-0262\", \"CVE-2017-8510\");\n script_bugtraq_id(98104, 98279, 98813);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 10:54:50 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-05-10 13:49:53 +0530 (Wed, 10 May 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Office Suite Remote Code Execution Vulnerabilities (KB3118310)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update for Microsoft Office Suite according to Microsoft KB3118310\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaws exist in Microsoft Office software\n when the software fails to properly handle objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to run arbitrary code in the context of the current user on an\n affected system.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Office 2010 Service Pack 2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/3118310\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/3203461\");\n script_xref(name:\"URL\", value:\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261\");\n script_xref(name:\"URL\", value:\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"MS/Office/Ver\");\n script_require_ports(139, 445);\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/3118310\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## MS Office\noffVer = get_kb_item(\"MS/Office/Ver\");\nif(!offVer){\n exit(0);\n}\n\npath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\",\n item:\"CommonFilesDir\");\nif(!path){\n exit(0);\n}\n\nif(offVer =~ \"^14\\..*\")\n{\n filePath = path + \"\\Microsoft Shared\\RPHFLT\";\n\n fileVer = fetch_file_version(sysPath:filePath, file_name:\"epsimp32.flt\");\n if(fileVer =~ \"^2010\")\n {\n if(version_in_range(version:fileVer, test_version:\"2010\", test_version2:\"2010.1400.4740.0999\"))\n {\n report = 'File checked: ' + filePath + \"\\epsimp32.flt\" + '\\n' +\n 'File version: ' + fileVer + '\\n' +\n 'Vulnerable range: ' + \"2010 - 2010.1400.4740.0999\" + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2019-02-21T01:30:49", "bulletinFamily": "scanner", "description": "The Microsoft Office application, Office Web Apps, or SharePoint Server installed on the remote Windows host is missing a security update. It is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists in Microsoft Office software due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted Office document, to execute arbitrary code in the context of the current user. (CVE-2017-0254)\n\n - A cross-site scripting (XSS) vulnerability exists in Microsoft SharePoint Server due improper validation of user-supplied input in web requests. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2017-0255)\n\n - A remote code execution vulnerability exists in Microsoft Office due to improper handling of malformed graphics images. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted EPS file, to execute arbitrary code in the context of the current user. (CVE-2017-0261)\n\n - A remote code execution vulnerability exists in Microsoft Office when handling malformed graphics images. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted EPS file or visit a specially crafted website, to execute arbitrary code. (CVE-2017-0262)\n\n - A remote code execution vulnerability exists in Microsoft Office due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted file, to execute arbitrary code in the context of the current user. (CVE-2017-0281)", "modified": "2018-09-17T00:00:00", "id": "SMB_NT_MS17_MAY_OFFICE.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=100103", "published": "2017-05-10T00:00:00", "title": "Security Update for Microsoft Office Products (May 2017)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100103);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2018/09/17 21:46:53\");\n\n script_cve_id(\n \"CVE-2017-0254\",\n \"CVE-2017-0255\",\n \"CVE-2017-0261\",\n \"CVE-2017-0262\",\n \"CVE-2017-0281\"\n );\n script_bugtraq_id(\n 98101,\n 98104,\n 98107,\n 98279,\n 98297\n );\n script_xref(name:\"MSKB\", value:\"2596904\");\n script_xref(name:\"MSFT\", value:\"MS17-2596904\");\n script_xref(name:\"MSKB\", value:\"3114375\");\n script_xref(name:\"MSFT\", value:\"MS17-3114375\");\n script_xref(name:\"MSKB\", value:\"3118310\");\n script_xref(name:\"MSFT\", value:\"MS17-3118310\");\n script_xref(name:\"MSKB\", value:\"3162040\");\n script_xref(name:\"MSFT\", value:\"MS17-3162040\");\n script_xref(name:\"MSKB\", value:\"3162054\");\n script_xref(name:\"MSFT\", value:\"MS17-3162054\");\n script_xref(name:\"MSKB\", value:\"3162069\");\n script_xref(name:\"MSFT\", value:\"MS17-3162069\");\n script_xref(name:\"MSKB\", value:\"3172458\");\n script_xref(name:\"MSFT\", value:\"MS17-3172458\");\n script_xref(name:\"MSKB\", value:\"3172475\");\n script_xref(name:\"MSFT\", value:\"MS17-3172475\");\n script_xref(name:\"MSKB\", value:\"3172482\");\n script_xref(name:\"MSFT\", value:\"MS17-3172482\");\n script_xref(name:\"MSKB\", value:\"3172532\");\n script_xref(name:\"MSFT\", value:\"MS17-3172532\");\n script_xref(name:\"MSKB\", value:\"3172536\");\n script_xref(name:\"MSFT\", value:\"MS17-3172536\");\n script_xref(name:\"MSKB\", value:\"3178633\");\n script_xref(name:\"MSFT\", value:\"MS17-3178633\");\n script_xref(name:\"MSKB\", value:\"3178638\");\n script_xref(name:\"MSFT\", value:\"MS17-3178638\");\n script_xref(name:\"MSKB\", value:\"3178729\");\n script_xref(name:\"MSFT\", value:\"MS17-3178729\");\n script_xref(name:\"MSKB\", value:\"3191835\");\n script_xref(name:\"MSFT\", value:\"MS17-3191835\");\n script_xref(name:\"MSKB\", value:\"3191836\");\n script_xref(name:\"MSFT\", value:\"MS17-3191836\");\n script_xref(name:\"MSKB\", value:\"3191839\");\n script_xref(name:\"MSFT\", value:\"MS17-3191839\");\n script_xref(name:\"MSKB\", value:\"3191841\");\n script_xref(name:\"MSFT\", value:\"MS17-3191841\");\n script_xref(name:\"MSKB\", value:\"3191843\");\n script_xref(name:\"MSFT\", value:\"MS17-3191843\");\n script_xref(name:\"MSKB\", value:\"3191858\");\n script_xref(name:\"MSFT\", value:\"MS17-3191858\");\n script_xref(name:\"MSKB\", value:\"3191863\");\n script_xref(name:\"MSFT\", value:\"MS17-3191863\");\n script_xref(name:\"MSKB\", value:\"3191865\");\n script_xref(name:\"MSFT\", value:\"MS17-3191865\");\n script_xref(name:\"MSKB\", value:\"3191880\");\n script_xref(name:\"MSFT\", value:\"MS17-3191880\");\n script_xref(name:\"MSKB\", value:\"3191881\");\n script_xref(name:\"MSFT\", value:\"MS17-3191881\");\n script_xref(name:\"MSKB\", value:\"3191885\");\n script_xref(name:\"MSFT\", value:\"MS17-3191885\");\n script_xref(name:\"MSKB\", value:\"3191886\");\n script_xref(name:\"MSFT\", value:\"MS17-3191886\");\n script_xref(name:\"MSKB\", value:\"3191887\");\n script_xref(name:\"MSFT\", value:\"MS17-3191887\");\n script_xref(name:\"MSKB\", value:\"3191888\");\n script_xref(name:\"MSFT\", value:\"MS17-3191888\");\n script_xref(name:\"MSKB\", value:\"3191890\");\n script_xref(name:\"MSFT\", value:\"MS17-3191890\");\n script_xref(name:\"MSKB\", value:\"3191895\");\n script_xref(name:\"MSFT\", value:\"MS17-3191895\");\n script_xref(name:\"MSKB\", value:\"3191899\");\n script_xref(name:\"MSFT\", value:\"MS17-3191899\");\n script_xref(name:\"MSKB\", value:\"3191904\");\n script_xref(name:\"MSFT\", value:\"MS17-3191904\");\n script_xref(name:\"MSKB\", value:\"3191909\");\n script_xref(name:\"MSFT\", value:\"MS17-3191909\");\n script_xref(name:\"MSKB\", value:\"3191913\");\n script_xref(name:\"MSFT\", value:\"MS17-3191913\");\n script_xref(name:\"MSKB\", value:\"3191914\");\n script_xref(name:\"MSFT\", value:\"MS17-3191914\");\n script_xref(name:\"MSKB\", value:\"3191915\");\n script_xref(name:\"MSFT\", value:\"MS17-3191915\");\n script_xref(name:\"IAVA\", value:\"2017-A-0143\");\n\n script_name(english:\"Security Update for Microsoft Office Products (May 2017)\");\n script_summary(english:\"Checks the file versions.\");\n\n script_set_attribute(attribute:\"synopsis\",value:\n\"An application installed on the remote Windows host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\",value:\n\"The Microsoft Office application, Office Web Apps, or SharePoint\nServer installed on the remote Windows host is missing a security\nupdate. It is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists in\n Microsoft Office software due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by convincing a user to open a\n specially crafted Office document, to execute arbitrary\n code in the context of the current user. (CVE-2017-0254)\n\n - A cross-site scripting (XSS) vulnerability exists in\n Microsoft SharePoint Server due improper validation of\n user-supplied input in web requests. An unauthenticated,\n remote attacker can exploit this, via a specially\n crafted request, to execute arbitrary script code in a\n user's browser session. (CVE-2017-0255)\n\n - A remote code execution vulnerability exists in\n Microsoft Office due to improper handling of malformed\n graphics images. An unauthenticated, remote attacker can\n exploit this, by convincing a user to open a specially\n crafted EPS file, to execute arbitrary code in the\n context of the current user. (CVE-2017-0261)\n\n - A remote code execution vulnerability exists in\n Microsoft Office when handling malformed graphics\n images. An unauthenticated, remote attacker can exploit\n this, by convincing a user to open a specially crafted\n EPS file or visit a specially crafted website, to\n execute arbitrary code. (CVE-2017-0262)\n\n - A remote code execution vulnerability exists in\n Microsoft Office due to improper handling of objects in\n memory. An unauthenticated, remote attacker can exploit\n this, by convincing a user to open a specially crafted\n file, to execute arbitrary code in the context of the\n current user. (CVE-2017-0281)\");\n script_set_attribute(attribute:\"see_also\",value:\"https://portal.msrc.microsoft.com/en-us/security-guidance/summary\");\n script_set_attribute(attribute:\"solution\",value:\n\"Microsoft has released a set of patches for Microsoft Office 2007,\n2010, 2013, and 2016; Microsoft Word 2007, 2010, 2013, and 2016; Skype\nfor Business 2016; Microsoft Word Viewer; Microsoft Office\nCompatibility Pack; SharePoint Server 2010; SharePoint Enterprise\nServer 2013 and 2016; SharePoint Foundation 2013; Word Automation\nServices on Microsoft SharePoint Server 2010 and 2013; Microsoft\nOffice Project Server 2013; Microsoft Office Web Apps Server 2010 and\n2013; and Office Online Server.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-0254\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/10\");\n\n script_set_attribute(attribute:\"plugin_type\",value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:word\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:word_viewer\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office_compatibility_pack\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office_web_apps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office_online_server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:sharepoint_server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:sharepoint_foundation\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:project\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:skype_for_business\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\n \"office_installed.nasl\",\n \"microsoft_sharepoint_installed.nbin\",\n \"microsoft_owa_installed.nbin\",\n \"microsoft_office_compatibility_pack_installed.nbin\",\n \"microsoft_lync_server_installed.nasl\",\n \"smb_hotfixes.nasl\",\n \"ms_bulletin_checks_possible.nasl\"\n );\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\nglobal_var vuln;\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS17-05\";\nkbs = make_list(\n '2596904', # Office 2007 SP3\n '3114375', # Office 2016\n '3118310', # Office 2010 SP2\n '3162040', # Word Automation Services on SharePoint Server 2013 SP1\n '3162054', # SharePoint Foundation 2013 SP1\n '3162069', # SharePoint Server 2013 SP1\n '3172458', # Office 2013 SP1\n '3172475', # Sharepoint Server 2013 SP1\n '3172482', # SharePoint Server 2013 SP1\n '3172532', # SharePoint Server 2013 SP1\n '3172536', # SharePoint Server 2013 SP1\n '3178633', # SharePoint Server 2013 SP1\n '3178638', # SharePoint Server 2013 SP1\n '3178729', # Word 2013 SP1\n '3191835', # Office Compatibility Pack SP3\n '3191836', # Word 2007 SP3\n '3191839', # SharePoint Server 2010 SP2\n '3191839', # Word Automation Services on SharePoint Server 2010 SP2\n '3191841', # Office 2010 SP2\n '3191841', # Word 2010 SP2\n '3191843', # Word 2010 SP2\n '3191858', # Skype for Business 2016\n '3191863', # Office 2016\n '3191865', # Word 2016\n '3191880', # SharePoint Enterprise Server 2016\n '3191881', # Office 2016\n '3191885', # Office 2013 SP1\n '3191886', # SharePoint Server 2013 SP1\n '3191887', # Excel Services on SharePoint Server 2013\n '3191888', # Office Web Apps 2013 SP1\n '3191890', # Project Server 2013 SP1\n '3191895', # Office 2007 SP3\n '3191899', # Office 2010 SP2\n '3191904', # Office Web Apps 2010 SP2\n '3191909', # Office Word Viewer\n '3191913', # SharePoint Enterprise Server 2013 SP1\n '3191914', # SharePoint Foundation 2013 SP1\n '3191915' # Office Online Server 2016\n);\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\", exit_code:1);\n\n# Get path information for Windows.\nwindir = hotfix_get_systemroot();\nif (isnull(windir)) exit(1, \"Failed to determine the location of %windir%.\");\n\nregistry_init();\nhklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\nglobal_var office_online_server_path = get_registry_value(\n handle : hklm,\n item : \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Office16.WacServer\\InstallLocation\"\n);\nRegCloseKey(handle:hklm);\nclose_registry(close:FALSE);\n\nvuln = FALSE;\nxss = FALSE;\nport = kb_smb_transport();\n\n######################################################################\n# Office 2007, 2010, 2013, 2016\n######################################################################\nfunction perform_office_checks()\n{\n local_var office_vers, office_sp, common_path, path, prod, file, kb;\n office_vers = hotfix_check_office_version();\n\n ####################################################################\n # Office 2007 SP3 Checks\n ####################################################################\n if (office_vers[\"12.0\"])\n {\n office_sp = get_kb_item(\"SMB/Office/2007/SP\");\n if (!isnull(office_sp) && office_sp == 3)\n {\n prod = \"Microsoft Office 2007 SP3\";\n path = hotfix_append_path(\n path : hotfix_get_officecommonfilesdir(officever:\"12.0\"),\n value : \"Microsoft Shared\\Office12\"\n );\n if (hotfix_check_fversion(file:\"mso.dll\", version:\"12.0.6768.5000\", path:path, kb:\"3191895\", bulletin:bulletin, product:prod) == HCF_OLDER)\n vuln = TRUE;\n if (hotfix_check_fversion(file:\"riched20.dll\", version:\"12.0.6768.5000\", path:path, kb:\"2596904\", bulletin:bulletin, product:prod) == HCF_OLDER)\n vuln = TRUE;\n }\n }\n\n ####################################################################\n # Office 2010 SP2 Checks\n # wwlibcxm.dll only exists if KB2428677 is installed\n ####################################################################\n if (office_vers[\"14.0\"])\n {\n office_sp = get_kb_item(\"SMB/Office/2010/SP\");\n if (!isnull(office_sp) && office_sp == 2)\n {\n prod = \"Microsoft Office 2010 SP2\";\n common_path = hotfix_get_officecommonfilesdir(officever:\"14.0\");\n\n path = hotfix_append_path(\n path : common_path,\n value : \"Microsoft Shared\\Office14\"\n );\n if (hotfix_check_fversion(file:\"mso.dll\", version:\"14.0.7181.5000\", path:path, kb:\"3191899\", bulletin:bulletin, product:prod) == HCF_OLDER)\n vuln = TRUE;\n\n path = hotfix_append_path(\n path : common_path,\n value : \"\\Microsoft Shared\\GRPHFLT\"\n );\n if (hotfix_check_fversion(file:\"epsimp32.flt\", version:\"2010.1400.7181.5002\", min_version:\"2010.1400.0.0\", path:path, kb:\"3118310\", bulletin:bulletin, product:prod) == HCF_OLDER)\n vuln = TRUE;\n\n path = hotfix_get_officeprogramfilesdir(officever:\"14.0\");\n if (hotfix_check_fversion(file:\"wwlibcxm.dll\", version:\"14.0.7181.5000\", path:path, kb:\"3191841\", bulletin:bulletin, product:prod) == HCF_OLDER)\n vuln = TRUE;\n }\n }\n\n ####################################################################\n # Office 2013 SP1 Checks\n ####################################################################\n if (office_vers[\"15.0\"])\n {\n office_sp = get_kb_item(\"SMB/Office/2013/SP\");\n if (!isnull(office_sp) && office_sp == 1)\n {\n prod = \"Microsoft Office 2013 SP1\";\n common_path = hotfix_get_officecommonfilesdir(officever:\"15.0\");\n\n path = hotfix_append_path(\n path : common_path,\n value : \"Microsoft Shared\\Office15\"\n );\n if (hotfix_check_fversion(file:\"mso.dll\", version:\"15.0.4927.1000\", path:path, kb:\"3191885\", bulletin:bulletin, product:prod) == HCF_OLDER)\n vuln = TRUE;\n\n path = hotfix_append_path(\n path : common_path,\n value : \"Microsoft Shared\\GRPHFLT\"\n );\n if (hotfix_check_fversion(file:\"epsimp32.flt\", version:\"2012.1500.4927.1002\", min_version:\"2012.1500.0.0\", path:path, kb:\"3172458\", bulletin:bulletin, product:prod) == HCF_OLDER)\n vuln = TRUE;\n }\n }\n\n ####################################################################\n # Office 2016 Checks\n ####################################################################\n if (office_vers[\"16.0\"])\n {\n office_sp = get_kb_item(\"SMB/Office/2016/SP\");\n if (!isnull(office_sp) && office_sp == 0)\n {\n prod = \"Microsoft Office 2016\";\n common_path = hotfix_get_officecommonfilesdir(officever:\"16.0\");\n\n kb = \"3191881\";\n file = \"mso.dll\";\n path = hotfix_append_path(\n path : common_path,\n value : \"Microsoft Shared\\Office16\"\n );\n if (\n hotfix_check_fversion(file:file, version:\"16.0.4534.1000\", channel:\"MSI\", channel_product:\"Office\", path:path, kb:kb, bulletin:bulletin, product:prod) == HCF_OLDER ||\n hotfix_check_fversion(file:file, version:\"16.0.6925.1059\", channel:\"Deferred\", channel_product:\"Office\", path:path, kb:kb, bulletin:bulletin, product:prod) == HCF_OLDER ||\n hotfix_check_fversion(file:file, version:\"16.0.7329.1054\", channel:\"Deferred\", channel_version:\"1609\", channel_product:\"Office\", path:path, kb:kb, bulletin:bulletin, product:prod) == HCF_OLDER ||\n hotfix_check_fversion(file:file, version:\"16.0.7726.1036\", channel:\"First Release for Deferred\", channel_product:\"Office\", path:path, kb:kb, bulletin:bulletin, product:prod) == HCF_OLDER ||\n hotfix_check_fversion(file:file, version:\"16.0.7927.1024\", channel:\"Current\", channel_product:\"Office\", path:path, kb:kb, bulletin:bulletin, product:prod) == HCF_OLDER\n )\n vuln = TRUE;\n\n kb = \"3191863\";\n file = \"mso99lres.dll\";\n path = hotfix_append_path(\n path : common_path,\n value : \"Microsoft Shared\\Office16\"\n );\n if (\n hotfix_check_fversion(file:file, version:\"16.0.4519.1000\", channel:\"MSI\", channel_product:\"Office\", path:path, kb:kb, bulletin:bulletin, product:prod) == HCF_OLDER ||\n hotfix_check_fversion(file:file, version:\"16.0.6925.1059\", channel:\"Deferred\", channel_product:\"Office\", path:path, kb:kb, bulletin:bulletin, product:prod) == HCF_OLDER ||\n hotfix_check_fversion(file:file, version:\"16.0.7329.1054\", channel:\"Deferred\", channel_version:\"1609\", channel_product:\"Office\", path:path, kb:kb, bulletin:bulletin, product:prod) == HCF_OLDER ||\n hotfix_check_fversion(file:file, version:\"16.0.7766.7054\", channel:\"First Release for Deferred\", channel_product:\"Office\", path:path, kb:kb, bulletin:bulletin, product:prod) == HCF_OLDER ||\n hotfix_check_fversion(file:file, version:\"16.0.7927.1024\", channel:\"Current\", channel_product:\"Office\", path:path, kb:kb, bulletin:bulletin, product:prod) == HCF_OLDER\n )\n vuln = TRUE;\n\n kb = \"3114375\";\n file = \"epsimp32.flt\";\n path = hotfix_append_path(\n path : common_path,\n value : \"Microsoft Shared\\GRPHFLT\"\n );\n if (\n hotfix_check_fversion(file:file, version:\"16.0.4534.1002\", channel:\"MSI\", channel_product:\"Office\", path:path, kb:kb, bulletin:bulletin, product:prod) == HCF_OLDER ||\n hotfix_check_fversion(file:file, version:\"16.0.6925.1059\", channel:\"Deferred\", channel_product:\"Office\", path:path, kb:kb, bulletin:bulletin, product:prod) == HCF_OLDER ||\n hotfix_check_fversion(file:file, version:\"16.0.7329.1054\", channel:\"Deferred\", channel_version:\"1609\", channel_product:\"Office\", path:path, kb:kb, bulletin:bulletin, product:prod) == HCF_OLDER ||\n hotfix_check_fversion(file:file, version:\"16.0.7726.1036\", channel:\"First Release for Deferred\", channel_product:\"Office\", path:path, kb:kb, bulletin:bulletin, product:prod) == HCF_OLDER ||\n hotfix_check_fversion(file:file, version:\"16.0.7927.1024\", channel:\"Current\", channel_product:\"Office\", path:path, kb:kb, bulletin:bulletin, product:prod) == HCF_OLDER\n )\n vuln = TRUE;\n }\n }\n}\n\n######################################################################\n# Word 2007, 2010, 2013, 2016\n######################################################################\nfunction perform_word_checks()\n{\n local_var word_checks, kb16;\n\n kb16 = \"3191865\";\n word_checks = make_array(\n \"12.0\", make_array(\"sp\", 3, \"version\", \"12.0.6768.5000\", \"kb\", \"3191836\"),\n \"14.0\", make_array(\"sp\", 2, \"version\", \"14.0.7181.5000\", \"kb\", \"3191843\"),\n \"15.0\", make_array(\"sp\", 1, \"version\", \"15.0.4927.1000\", \"kb\", \"3178729\"),\n \"16.0\", make_nested_list(\n make_array(\"sp\", 0, \"version\", \"16.0.4534.1000\", \"channel\", \"MSI\", \"kb\", kb16),\n make_array(\"sp\", 0, \"version\", \"16.0.6965.2150\", \"channel\", \"Deferred\", \"kb\", kb16),\n make_array(\"sp\", 0, \"version\", \"16.0.7369.2130\", \"channel\", \"Deferred\", \"channel_version\", \"1609\", \"kb\", kb16),\n make_array(\"sp\", 0, \"version\", \"16.0.7766.2084\", \"channel\", \"First Release for Deferred\", \"kb\", kb16),\n make_array(\"sp\", 0, \"version\", \"16.0.7967.2161\", \"channel\", \"Current\", \"kb\", kb16)\n )\n );\n if (hotfix_check_office_product(product:\"Word\", checks:word_checks, bulletin:bulletin))\n vuln = TRUE;\n}\n\n######################################################################\n# Compatibility Pack\n######################################################################\nfunction perform_comppack_checks()\n{\n local_var install, installs, path;\n\n ####################################################################\n # Word Compatibility Pack\n ####################################################################\n installs = get_kb_list(\"SMB/Office/WordCnv/*/ProductPath\");\n foreach install (keys(installs))\n {\n path = installs[install];\n path = ereg_replace(pattern:'^(.+)\\\\\\\\[^\\\\\\\\]+\\\\.exe$', replace:\"\\1\\\", string:path, icase:TRUE);\n if(hotfix_check_fversion(path:path, file:\"wordcnv.dll\", version:\"12.0.6768.5000\", kb:\"3191835\", bulletin:bulletin, min_version:\"12.0.0.0\", product:\"Microsoft Office Compatibility Pack\") == HCF_OLDER)\n vuln = TRUE;\n }\n}\n\n######################################################################\n# Word Viewer\n######################################################################\nfunction perform_viewer_checks()\n{\n var word_vwr_checks = make_array(\n \"11.0\", make_array(\"version\", \"11.0.8441.0\", \"kb\", \"3191909\")\n );\n if (hotfix_check_office_product(product:\"WordViewer\", display_name:\"Word Viewer\", checks:word_vwr_checks, bulletin:bulletin))\n vuln = TRUE;\n}\n\n######################################################################\n# Skype for Business 2016\n######################################################################\nfunction perform_skype_checks()\n{\n if (int(get_install_count(app_name:\"Microsoft Lync\")) <= 0)\n return NULL;\n\n var lync_install, lync_installs, kb, file, prod;\n\n kb = \"3191858\";\n file = \"Lync.exe\";\n prod = \"Skype for Business 2016\";\n lync_installs = get_installs(app_name:\"Microsoft Lync\");\n foreach lync_install (lync_installs[1])\n {\n if (lync_install[\"version\"] !~ \"^16\\.0\\.\") continue;\n if (\"Server\" >< lync_install[\"Product\"]) continue;\n\n # MSI\n if (lync_install['Channel'] == \"MSI\" || empty_or_null(lync_install['Channel']))\n {\n if (hotfix_check_fversion(file:file, version:\"16.0.4534.1000\", channel:\"MSI\", channel_product:\"Lync\", path:lync_install[\"path\"], kb:kb, bulletin:bulletin, product:prod) == HCF_OLDER)\n vuln = TRUE;\n }\n # Deferred\n else if (lync_install['Channel'] == \"Deferred\")\n {\n if (\n hotfix_check_fversion(file:file, version:\"16.0.6965.2150\", channel:\"Deferred\", channel_product:\"Lync\", path:lync_install[\"path\"], kb:kb, bulletin:bulletin, product:prod) == HCF_OLDER ||\n hotfix_check_fversion(file:file, version:\"16.0.7369.2130\", channel:\"Deferred\", channel_version:\"1609\", channel_product:\"Lync\", path:lync_install[\"path\"], kb:kb, bulletin:bulletin, product:prod) == HCF_OLDER\n )\n vuln = TRUE;\n }\n else if (lync_install['Channel'] == \"First Release for Deferred\")\n {\n if (hotfix_check_fversion(file:file, version:\"16.0.7766.2084\", channel:\"First Release for Deferred\", channel_product:\"Lync\", path:lync_install[\"path\"], kb:kb, bulletin:bulletin, product:prod) == HCF_OLDER)\n vuln = TRUE;\n }\n else if (lync_install['Channel'] == \"Current\")\n {\n if (hotfix_check_fversion(file:file, version:\"16.0.7967.2161\", channel:\"Current\", channel_product:\"Lync\", path:lync_install[\"path\"], kb:kb, bulletin:bulletin, product:prod) == HCF_OLDER)\n vuln = TRUE;\n }\n }\n}\n\n######################################################################\n# Office Web Apps 2010, 2013\n######################################################################\nfunction perform_owa_checks()\n{\n local_var owa_installs, owa_install;\n local_var owa_2010_path, owa_2010_sp;\n local_var owa_2013_path, owa_2013_sp;\n local_var path;\n\n # Get installs of Office Web Apps\n owa_installs = get_installs(app_name:\"Microsoft Office Web Apps\");\n if (!empty_or_null(owa_installs))\n {\n foreach owa_install (owa_installs[1])\n {\n if (owa_install[\"Product\"] == \"2010\")\n {\n owa_2010_path = owa_install[\"path\"];\n owa_2010_sp = owa_install[\"SP\"];\n }\n else if (owa_install[\"Product\"] == \"2013\")\n {\n owa_2013_path = owa_install[\"path\"];\n owa_2013_sp = owa_install[\"SP\"];\n }\n }\n }\n\n ####################################################################\n # Office Web Apps 2010 SP2\n ####################################################################\n if (owa_2010_path && (!isnull(owa_2010_sp) && owa_2010_sp == \"2\"))\n {\n path = hotfix_append_path(path:owa_2010_path, value:\"14.0\\WebServices\\ConversionService\\Bin\\Converter\");\n if (hotfix_check_fversion(file:\"sword.dll\", version:\"14.0.7181.5000\", min_version:\"14.0.7015.1000\", path:path, kb:\"3191904\", bulletin:bulletin, product:\"Office Web Apps 2010\") == HCF_OLDER)\n vuln = TRUE;\n }\n\n ####################################################################\n # Office Web Apps 2013 SP1\n ####################################################################\n if (owa_2013_path && (!isnull(owa_2013_sp) && owa_2013_sp == \"1\"))\n {\n path = hotfix_append_path(path:owa_2013_path, value:\"WordConversionService\\bin\\Converter\");\n if (hotfix_check_fversion(file:\"sword.dll\", version:\"15.0.4927.1000\", min_version:\"15.0.4571.1500\", path:path, kb:\"3191888\", bulletin:bulletin, product:\"Office Web Apps 2013\") == HCF_OLDER)\n vuln = TRUE;\n }\n}\n\n######################################################################\n# Office Online Server\n######################################################################\nfunction perform_oos_checks()\n{\n var path;\n\n if(office_online_server_path)\n {\n path = hotfix_append_path(path:office_online_server_path, value:\"WordConversionService\\bin\\Converter\");\n if (hotfix_check_fversion(file:\"sword.dll\", version:\"16.0.7726.1035\", min_version:\"16.0.6000.0\", path:path, kb:\"3191915\", bulletin:bulletin, product:\"Office Online Server\") == HCF_OLDER)\n vuln = TRUE;\n }\n}\n\n######################################################################\n# SharePoint\n######################################################################\nfunction perform_sharepoint_checks()\n{\n local_var sps_2010_path, sps_2010_sp, sps_2010_edition;\n local_var sps_2013_path, sps_2013_sp, sps_2013_edition;\n local_var sps_2016_path, sps_2016_sp, sps_2016_edition;\n local_var installs, install, path;\n\n installs = get_installs(app_name:\"Microsoft SharePoint Server\");\n\n foreach install (installs[1])\n {\n if (install[\"Product\"] == \"2016\")\n {\n sps_2016_path = install['path'];\n sps_2016_sp = install['SP'];\n sps_2016_edition = install['Edition'];\n }\n else if (install[\"Product\"] == \"2013\")\n {\n sps_2013_path = install['path'];\n sps_2013_sp = install['SP'];\n sps_2013_edition = install['Edition'];\n }\n else if (install[\"Product\"] == \"2010\")\n {\n sps_2010_path = install['path'];\n sps_2010_sp = install['SP'];\n sps_2010_edition = install['Edition'];\n }\n }\n\n ######################################################################\n # SharePoint Server 2016\n ######################################################################\n if (sps_2016_path && sps_2016_sp == \"0\" && sps_2016_edition == \"Server\")\n {\n path = hotfix_append_path(path:sps_2016_path, value:\"WebServices\\ConversionServices\");\n if (hotfix_check_fversion(file:\"sword.dll\", version:\"16.0.4534.1000\", min_version:\"16.0.0.0\", path:path, kb:\"3191880\", bulletin:bulletin, product:\"Office SharePoint Server 2016\") == HCF_OLDER)\n vuln = TRUE;\n }\n\n ######################################################################\n # SharePoint Server 2013 SP1\n ######################################################################\n if (sps_2013_path && sps_2013_sp == \"1\")\n {\n if(sps_2013_edition == \"Server\")\n {\n # Files under <sps_2013_path>\\bin\n path = hotfix_append_path(path:sps_2013_path, value:\"Bin\");\n if (hotfix_check_fversion(file:\"Microsoft.Office.Project.Server.Library.dll\", version:\"15.0.4873.1000\", min_version:\"15.0.0.0\", path:path, kb:\"3191890\", bulletin:bulletin, product:\"Microsoft Project Server 2013\") == HCF_OLDER)\n vuln = TRUE;\n\n if (hotfix_check_fversion(file:\"xlsrv.dll\", version:\"15.0.4927.1000\", min_version:\"15.0.0.0\", path:path, kb:\"3191887\", bulletin:bulletin, product:\"Office SharePoint Server 2013 Excel Services\") == HCF_OLDER)\n vuln = TRUE;\n\n # Files under <sps_2013_path>\\WebServices\\ConversionServices\n path = hotfix_append_path(path:sps_2013_path, value:\"WebServices\\ConversionServices\");\n if (hotfix_check_fversion(file:\"sword.dll\", version:\"15.0.4927.1000\", min_version:\"15.0.0.0\", path:path, kb:\"3162040\", bulletin:bulletin, product:\"Office SharePoint Server 2013 Word Automation Services\") == HCF_OLDER)\n vuln = TRUE;\n\n if (hotfix_check_fversion(file:\"oartserver.dll\", version:\"15.0.4927.1000\", min_version:\"15.0.0.0\", path:path, kb:\"3162069\", bulletin:bulletin, product:\"Office SharePoint Server 2013\") == HCF_OLDER)\n vuln = TRUE;\n\n if (hotfix_check_fversion(file:\"msores.dll\", version:\"15.0.4913.1000\", min_version:\"15.0.0.0\", path:path, kb:\"3172482\", bulletin:bulletin, product:\"SharePoint Server 2013\") == HCF_OLDER)\n vuln = TRUE;\n\n if (hotfix_check_fversion(file:\"htmlutil.dll\", version:\"15.0.4927.1000\", min_version:\"15.0.0.0\", path:path, kb:\"3178633\", bulletin:bulletin, product:\"Office SharePoint Server 2013\") == HCF_OLDER)\n vuln = TRUE;\n\n if (hotfix_check_fversion(file:\"msoserver.dll\", version:\"15.0.4927.1000\", path:path, kb:\"3172475\", bulletin:bulletin, product:\"Office SharePoint Server 2013\") == HCF_OLDER)\n vuln = TRUE;\n\n path = hotfix_append_path(path:windir, value:\"Microsoft.NET\\assembly\\GAC_MSIL\\Microsoft.Office.Visio.Server\\v4.0_15.0.0.0__71e9bce111e9429c\");\n if (hotfix_check_fversion(file:\"Microsoft.Office.Visio.Server.dll\", version:\"15.0.4797.1000\", path:path, kb:\"3178638\", bulletin:bulletin, product:\"Office SharePoint Server 2013\") == HCF_OLDER)\n vuln = TRUE;\n\n path = hotfix_append_path(path:windir, value:\"Microsoft.NET\\assembly\\GAC_MSIL\\Microsoft.SharePoint.Publishing\\v4.0_15.0.0.0__71e9bce111e9429c\");\n if (hotfix_check_fversion(file:\"Microsoft.SharePoint.Publishing.dll\", version:\"15.0.4927.1000\", path:path, kb:\"3191886\", bulletin:bulletin, product:\"Office SharePoint Server 2013\") == HCF_OLDER)\n vuln = TRUE;\n\n path = hotfix_append_path(path:windir, value:\"Microsoft.NET\\assembly\\GAC_MSIL\\Microsoft.SharePoint.Client.UserProfiles\\v4.0_15.0.0.0__71e9bce111e9429c\");\n if (hotfix_check_fversion(file:\"Microsoft.SharePoint.Client.UserProfiles.dll\", version:\"15.0.4745.1000\", path:path, kb:\"3172532\", bulletin:bulletin, product:\"Office SharePoint Server 2013\") == HCF_OLDER)\n vuln = TRUE;\n\n path = hotfix_append_path(path:windir, value:\"Microsoft.NET\\assembly\\GAC_MSIL\\Microsoft.Office.InfoPath.Server\\v4.0_15.0.0.0__71e9bce111e9429c\");\n if (hotfix_check_fversion(file:\"Microsoft.Office.InfoPath.Server.dll\", version:\"15.0.4873.1000\", path:path, kb:\"3172536\", bulletin:bulletin, product:\"Office SharePoint Server 2013\") == HCF_OLDER)\n vuln = TRUE;\n }\n else if (sps_2013_edition == \"Foundation\")\n {\n var commonfiles = hotfix_get_commonfilesdir();\n if (!commonfiles) commonfiles = hotfix_get_commonfilesdirx86();\n\n if(commonfiles) path = hotfix_append_path(path:commonfiles, value:\"Microsoft Shared\\Web Server Extensions\\15\\BIN\");\n else path = hotfix_append_path(path:sps_2013_path, value:\"BIN\");\n if (hotfix_check_fversion(file:\"onetutil.dll\", version:\"15.0.4927.1000\", min_version:\"15.0.0.0\", path:path, kb:\"3191914\", bulletin:bulletin, product:\"Office Sharepoint Foundation 2013\") == HCF_OLDER)\n {\n vuln = TRUE;\n xss = TRUE;\n }\n\n path = hotfix_append_path(path:sps_2013_path, value:\"WebServices\\ConversionServices\");\n if (hotfix_check_fversion(file:\"htmlutil.dll\", version:\"15.0.4927.1000\", min_version:\"15.0.0.0\", path:path, kb:\"3162054\", bulletin:bulletin, product:\"Office Sharepoint Foundation 2013\") == HCF_OLDER)\n vuln = TRUE;\n }\n }\n\n ######################################################################\n # SharePoint Server 2010 SP2\n ######################################################################\n if (sps_2010_path && sps_2010_sp == \"2\" && sps_2010_edition == \"Server\")\n {\n path = hotfix_append_path(path:sps_2010_path, value:\"WebServices\\WordServer\\Core\");\n if (hotfix_check_fversion(file:\"sword.dll\", version:\"14.0.7181.5000\", path:path, kb:\"3191839\", bulletin:bulletin, product:\"Office SharePoint Server 2010 Word Automation Services\") == HCF_OLDER)\n vuln = TRUE;\n }\n}\n\nperform_office_checks();\nperform_word_checks();\nperform_comppack_checks();\nperform_viewer_checks();\nperform_skype_checks();\nperform_owa_checks();\nperform_oos_checks();\nperform_sharepoint_checks();\n\nif (vuln)\n{\n # CVE-2017-0255\n if(xss) replace_kb_item(name:'www/'+port+'/XSS', value:TRUE);\n\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "myhack58": [{"lastseen": "2017-05-17T11:27:29", "bulletinFamily": "info", "description": "In 2015, FireEye released a Microsoft Office EPS\uff08Encapsulated PostScript in the two vulnerability details. Wherein, a is 0day vulnerabilities, one in the attack a few weeks before playing the patch. Recently, FireEye and Microsoft Office products in the discovery of three new 0day vulnerabilities, these vulnerabilities are being the attacker. \nIn 2017 at the end of 3, We detected another malicious file, which uses the EPS of the unknown vulnerabilities and the Windows Graphics Device Interface GDI in the recently patched vulnerability to deliver malicious software. Subsequently, Microsoft in the 2017 year 4 months to deactivate the EPS, but FireEye in EPS, and found a second unknown vulnerability. \nFireEye believes that there are two organizations Turla and another unknown financial criminal organizations is the use of the first EPS 0day Vulnerability CVE-2017-0261, and APT28, is to use the second EPS 0day Vulnerability CVE-2017-0262 and a new privilege escalation\uff08EOP\uff09 0day Vulnerability CVE-2017-0263 in. Turla and APT28 is Russian cyber espionage organizations, they will these 0day vulnerabilities applied to European Foreign and military Department. And this unidentified financial crime organizations are specifically targeted in the Middle East with offices of regional banks and global banks. In the following, we proceed with the introduction of EPS 0day vulnerabilities, related malware and new EOP 0day vulnerabilities. Each EPS 0day vulnerabilities are provided in the corresponding EOP exploit code, in order to provide the right, the code must bypass the sandbox, in order to perform the processing for the EPS FLTLDR. EXE instance. \nWe found that the malicious file is used for the delivery of three different payload. CVE-2017-0261 for delivery SHIRIME\uff08Turla and NETWIRE\uff08unknown financial crime organization, CVE-2017-0262 for delivery GAMEFISH\uff08APT28 it. CVE-2017-0263 for delivery GAMEFISH payload during the elevated privileges. \nFireEye the company's e-mail and network product detects these malicious files. \nIn these Vulnerability Information Disclosure, FireEye has been with the Microsoft Security Response Center MSRC for coordination. Microsoft recommends that all customers follow the security advice ADV170005 in the guidance, do a good job related security and Defense work. \nCVE-2017-0261--EPS\u201crestore\u201dUAF vulnerability \nOpen the Office document, FLTLDR. EXE will be used for rendering included the vulnerability of the embedded EPS image. Here the EPS file is a PostScript program, you can\u201crestore\u201doperation using the UAF vulnerability. \nAccording to the PostScript of the official Description:\u201ca local VM object allocation and the local VM in the existing objects of the modified called by the save and restore function is completed, in the name of the corresponding operation identifier, you can refer to them. save and restore can be used to package in the local VM in the PostScript language program related to the code. restore to be able to release the newly created object, and undo from the corresponding save operation after the existing object to modify.\u201d \nAs described above, the restore operation will be recovered from the save operation after the allocated memory. For the UAF vulnerability to say, when the forall operation of the combination, then it could not be better. Figure 1 shows the use of the save and restore operation of the pseudo-code. \n! [](/Article/UploadPic/2017-5/2017517184135487. png? www. myhack58. com) \nFigure 1: exploit the pseudo-code \nThe following operation allows the pseudo-code leaks the metadata, in order to achieve the Read/Write primitives: \n1\\. Create forall_proc array, only a single restore proc elements \n2\\. The EPS state is saved to eps_state \n3\\. In the Save created after the uaf_array \n4\\. Use forall operation to traverse uaf_array elements, for each element call forall_proc \n5\\. The uaf_array the first element is passed to the restore_proc of the call, the process contained in the forall_proc. \n6\\. restore_proc \nTo restore the initial state, the release uaf_array \nalloc_string process will be recycled to release the uaf_array \nforall_proc to call leak_proc \n7\\. forall operation of the follow-up calls for the recovery of uaf_array each element of the call leak_proc, these elements are now stored alloc_string the results of the process \nFigure 2 demonstrates in recovery after using uaf_array the debug log. \n! [](/Article/UploadPic/2017-5/2017517184136535. png? www. myhack58. com) \nFigure 2: uaf_array recycle the debug log \nThrough the operation of save operation after the identifier of the operation, the attacker can manipulate the memory layout, and the UAF vulnerability is converted to a read/write primitive. Figure 3 shows a forgery of the string, the length is set to 0x7fffffff, the cardinality is 0. \n! [](/Article/UploadPic/2017-5/2017517184136165. png? www. myhack58. com) \nFigure 3: Forge of the string object \nThe use of read and write arbitrary user memory capacity, The EPS program may further search the gadgets to build ROP chains, and create a file object. Figure 4 shows the in-memory fake file objects. \n! [](/Article/UploadPic/2017-5/2017517184136436. png? www. myhack58. com) \nFigure 4: with the ROP of the pseudo-file object \nBy Faking the file object call to closefile, the exploit code can be transferred to the ROP and start the shellcode with. Figure 5 shows closefile processing program part of the disassembly procedure. \n! [](/Article/UploadPic/2017-5/2017517184136717. png? www. myhack58. com) \nFigure 5: closefile Stack Pivot the disassembly code \nOnce executed, the malware will use the ROP chain to modify the stored shellcode memory region of the protection mechanisms. Thus, the shellcode will be able to perform FLTLDR. EXE running in a sandbox, and at the same time, in order to escape the sandbox detection, it also needs to further mention the right. \nAccording to FireEye found that the use of the vulnerability of the EPS program has two different versions. Wherein st07383. en17. docx using 32 or 64 bit version of CVE-2017-0001 to provide the right, and then perform a contains called SHIRIME malware inject the JavaScript payload. SHIRIME is Turla commonly used specially crafted JavaScript injector one, as the first stage of the payload into the target system, and implements the management and control functions. From the beginning of 2016 since we observed in the wild using the SHIRIME had many times revision, in this 0day vulnerability used in the attack was the latest version, v1. 0. 1004\uff09 \nThe second document Confirmation_letter. docx using 32 or 64 bit version of CVE-2016-7255 to mention the right, and then injected into the NETWIRE malware a new variant. According to our observation, the file is a different version of the file name is very similar. \nThese documents in the EPS program contains different logic to complete the ROP chain and shellcode construct. At the same time, it also uses a simple algorithm for the shellcode part of the obfuscation process, specifically as shown in Figure 6. \n\n\n**[1] [[2]](<86206_2.htm>) [[3]](<86206_3.htm>) [next](<86206_2.htm>)**\n", "modified": "2017-05-17T00:00:00", "published": "2017-05-17T00:00:00", "id": "MYHACK58:62201786206", "href": "http://www.myhack58.com/Article/html/3/62/2017/86206.htm", "title": "For the APT organization to use the EPS vulnerabilities in and mention the right vulnerability analysis-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-06-13T15:28:22", "bulletinFamily": "info", "description": "This article is for me at Bluehat Shanghai 2019 presentation of an extended summary. In this article, I will summarize the 2010 to 2018 years of Office-related 0day/1day vulnerability. I will be for each type of vulnerability do once carded, and for each vulnerability related to the analysis of the articles referenced and categorized. \nHope this article can help to follow-up engaged in office vulnerability research. \n\nOverview \nFrom 2010 to 2018, the office of the 0day/1day attack has never been suspended before. Some of the following CVE number, is my in the course of the study specifically observed, there have been actual attacks sample 0day/1day vulnerability(perhaps there are some omissions, the reader can Supplement the). \nWe first look at the specific CVE number. \nYear \nNumber \n2010 \nCVE-2010-3333 \n2011 \nCVE-2011-0609/CVE-2011-0611 \n2012 \nCVE-2012-0158/CVE-2012-0779/CVE-2012-1535/CVE-2012-1856 \n2013 \nCVE-2013-0634/CVE-2013-3906 \n2014 \nCVE-2014-1761/CVE-2014-4114/CVE-2014-6352 \n2015 \nCVE-2015-0097/CVE-2015-1641/CVE-2015-1642/CVE-2015-2424/CVE-2015-2545/CVE-2015-5119/CVE-2015-5122/CVE-2015-7645 \n2016 \nCVE-2016-4117/CVE-2016-7193/CVE-2016-7855 \n2017 \nCVE-2017-0199/CVE-2017-0261/CVE-2017-0262/CVE-2017-8570/CVE-2017-8759/CVE-2017-11826/CVE-2017-11882/CVE-2017-11292 \n2018 \nCVE-2018-0798/CVE-2018-0802/CVE-2018-4878/CVE-2018-5002/CVE-2018-8174/CVE-2018-8373/CVE-2018-15982 \nOur first press Assembly of the type above-described vulnerability classification. Note that, the Flash itself also belongs to the ActiveX control-a, the following table of classification I be independently classified as a class. \nComponent type \nNumber \nRTF control word parsing problem \nCVE-2010-3333/CVE-2014-1761/CVE-2016-7193 \nThe Open XML tag parsing problem \nCVE-2015-1641/CVE-2017-11826 \nActiveX control to resolve the problem \nCVE-2012-0158/CVE-2012-1856/CVE-2015-1642/CVE-2015-2424/CVE-2017-11882/CVE-2018-0798/CVE-2018-0802 \nOffice embedded Flash vulnerabilities \nCVE-2011-0609/CVE-2011-0611/CVE-2012-0779/CVE-2012-1535/CVE-2013-0634/CVE-2015-5119/CVE-2015-5122/CVE-2015-7645/CVE-2016-4117/CVE-2016-7855/CVE-2017-11292/CVE-2018-4878/CVE-2018-5002/CVE-2018-15982 \nOffice TIFF image parsing vulnerability \nCVE-2013-3906 \nOffice EPS file parsing vulnerability \nCVE-2015-2545/CVE-2017-0261/CVE-2017-0262 \nBy means of the Moniker the loading vulnerability \nCVE-2017-0199/CVE-2017-8570/CVE-2017-8759/CVE-2018-8174/CVE-2018-8373 \nOther Office logic vulnerability \nCVE-2014-4114/CVE-2014-6352/CVE-2015-0097 \nWe then based on the vulnerability type of the above-mentioned non-Flash vulnerabilities classification. Flash vulnerabilities related to the summary you can refer to other researcher's articles \nVulnerability type \nNumber \nStack Overflow(Stack Overflow) \nCVE-2010-3333/CVE-2012-0158/CVE-2017-11882/CVE-2018-0798/CVE-2018-0802 \nStack bounds write(Out-of-bound Write) \nCVE-2014-1761/CVE-2016-7193 \nType confusion(Type Confusion) \nCVE-2015-1641/CVE-2017-11826/CVE-2017-0262 \nAfter the release of reuse(Use After Free) \nCVE-2012-1856/CVE-2015-1642/CVE-2015-2424/CVE-2015-2545/CVE-2017-0261/CVE-2018-8174/CVE-2018-8373 \nInteger overflow(Integer Overflow) \nCVE-2013-3906 \nLogic vulnerabilities(Logical vulnerability) \nCVE-2014-4114/CVE-2014-6352/CVE-2015-0097/CVE-2017-0199/CVE-2017-8570/CVE-2017-8759 \nNext We according to the above second table Flash vulnerability, except to one by one look at these vulnerabilities. \n\nRTF control word parsing problem \nCVE-2010-3333 \nThe vulnerability is the Cohen laboratory head of the wushi found. This is a stack overflow vulnerability. \nOn the vulnerability analysis of the article to see snow on a lot, the following are a few articles. \nCVE-2010-3333 vulnerability analysis(in depth analysis) \nMS10-087 from vulnerability to patch to the POC \nThe vulnerability of the war of Chapter 2, Section 4 of this vulnerability also have to compare the system description, the interested reader can read The Associated chapters. \nCVE-2014-1761 \nThe vulnerability is Google found a 0day in. This is a heap memory bounds write vulnerability. \nLi Hai fly was on the vulnerability done a very wonderful analysis. \nA Close Look at RTF Zero-Day Attack CVE-2014-1761 Shows Sophistication of Attackers \nSee snow forum is also related to the vulnerability of the two high-quality analysis articles. \nCVE-2014-1761 analysis notes \nms14-017(cve-2014-1761)learn the notes inside there is mentioned how to configure the correct environment \nThe security agent is also related to the vulnerability of a high-quality analysis. \nHand to hand teach you how to construct the office exploits EXP\uff08the third period\uff09 \nIn addition, South Korea's AhnLab also made a post about this vulnerability report. \nAnalysis of Zero-Day Exploit_Issue 01 Microsoft Word RTF Vulnerability CVE-2014-1761 \nDebugging this vulnerability requires attention is the vulnerability of some of the samples to trigger the environment is relatively harsh, the article inside mentions how to construct a relevant experimental environment. \nCVE-2016-7193 \nThe vulnerability is the Austrian Military Cyber Emergency Readiness Team Austria military Cyber Emergency Readiness Team reported to Microsoft a 0day is. \nIt is also a heap memory bounds write vulnerability. \nBaidu Security Labs has worked on the vulnerability done a more complete analysis. \nAPT attack weapon-the Word vulnerability, CVE-2016-7193 principles of the secret \nI also worked on the vulnerability of the use of writing to share through an article analysis. \nCombined with a field sample to construct a cve-2016-7193 bomb calculator use \n\nThe Open XML tag parsing problem \nCVE-2015-1641 \nGoogle 0day summary table will be listed for 2015 0day one. \nThis is a type confusion vulnerability. \nAbout the vulnerability, the fly tower has written an article analysis article. \nThe Curious Case Of The Document Exploiting An Unknown Vulnerability \u2013 Part 1 \nAli safe is also about the vulnerability wrote a wonderful analysis. \nword type confusion vulnerability CVE-2015-1641 analysis \nThe security agent also has the vulnerability of a wonderful analysis. \nHand to hand teach you how to construct the office exploits EXP\uff08fourth period\uff09 \nKnow Chong Yu the 404 lab also wrote an article on the vulnerability the wonderful analysis. \nCVE-2015-1641 Word using the sample analysis \nI've also written relates to the vulnerability of the principles of an article to share. \nThe Open XML tag parsing class vulnerability analysis ideas \nIn debugging this relates to the heap spray in the office sample, the need to pay special attention to the debugger intervention tends to affect the process heap layout, particularly some of the heap option settings. If when debugging the sample behavior can not be a normal trigger, often directly with the debugger launch the sample result, this time you can try double-click the sample after Hang, the debug controller. \n\n\n**[1] [[2]](<94516_2.htm>) [[3]](<94516_3.htm>) [[4]](<94516_4.htm>) [next](<94516_2.htm>)**\n", "modified": "2019-06-13T00:00:00", "published": "2019-06-13T00:00:00", "id": "MYHACK58:62201994516", "href": "http://www.myhack58.com/Article/html/3/62/2019/94516.htm", "title": "The macro perspective of the office vulnerability, 2010-2018-a vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "fireeye": [{"lastseen": "2018-08-31T00:18:21", "bulletinFamily": "info", "description": "In 2015, FireEye published details about two attacks exploiting vulnerabilities in Encapsulated PostScript (EPS) of Microsoft Office. One was a [zero-day](<https://www.fireeye.com/blog/threat-research/2015/09/attack_exploitingmi.html>) and one was [patched](<https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html>) weeks before the attack launched.\n\nRecently, FireEye identified three new zero-day vulnerabilities in Microsoft Office products that are being exploited in the wild.\n\nAt the end of March 2017, we detected another malicious document leveraging an unknown vulnerability in EPS and a recently [patched](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0001>) vulnerability in Windows Graphics Device Interface (GDI) to drop malware. Following the April 2017 Patch Tuesday, in which Microsoft disabled EPS, FireEye detected a second unknown vulnerability in EPS.\n\nFireEye believes that two actors \u2013 [Turla](<https://www.fireeye.com/content/dam/fireeye-www/company/events/infosec/threat-landscape-overview-fireeye-summit-paris.pdf>) and an unknown financially motivated actor \u2013 were using the first EPS zero-day ([CVE-2017-0261](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261>)), and [APT28](<https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html>) was using the second EPS zero-day ([CVE-2017-0262](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262>)) along with a new Escalation of Privilege (EOP) zero-day ([CVE-2017-0263](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0263>)). Turla and APT28 are Russian cyber espionage groups that have used these zero-days against European diplomatic and military entities. The unidentified financial group targeted regional and global banks with offices in the Middle East. The following is a description of the EPS zero-days, associated malware, and the new EOP zero-day. Each EPS zero-day is accompanied by an EOP exploit, with the EOP being required to escape the sandbox that executes the FLTLDR.EXE instance used for EPS processing.\n\nThe malicious documents have been used to deliver three different payloads. CVE-2017-0261 was used to deliver SHIRIME (Turla) and NETWIRE (unknown financially motivated actor), and CVE-2017-0262 was used to deliver GAMEFISH (APT28). CVE-2017-0263 is used to escalate privileges during the delivery of the GAMEFISH payload.\n\nFireEye [email](<https://www.fireeye.com/products/ex-email-security-products.html>) and [network](<https://www.fireeye.com/products/nx-network-security-products.html>) products detected the malicious documents.\n\nFireEye has been coordinating with the Microsoft Security Response Center (MSRC) for the responsible disclosure of this information. Microsoft advises all customers to follow the guidance in [security advisory ADV170005](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170005>) as a defense-in-depth measure against EPS filter vulnerabilities.\n\n#### CVE-2017-0261 \u2013 EPS _\"restore\"_ Use-After-Free\n\nUpon opening the Office document, the FLTLDR.EXE is utilized to render an embedded EPS image, which contains the exploit. The EPS file is a PostScript program, which leverages a Use-After-Free vulnerability in \u201c_restore_\u201d operand.\n\nFrom the [PostScript Manual](<https://www-cdf.fnal.gov/offline/PostScript/PLRM2.pdf>): \u201cAllocations in local VM and modifications to existing objects in local VM are subject to a feature called **save** and **restore**, named after the operators that invoke it. **save** and **restore** bracket a section of a PostScript language program whose local VM activity is to be encapsulated. **restore** deallocates new objects and undoes modifications to existing objects that were made since the matching **save**.\u201d\n\nAs the manual described, the _restore_ operator will reclaim memory allocated since the _save_ operator. This makes a perfect condition of Use-After-Free, when combined with _forall_ operator. Figure 1 shows the pseudo code to exploit the save and restore operation.\n\nFigure 1: Pseudo code for the exploit\n\nThe following operations allow the Pseudo code to leak metadata enabling a read/write primitive:\n\n 1. forall_proc array is created with a single element of the restore proc\n 2. The EPS state is **_saved_** to eps_state\n 3. uaf_array is created after the save\n 4. The forall operator loops over the elements of the uaf_array calling forall_proc for each element\n 5. The first element of uaf_array is passed to a call of restore_proc, the procedure contained in forall_proc\n 6. restore_proc\n * **_restores_** the initial state freeing the uaf_array\n * The alloc_string procedure reclaims the freed uaf_array\n * The forall_proc is updated to call leak_proc\n 7. Subsequent calls by the forall operator call the leak_proc on each element of the reclaimed uaf_array which elements now contain the result of the alloc_string procedure\n\nFigure 2 demonstrates a debug log of the uaf_array being used after being reclaimed.\n\nFigure 2: uaf_array reclaimed debug log\n\nBy manipulating the operations after the _save_ operator, the attacker is able to manipulate the memory layouts and convert the Use-After-Free to create a read/write primitive. Figure 3 shows the faked string, with length set as 0x7fffffff, base as 0.\n\nFigure 3: Faked String Object\n\nLeveraging the power of reading and writing arbitrary user memory, the EPS program continues by searching for gadgets to build the ROP chain, and creates a **_file_** object. Figure 4 demonstrates the faked file object in memory.\n\nFigure 4: Fake File Object, with ROP\n\nBy calling **_closefile_** operand with the faked file object, the exploit pivots to the ROP and starts the shellcode. Figure 5 shows part of the disassembler of **_closefile_** operand handler.\n\nFigure 5: Stack Pivot disassembler of closefile\n\nOnce execution has been achieved, the malware uses the ROP chain to change the execution protection of the memory region containing the shellcode. At this point, the shellcode is running within a sandbox that was executing FLTLDR.EXE and an escalation of privilege is required to escape that sandbox.\n\nFireEye detected two different versions of the EPS program exploiting this vulnerability. The first, st07383.en17.docx, continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME. SHIRIME is one of multiple custom JavaScript implants used by Turla as a first stage payload to conduct initial profiling of a target system and implement command and control. Since early 2016, we have observed multiple iterations of SHIRIME used in the wild, having the most recent version (v1.0.1004) employed in this zero-day\n\nThe second document, Confirmation_letter.docx, continues by utilizing 32 or 64 bit versions of CVE-2016-7255 to escalate privilege before dropping a new variant of the NETWIRE malware family. Several versions of this document were seen with similar filenames.\n\nThe EPS programs contained within these documents contained different logic to perform the construction of the ROP chain as well as build the shellcode. The first took the additional step of using a simple algorithm, shown in Figure 6, to obfuscate sections of the shellcode.\n\nFigure 6: Shellcode obfuscation algorithm\n\n#### CVE-2017-0262 \u2013 Type Confusion in EPS\n\nThe second EPS vulnerability is a type confused procedure object of forall operator that can alter the execution flow allowing an attacker to control values onto the operand stack. This vulnerability was found in a document named \u201cTrump's_Attack_on_Syria_English.docx\u201d.\n\nBefore triggering the vulnerability, the EPS program sprays the memory with predefined data to occupy specific memory address and facilitate the exploitation. Figure 7 demonstrates the PostScript code snippet of spraying memory with a string.\n\nFigure 7: PostScript code snippet of spray\n\nAfter execution, the content of string occupies the memory at address 0x0d80d000, leading to the memory layout as shown in Figure 8. The exploit leverages this layout and the content to forge a procedure object and manipulate the code flow to store predefined value, in yellow, to the operator stack.\n\nFigure 8: Memory layout of the sprayed data\n\nAfter spraying the heap, the exploit goes on to call a code statement in the following format: _1 array 16#D80D020 forall_. It creates an Array object, sets the procedure as the hex number 0xD80D020, and calls the _forall_ operator. During the operation of the forged procedure within _forall_ operator, it precisely controls the execution flow to store values of the attacker's choices to operand stack. Figure 9 shows the major code flow consuming the forged procedure.\n\nFigure 9: Consuming the forged procedure\n\nAfter execution of _forall_, the contents on the stack are under the attacker's control. This is s shown in Figure 10.\n\nFigure 10: Stack after the forall execution\n\nSince the operand stack has been manipulated, the subsequent operations of _exch_ defines objects based on the data from the manipulated stack, as shown in Figure 11.\n\nFigure 11: Subsequent code to retrieve data from stack\n\nThe A18 is a string type object, which has a length field of 0x7ffffff0, based from 0. Within memory, the layout as shown in Figure 12.\n\nFigure 12: A18 String Object\n\nThe A19 is an array type object, with member values all purposely crafted. The exploit defines another array object and puts it into the forged array A19. By performing these operations, it puts the newly created array object pointer into A19. The exploit can then directly read the value from the predictable address, 0xD80D020 + 0x38, and leak its vftable and infer module base address of EPSIMP32.flt. Figure 13 shows code snippets of leaking EPSIMP32 base address.\n\nFigure 13: Code snippet of leaking module base\n\nFigure 14 shows the operand stack of calling _put_ operator and the forged Array A19 after finishing the _put_ operation.\n\nFigure 14: Array A19 after the put operation\n\nBy leveraging the RW primitive string and the leaked module base of EPSIMP32, the exploit continues by searching ROP gadgets, creating a fake file object, and pivoting to shellcode through the _bytesavailable_ operator. Figure 15 shows the forged file type object and disassembling of pivoting to ROP and shellcode.\n\nFigure 15: Pivots to ROP and Shellcode\n\nThe shellcode continues by using a previously unknown EOP, CVE-2017-0263, to escalate privileges to escape the sandbox running FLTLDR.EXE, and then drop and execute a GAMEFISH payload. Only a 32-bit version of CVE-2017-0263 is contained in the shellcode.\n\n#### CVE-2017-0263 \u2013 win32k!xxxDestroyWindow Use-After-Free\n\nThe EOP Exploit setup starts by suspending all threads other than the current thread and saving the thread handles to a table, as shown in Figure 16.\n\n\n\nFigure 16: Suspending Threads\n\nThe exploit then checks for OS version and uses that information to populate version specific fields such as token offset, syscall number, etc. An executable memory area is allocated and populated with kernel mode shellcode as wells as address information required by the shellcode. A new thread is created for triggering the vulnerability and further control of exploitation.\n\nThe exploit starts by creating three PopupMenus and appending menus to them, as shown in Figure 17. The exploit creates 0x100 windows with random classnames. The User32!HMValidateHandle trick is used to leak the tagWnd address, which is used as kernel information leak throughout the exploit.\n\nFigure 17: Popup menu creation\n\nRegisterClassExW is then used to register a window class \u201cMain_Window_Class\u201d with a WndProc pointing to a function, which calls DestroyWindow on window table created by EventHookProc, explained later in the blog. This function also shows the first popup menu, which was created earlier.\n\nTwo extra windows are created with class name as \u201cMain_Window_Class\u201d. SetWindowLong is used to change WndProc of second window, wnd2, to a shellcode address. An application defined hook, WindowHookProc, and an event hook, EventHookProc, are installed by SetWindowsHookExW and SetWinEventHook respectively. PostMessage is used to post 0xABCD to first window, wnd1.\n\nThe EventHookProc waits for EVENT_SYSTEM_MENUPOPUPSTART and saves the window\u2019s handle to a table. WindowHookProc looks for **SysShadow **classname and sets a new WndProc for the corresponding window. Inside this WndProc, NtUserMNDragLeave syscall is invoked and SendMessage is used to send 0x9f9f to wnd2, invoking the shellcode shown in Figure 18.\n\n\n\nFigure 18: Triggering the shellcode\n\nThe Use-After-Free happens inside WM_NCDESTROY event in kernel and overwrites wnd2\u2019s tagWnd structure, which sets bServerSideWindowProc flag. With bServerSideWindowProc set, the user mode WndProc is considered as a kernel callback and will be invoked from kernel context \u2013 in this case wnd2\u2019s WndProc is the shellcode.\n\nThe shellcode checks whether the memory corruption has occurred by checking if the code segment is not the user mode code segment. It also checks whether the message sent is 0x9f9f. Once the validation is completed, shellcode finds the TOKEN address of current process and TOKEN of system process (pid 4). The shellcode then copies the system process\u2019 token to current process, which elevates current process privilege to SYSTEM.\n\n#### Conclusion\n\n_EPS processing has become a ripe exploitation space for attackers._\n\nFireEye has discovered and analyzed two of these recent EPS zero-days with examples seen before and after Microsoft disabled EPS processing in the April 2017 Patch Tuesday. The documents explored utilize differing EPS exploits, ROP construction, shellcode, EOP exploits and final payloads. While these documents are detected by FireEye appliances, users should exercise caution because FLTLDR.EXE is not monitored by EMET.\n\n_Russian cyber espionage is a well-resourced, dynamic threat_\n\nThe use of zero-day exploits by Turla Group and APT28 underscores their capacity to apply technically sophisticated and costly methods when necessary. Russian cyber espionage actors use zero-day exploits in addition to less complex measures. Though these actors have relied on credential phishing and macros to carry out operations previously, the use of these methods does not reflect a lack of resources. Rather, the use of less technically sophisticated methods \u2013 when sufficient \u2013 reflects operational maturity and the foresight to protect costly exploits until they are necessary.\n\n_A vibrant ecosystem of threats_\n\nCVE-2017-0261\u2019s use by multiple actors is further evidence that cyber espionage and criminal activity exist in a shared ecosystem. Nation state actors, such as those leveraging [CVE-2017-0199 to distribute FINSPY](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html>), often rely on the same sources for exploits as criminal actors. This shared ecosystem creates a proliferation problem for defenders concerned with either type of threat.\n\nCVE-2017-0261 was being used as a zero-day by both nation state and cyber crime actors, and we believe that both actors obtained the vulnerability from a common source. Following [CVE-2017-0199](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html>), this is the second major vulnerability in as many months that has been used for both espionage and crime.\n\n**MD5**\n\n| \n\n**Filename**\n\n| \n\n**C2 Host** \n \n---|---|--- \n \n2abe3cc4bff46455a945d56c27e9fb45\n\n| \n\nConfirmation_letter.docx.bin\n\n(NETWIRE)\n\n| \n\n84.200.2.12 \n \ne091425d23b8db6082b40d25e938f871\n\n| \n\nConfirmation_letter.docx\n\n(NETWIRE)\n\n| \n\n138.201.44.30 \n \n006bdb19b6936329bffd4054e270dc6a\n\n| \n\nConfirmation_letter_ACM.docx\n\n(NETWIRE)\n\n| \n\n185.106.122.113 \n \n15660631e31c1172ba5a299a90938c02\n\n| \n\nst07383.en17.docx\n\n(SHIRIME)\n\n| \n\ntnsc.webredirect.org \n \nf8e92d8b5488ea76c40601c8f1a08790\n\n| \n\nTrump's_Attack_on_Syria_English.docx\n\n(GAMEFISH)\n\n| \n\nwmdmediacodecs.com \n \nTable 1: Source Exploit Documents\n\nTable 2: CVEs related to these attacks\n\n#### Acknowledgements\n\niSIGHT Intelligence Team, FLARE Team, FireEye Labs, Microsoft Security Response Center (MSRC).\n", "modified": "2017-05-09T13:00:00", "published": "2017-05-09T13:00:00", "id": "FIREEYE:35D0439B3D476357F4D2F51F3D5CD294", "href": "https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html", "title": "EPS Processing Zero-Days Exploited by Multiple Threat Actors ", "type": "fireeye", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-06-06T23:14:39", "bulletinFamily": "info", "description": "In 2015, FireEye published details about two attacks exploiting vulnerabilities in Encapsulated PostScript (EPS) of Microsoft Office. One was a [zero-day](<https://www.fireeye.com/blog/threat-research/2015/09/attack_exploitingmi.html>) and one was [patched](<https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html>) weeks before the attack launched.\n\nRecently, FireEye identified three new zero-day vulnerabilities in Microsoft Office products that are being exploited in the wild.\n\nAt the end of March 2017, we detected another malicious document leveraging an unknown vulnerability in EPS and a recently [patched](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0001>) vulnerability in Windows Graphics Device Interface (GDI) to drop malware. Following the April 2017 Patch Tuesday, in which Microsoft disabled EPS, FireEye detected a second unknown vulnerability in EPS.\n\nFireEye believes that two actors \u2013 [Turla](<https://www.fireeye.com/content/dam/fireeye-www/company/events/infosec/threat-landscape-overview-fireeye-summit-paris.pdf>) and an unknown financially motivated actor \u2013 were using the first EPS zero-day ([CVE-2017-0261](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261>)), and [APT28](<https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html>) was using the second EPS zero-day ([CVE-2017-0262](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262>)) along with a new Escalation of Privilege (EOP) zero-day ([CVE-2017-0263](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0263>)). Turla and APT28 are Russian cyber espionage groups that have used these zero-days against European diplomatic and military entities. The unidentified financial group targeted regional and global banks with offices in the Middle East. The following is a description of the EPS zero-days, associated malware, and the new EOP zero-day. Each EPS zero-day is accompanied by an EOP exploit, with the EOP being required to escape the sandbox that executes the FLTLDR.EXE instance used for EPS processing.\n\nThe malicious documents have been used to deliver three different payloads. CVE-2017-0261 was used to deliver SHIRIME (Turla) and NETWIRE (unknown financially motivated actor), and CVE-2017-0262 was used to deliver GAMEFISH (APT28). CVE-2017-0263 is used to escalate privileges during the delivery of the GAMEFISH payload.\n\nFireEye [email](<https://www.fireeye.com/products/ex-email-security-products.html>) and [network](<https://www.fireeye.com/products/nx-network-security-products.html>) products detected the malicious documents.\n\nFireEye has been coordinating with the Microsoft Security Response Center (MSRC) for the responsible disclosure of this information. Microsoft advises all customers to follow the guidance in [security advisory ADV170005](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170005>) as a defense-in-depth measure against EPS filter vulnerabilities.\n\n#### CVE-2017-0261 \u2013 EPS _\"restore\"_ Use-After-Free\n\nUpon opening the Office document, the FLTLDR.EXE is utilized to render an embedded EPS image, which contains the exploit. The EPS file is a PostScript program, which leverages a Use-After-Free vulnerability in \u201c_restore_\u201d operand.\n\nFrom the [PostScript Manual](<https://www-cdf.fnal.gov/offline/PostScript/PLRM2.pdf>): \u201cAllocations in local VM and modifications to existing objects in local VM are subject to a feature called **save** and **restore**, named after the operators that invoke it. **save** and **restore** bracket a section of a PostScript language program whose local VM activity is to be encapsulated. **restore** deallocates new objects and undoes modifications to existing objects that were made since the matching **save**.\u201d\n\nAs the manual described, the _restore_ operator will reclaim memory allocated since the _save_ operator. This makes a perfect condition of Use-After-Free, when combined with _forall_ operator. Figure 1 shows the pseudo code to exploit the save and restore operation.\n\nFigure 1: Pseudo code for the exploit\n\nThe following operations allow the Pseudo code to leak metadata enabling a read/write primitive:\n\n 1. forall_proc array is created with a single element of the restore proc\n 2. The EPS state is **_saved_** to eps_state\n 3. uaf_array is created after the save\n 4. The forall operator loops over the elements of the uaf_array calling forall_proc for each element\n 5. The first element of uaf_array is passed to a call of restore_proc, the procedure contained in forall_proc\n 6. restore_proc\n * **_restores_** the initial state freeing the uaf_array\n * The alloc_string procedure reclaims the freed uaf_array\n * The forall_proc is updated to call leak_proc\n 7. Subsequent calls by the forall operator call the leak_proc on each element of the reclaimed uaf_array which elements now contain the result of the alloc_string procedure\n\nFigure 2 demonstrates a debug log of the uaf_array being used after being reclaimed.\n\nFigure 2: uaf_array reclaimed debug log\n\nBy manipulating the operations after the _save_ operator, the attacker is able to manipulate the memory layouts and convert the Use-After-Free to create a read/write primitive. Figure 3 shows the faked string, with length set as 0x7fffffff, base as 0.\n\nFigure 3: Faked String Object\n\nLeveraging the power of reading and writing arbitrary user memory, the EPS program continues by searching for gadgets to build the ROP chain, and creates a **_file_** object. Figure 4 demonstrates the faked file object in memory.\n\nFigure 4: Fake File Object, with ROP\n\nBy calling **_closefile_** operand with the faked file object, the exploit pivots to the ROP and starts the shellcode. Figure 5 shows part of the disassembler of **_closefile_** operand handler.\n\nFigure 5: Stack Pivot disassembler of closefile\n\nOnce execution has been achieved, the malware uses the ROP chain to change the execution protection of the memory region containing the shellcode. At this point, the shellcode is running within a sandbox that was executing FLTLDR.EXE and an escalation of privilege is required to escape that sandbox.\n\nFireEye detected two different versions of the EPS program exploiting this vulnerability. The first, st07383.en17.docx, continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME. SHIRIME is one of multiple custom JavaScript implants used by Turla as a first stage payload to conduct initial profiling of a target system and implement command and control. Since early 2016, we have observed multiple iterations of SHIRIME used in the wild, having the most recent version (v1.0.1004) employed in this zero-day\n\nThe second document, Confirmation_letter.docx, continues by utilizing 32 or 64 bit versions of CVE-2016-7255 to escalate privilege before dropping a new variant of the NETWIRE malware family. Several versions of this document were seen with similar filenames.\n\nThe EPS programs contained within these documents contained different logic to perform the construction of the ROP chain as well as build the shellcode. The first took the additional step of using a simple algorithm, shown in Figure 6, to obfuscate sections of the shellcode.\n\nFigure 6: Shellcode obfuscation algorithm\n\n#### CVE-2017-0262 \u2013 Type Confusion in EPS\n\nThe second EPS vulnerability is a type confused procedure object of forall operator that can alter the execution flow allowing an attacker to control values onto the operand stack. This vulnerability was found in a document named \u201cTrump's_Attack_on_Syria_English.docx\u201d.\n\nBefore triggering the vulnerability, the EPS program sprays the memory with predefined data to occupy specific memory address and facilitate the exploitation. Figure 7 demonstrates the PostScript code snippet of spraying memory with a string.\n\nFigure 7: PostScript code snippet of spray\n\nAfter execution, the content of string occupies the memory at address 0x0d80d000, leading to the memory layout as shown in Figure 8. The exploit leverages this layout and the content to forge a procedure object and manipulate the code flow to store predefined value, in yellow, to the operator stack.\n\nFigure 8: Memory layout of the sprayed data\n\nAfter spraying the heap, the exploit goes on to call a code statement in the following format: _1 array 16#D80D020 forall_. It creates an Array object, sets the procedure as the hex number 0xD80D020, and calls the _forall_ operator. During the operation of the forged procedure within _forall_ operator, it precisely controls the execution flow to store values of the attacker's choices to operand stack. Figure 9 shows the major code flow consuming the forged procedure.\n\nFigure 9: Consuming the forged procedure\n\nAfter execution of _forall_, the contents on the stack are under the attacker's control. This is s shown in Figure 10.\n\nFigure 10: Stack after the forall execution\n\nSince the operand stack has been manipulated, the subsequent operations of _exch_ defines objects based on the data from the manipulated stack, as shown in Figure 11.\n\nFigure 11: Subsequent code to retrieve data from stack\n\nThe A18 is a string type object, which has a length field of 0x7ffffff0, based from 0. Within memory, the layout as shown in Figure 12.\n\nFigure 12: A18 String Object\n\nThe A19 is an array type object, with member values all purposely crafted. The exploit defines another array object and puts it into the forged array A19. By performing these operations, it puts the newly created array object pointer into A19. The exploit can then directly read the value from the predictable address, 0xD80D020 + 0x38, and leak its vftable and infer module base address of EPSIMP32.flt. Figure 13 shows code snippets of leaking EPSIMP32 base address.\n\nFigure 13: Code snippet of leaking module base\n\nFigure 14 shows the operand stack of calling _put_ operator and the forged Array A19 after finishing the _put_ operation.\n\nFigure 14: Array A19 after the put operation\n\nBy leveraging the RW primitive string and the leaked module base of EPSIMP32, the exploit continues by searching ROP gadgets, creating a fake file object, and pivoting to shellcode through the _bytesavailable_ operator. Figure 15 shows the forged file type object and disassembling of pivoting to ROP and shellcode.\n\nFigure 15: Pivots to ROP and Shellcode\n\nThe shellcode continues by using a previously unknown EOP, CVE-2017-0263, to escalate privileges to escape the sandbox running FLTLDR.EXE, and then drop and execute a GAMEFISH payload. Only a 32-bit version of CVE-2017-0263 is contained in the shellcode.\n\n#### CVE-2017-0263 \u2013 win32k!xxxDestroyWindow Use-After-Free\n\nThe EOP Exploit setup starts by suspending all threads other than the current thread and saving the thread handles to a table, as shown in Figure 16.\n\n\n\nFigure 16: Suspending Threads\n\nThe exploit then checks for OS version and uses that information to populate version specific fields such as token offset, syscall number, etc. An executable memory area is allocated and populated with kernel mode shellcode as wells as address information required by the shellcode. A new thread is created for triggering the vulnerability and further control of exploitation.\n\nThe exploit starts by creating three PopupMenus and appending menus to them, as shown in Figure 17. The exploit creates 0x100 windows with random classnames. The User32!HMValidateHandle trick is used to leak the tagWnd address, which is used as kernel information leak throughout the exploit.\n\nFigure 17: Popup menu creation\n\nRegisterClassExW is then used to register a window class \u201cMain_Window_Class\u201d with a WndProc pointing to a function, which calls DestroyWindow on window table created by EventHookProc, explained later in the blog. This function also shows the first popup menu, which was created earlier.\n\nTwo extra windows are created with class name as \u201cMain_Window_Class\u201d. SetWindowLong is used to change WndProc of second window, wnd2, to a shellcode address. An application defined hook, WindowHookProc, and an event hook, EventHookProc, are installed by SetWindowsHookExW and SetWinEventHook respectively. PostMessage is used to post 0xABCD to first window, wnd1.\n\nThe EventHookProc waits for EVENT_SYSTEM_MENUPOPUPSTART and saves the window\u2019s handle to a table. WindowHookProc looks for **SysShadow **classname and sets a new WndProc for the corresponding window. Inside this WndProc, NtUserMNDragLeave syscall is invoked and SendMessage is used to send 0x9f9f to wnd2, invoking the shellcode shown in Figure 18.\n\n\n\nFigure 18: Triggering the shellcode\n\nThe Use-After-Free happens inside WM_NCDESTROY event in kernel and overwrites wnd2\u2019s tagWnd structure, which sets bServerSideWindowProc flag. With bServerSideWindowProc set, the user mode WndProc is considered as a kernel callback and will be invoked from kernel context \u2013 in this case wnd2\u2019s WndProc is the shellcode.\n\nThe shellcode checks whether the memory corruption has occurred by checking if the code segment is not the user mode code segment. It also checks whether the message sent is 0x9f9f. Once the validation is completed, shellcode finds the TOKEN address of current process and TOKEN of system process (pid 4). The shellcode then copies the system process\u2019 token to current process, which elevates current process privilege to SYSTEM.\n\n#### Conclusion\n\n_EPS processing has become a ripe exploitation space for attackers._\n\nFireEye has discovered and analyzed two of these recent EPS zero-days with examples seen before and after Microsoft disabled EPS processing in the April 2017 Patch Tuesday. The documents explored utilize differing EPS exploits, ROP construction, shellcode, EOP exploits and final payloads. While these documents are detected by FireEye appliances, users should exercise caution because FLTLDR.EXE is not monitored by EMET.\n\n_Russian cyber espionage is a well-resourced, dynamic threat_\n\nThe use of zero-day exploits by Turla Group and APT28 underscores their capacity to apply technically sophisticated and costly methods when necessary. Russian cyber espionage actors use zero-day exploits in addition to less complex measures. Though these actors have relied on credential phishing and macros to carry out operations previously, the use of these methods does not reflect a lack of resources. Rather, the use of less technically sophisticated methods \u2013 when sufficient \u2013 reflects operational maturity and the foresight to protect costly exploits until they are necessary.\n\n_A vibrant ecosystem of threats_\n\nCVE-2017-0261\u2019s use by multiple actors is further evidence that cyber espionage and criminal activity exist in a shared ecosystem. Nation state actors, such as those leveraging [CVE-2017-0199 to distribute FINSPY](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html>), often rely on the same sources for exploits as criminal actors. This shared ecosystem creates a proliferation problem for defenders concerned with either type of threat.\n\nCVE-2017-0261 was being used as a zero-day by both nation state and cyber crime actors, and we believe that both actors obtained the vulnerability from a common source. Following [CVE-2017-0199](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html>), this is the second major vulnerability in as many months that has been used for both espionage and crime.\n\n**MD5**\n\n| \n\n**Filename**\n\n| \n\n**C2 Host** \n \n---|---|--- \n \n2abe3cc4bff46455a945d56c27e9fb45\n\n| \n\nConfirmation_letter.docx.bin\n\n(NETWIRE)\n\n| \n\n84.200.2.12 \n \ne091425d23b8db6082b40d25e938f871\n\n| \n\nConfirmation_letter.docx\n\n(NETWIRE)\n\n| \n\n138.201.44.30 \n \n006bdb19b6936329bffd4054e270dc6a\n\n| \n\nConfirmation_letter_ACM.docx\n\n(NETWIRE)\n\n| \n\n185.106.122.113 \n \n15660631e31c1172ba5a299a90938c02\n\n| \n\nst07383.en17.docx\n\n(SHIRIME)\n\n| \n\ntnsc.webredirect.org \n \nf8e92d8b5488ea76c40601c8f1a08790\n\n| \n\nTrump's_Attack_on_Syria_English.docx\n\n(GAMEFISH)\n\n| \n\nwmdmediacodecs.com \n \nTable 1: Source Exploit Documents\n\nTable 2: CVEs related to these attacks\n\n#### Acknowledgements\n\niSIGHT Intelligence Team, FLARE Team, FireEye Labs, Microsoft Security Response Center (MSRC).\n", "modified": "2017-05-09T13:00:00", "published": "2017-05-09T13:00:00", "id": "FIREEYE:AA5B50E5C593F4E6EFF300E3DE9EDB85", "href": "https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html", "title": "EPS Processing Zero-Days Exploited by Multiple Threat Actors ", "type": "fireeye", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T11:57:45", "bulletinFamily": "exploit", "description": "May has been a busy month for vulnerabilities in the world's most popular desktop operating system. Hackers have made headlines with massive infections by WannaCry ransomware, which exploits an SMB security flaw and the ETERNALBLUE tool. Shortly prior, on May 9, Microsoft fixed CVE-2017-0263, which had made it possible for attackers to gain maximum system privileges on PCs running Windows 10, Windows 8.1, Windows 7, Windows Server 2008, Windows Server 2012, and Windows Server 2016.\r\n\r\nVulnerability CVE-2017-0263 had been used already in phishing messages. The emails contained an exploit that first entered the system by taking advantage of incorrect handling of EPS files by Microsoft Office (CVE-2017-0262) and then, once on the inside, leveraged CVE-2017-0263 to get full administrator rights. Two years ago we looked at a similar vulnerability in Windows, and here we will see how the new CVE-2017-0263 opens the way to \"pwning\" remote workstations and servers.\r\n\r\nIn a word, this is a use-after-free vulnerability (CWE-416)\u2014when context menu windows were closed and the memory occupied by the menu was freed up, the pointer to the freed-up memory was not zeroed out. As a result, the pointer could be reused.\r\n\r\nThe below discussion covers the process of window handling in the win32k.sys driver and how this process makes it possible to exploit the vulnerability.\r\n#### Context menus\r\nEvery Windows user is familiar with context menus. These are the menus that drop down when we right-click.\r\n\r\n\r\nThe appearance of this menu and how it is displayed are completely up to the developer of each application. WinAPI provides developers with the TrackPopupMenuEx function, which causes a context menu to appear with the specified parameters at the specified location on the screen.\r\nThe state of the context menu is stored in the kernel in the variable win32k!gMenuState, which is a win32k!tagMENUSTATE structure:\r\n```\r\n0: kd> dt win32k!tagMenuState\r\n +0x000 pGlobalPopupMenu : Ptr32 tagPOPUPMENU\r\n +0x004 flags : Int4B\r\n +0x008 ptMouseLast : tagPOINT\r\n +0x010 mnFocus : Int4B\r\n +0x014 cmdLast : Int4B\r\n +0x018 ptiMenuStateOwner : Ptr32 tagTHREADINFO\r\n +0x01c dwLockCount : Uint4B\r\n +0x020 pmnsPrev : Ptr32 tagMENUSTATE\r\n +0x024 ptButtonDown : tagPOINT\r\n +0x02c uButtonDownHitArea: Uint4B\r\n +0x030 uButtonDownIndex : Uint4B\r\n +0x034 vkButtonDown : Int4B\r\n +0x038 uDraggingHitArea : Uint4B\r\n +0x03c uDraggingIndex : Uint4B\r\n +0x040 uDraggingFlags : Uint4B\r\n +0x044 hdcWndAni : Ptr32 HDC__\r\n +0x048 dwAniStartTime : Uint4B\r\n +0x04c ixAni : Int4B\r\n +0x050 iyAni : Int4B\r\n +0x054 cxAni : Int4B\r\n +0x058 cyAni : Int4B\r\n +0x05c hbmAni : Ptr32 HBITMAP__\r\n +0x060 hdcAni : Ptr32 HDC__\r\n```\r\nNote that all of the call stacks and structures presented here are taken from Windows 7 x86. The 32-bit OS version is used for convenience: arguments for most functions are stored on the stack and there is no WoW64 layer, which during system calls switches to a 64-bit stack due to which 32-bit stack frames are lost when the call stack is printed. A full list of vulnerable operating systems is given on the Microsoft website.\r\n\r\nThe win32k!tagMENUSTATE structure stores, for example, such information as: the clicked region of the screen, number of the most recent menu command, and pointers to the windows that were clicked or selected for drag-and-drop. The list of context menu windows is stored in the first field, pGlobalPopupMenu, which is of the type win32k!tagPOPUPMENU:\r\n```\r\n0: kd> dt win32k!tagPopupMenu\r\n +0x000 flags : Int4B\r\n +0x004 spwndNotify : Ptr32 tagWND\r\n +0x008 spwndPopupMenu : Ptr32 tagWND\r\n +0x00c spwndNextPopup : Ptr32 tagWND\r\n +0x010 spwndPrevPopup : Ptr32 tagWND\r\n +0x014 spmenu : Ptr32 tagMENU\r\n +0x018 spmenuAlternate : Ptr32 tagMENU\r\n +0x01c spwndActivePopup : Ptr32 tagWND\r\n +0x020 ppopupmenuRoot : Ptr32 tagPOPUPMENU\r\n +0x024 ppmDelayedFree : Ptr32 tagPOPUPMENU\r\n +0x028 posSelectedItem : Uint4B\r\n +0x02c posDropped : Uint4B\r\n +0x030 ppmlockFree : Ptr32 tagPOPUPMENU\r\n```\r\nIn both structures we have highlighted the fields of interest, which will be used below to describe the exploitation process.\r\n\r\nThe variable win32k!gMenuState is initialized when a context menu is created, during the previously mentioned TrackPopupMenuEx function. Initialization occurs when win32k!xxxMNAllocMenuState is called:\r\n```\r\n1: kd> k\r\n # ChildEBP RetAddr \r\n00 95f29b38 81fe3ca6 win32k!xxxMNAllocMenuState+0x7c\r\n01 95f29ba0 81fe410f win32k!xxxTrackPopupMenuEx+0x27f\r\n02 95f29c14 82892db6 win32k!NtUserTrackPopupMenuEx+0xc3\r\n03 95f29c14 77666c74 nt!KiSystemServicePostCall\r\n04 0131fd58 7758480e ntdll!KiFastSystemCallRet\r\n05 0131fd5c 100015b3 user32!NtUserTrackPopupMenuEx+0xc\r\n06 0131fd84 7756c4b7 q_Main_Window_Class_wndproc (call TrackPopupMenuEx)\r\n```\r\nAnd when the context menu is no longer needed\u2014for example, the user selected a menu item or clicked outside of the menu\u2014the function win32k!xxxMNEndMenuState is called and frees up the state of the menu:\r\n```\r\n1: kd> k\r\n # ChildEBP RetAddr \r\n00 a0fb7ab0 82014f68 win32k!xxxMNEndMenuState\r\n01 a0fb7b20 81fe39f5 win32k!xxxRealMenuWindowProc+0xd46\r\n02 a0fb7b54 81f5c134 win32k!xxxMenuWindowProc+0xfd\r\n03 a0fb7b94 81f1bb74 win32k!xxxSendMessageTimeout+0x1ac\r\n04 a0fb7bbc 81f289c8 win32k!xxxWrapSendMessage+0x1c\r\n05 a0fb7bd8 81f5e149 win32k!NtUserfnNCDESTROY+0x27\r\n06 a0fb7c10 82892db6 win32k!NtUserMessageCall+0xcf\r\n07 a0fb7c10 77666c74 nt!KiSystemServicePostCall\r\n08 013cfd90 77564f21 ntdll!KiFastSystemCallRet\r\n09 013cfd94 77560908 user32!NtUserMessageCall+0xc\r\n0a 013cfdd0 77565552 user32!SendMessageWorker+0x546\r\n0b 013cfdf0 100014e4 user32!SendMessageW+0x7c\r\n0c 013cfe08 775630bc q_win_event_hook (call SendMessageW(MN_DODRAGDROP))\r\n```\r\n\r\nImportant here is that the gMenuState.pGlobalPopupMenu field is updated only during initialization in the xxxMNAllocMenuState function\u2014it is not zeroed out when the structure is destroyed.\r\n\r\n#### xxxMNEndMenuState function\r\nThis function is the star of our story. Its handful of lines harbor the vulnerability.\r\n\r\n\r\nxxxMNEndMenuState starts with deinitialization and freeing of information related to the context menu. The MNFreePopup function\u2014to which we will return in the following section\u2014is called. The main task of MNFreePopup is to decrement reference counters for windows related to the particular context menu. When the reference count falls to zero, this decrementing can cause the window to be destroyed.\r\n\r\nThen the xxxMNEndMenuState function checks the fMenuWindowRef flag of the pGlobalPopupMenu field to see if any references remain to the main window of the context menu. This flag is cleared upon destruction of the window contained in the spwndPopupMenu field of the context menu:\r\n```\r\n3: kd> k\r\n # ChildEBP RetAddr \r\n00 95fffa5c 81f287da win32k!xxxFreeWindow+0x847\r\n01 95fffab0 81f71252 win32k!xxxDestroyWindow+0x532\r\n02 95fffabc 81f7122c win32k!HMDestroyUnlockedObject+0x1b\r\n03 95fffac8 81f70c4a win32k!HMUnlockObjectInternal+0x30\r\n04 95fffad4 81f6e1fc win32k!HMUnlockObject+0x13\r\n05 95fffadc 81fea664 win32k!HMAssignmentUnlock+0xf\r\n06 95fffaec 81fea885 win32k!MNFreePopup+0x7d\r\n07 95fffb14 8202c3d6 win32k!xxxMNEndMenuState+0x40\r\n\r\nxxxFreeWindow+83f disasm:\r\n.text:BF89082E loc_BF89082E:\r\n.text:BF89082E and ecx, 7FFFFFFFh ; ~fMenuWindowRef\r\n.text:BF890834 mov [eax+tagPOPUPMENU.flags], ecx\r\n```\r\nAs seen above, the flag is discarded and therefore the memory occupied by the pGlobalPopupMenu field is freed up, but the pointer itself is not zeroed out. This causes a dangling pointer, which under certain circumstances can be reused.\r\n\r\nImmediately after the context menu memory is freed up, the execution flow deletes the references stored in the context menu state structure that relate to clicked windows (uButtonDownHitArea field) when the menu was active or were selected for drag-and-drop (uDraggingHitArea field).\r\n#### Exploitation method\r\nA window object in the kernel is described by a tagWND structure. There we describe the concept of kernel callbacks, which will be needed here as well. The number of active references to a window is stored in the cLockObj field of the tagWND structure.\r\n\r\nDeleting references to a window, as shown in the previous section, can cause the window itself to be destroyed. Before the window is destroyed, a WM_NCDESTROY change-of-window-state message is sent to the window.\r\n\r\nThis means that while xxxMNEndMenuState is running, control can be transferred to user application code\u2014specifically, to the window procedure of the window being destroyed. This happens when no references remain to a window whose pointer is stored in the gMenuState.uButtonDownHitArea field. \r\n```\r\n2: kd> k\r\n # ChildEBP RetAddr \r\n0138fc34 7756c4b7 q_new_SysShadow_window_proc\r\n0138fc60 77565f6f USER32!InternalCallWinProc+0x23\r\n0138fcd8 77564ede USER32!UserCallWinProcCheckWow+0xe0\r\n0138fd34 7755b28f USER32!DispatchClientMessage+0xcf\r\n0138fd64 77666bae USER32!__fnNCDESTROY+0x26\r\n0138fd90 77564f21 ntdll!KiUserCallbackDispatcher+0x2e \r\n95fe38f8 81f56d86 nt!KeUserModeCallback\r\n95fe3940 81f5c157 win32k!xxxSendMessageToClient+0x175\r\n95fe398c 81f5c206 win32k!xxxSendMessageTimeout+0x1cf\r\n95fe39b4 81f2839c win32k!xxxSendMessage+0x28\r\n95fe3a10 81f2fb00 win32k!xxxDestroyWindow+0xf4\r\n95fe3a24 81f302ee win32k!xxxRemoveShadow+0x3e\r\n95fe3a64 81f287da win32k!xxxFreeWindow+0x2ff\r\n95fe3ab8 81f71252 win32k!xxxDestroyWindow+0x532\r\n95fe3ac4 81f7122c win32k!HMDestroyUnlockedObject+0x1b\r\n95fe3ad0 81f70c4a win32k!HMUnlockObjectInternal+0x30\r\n95fe3adc 81f6e1fc win32k!HMUnlockObject+0x13\r\n95fe3ae4 81fe4162 win32k!HMAssignmentUnlock+0xf\r\n95fe3aec 81fea8c3 win32k!UnlockMFMWFPWindow+0x18\r\n95fe3b14 8202c3d6 win32k!xxxMNEndMenuState+0x7e \r\n```\r\nFor example, in the call stack shown above, the WM_NCDESTROY message is handled by the window procedure for the SysShadow window class. Windows of this class are designed to provide shadowing and are usually destroyed together with the windows for which they are shadowing.\r\nNow let's see the most interesting part of how this window message is handled, in the form that was found in the malware sample taken from a .docx phishing attachment:\r\n\r\n\r\nWhen the attacker takes control, the first matter of business is to occupy the now-free memory that was just occupied by gMenuState.pGlobalPopupMenu, in order to reuse this pointer later. Attempting to allocate the indicated memory block, the exploit performs a large number of SetClassLongW calls, thus setting a specially formed menu name for window classes that have been specially created for this purpose:\r\n```\r\n2: kd> k\r\n # ChildEBP RetAddr \r\n00 9f74bafc 81f240d2 win32k!memcpy+0x33\r\n01 9f74bb3c 81edadb1 win32k!AllocateUnicodeString+0x6b\r\n02 9f74bb9c 81edb146 win32k!xxxSetClassData+0x1d1\r\n03 9f74bbb8 81edb088 win32k!xxxSetClassLong+0x39\r\n04 9f74bc1c 82892db6 win32k!NtUserSetClassLong+0xc8\r\n05 9f74bc1c 77666c74 nt!KiSystemServicePostCall\r\n06 0136fac0 7755658b ntdll!KiFastSystemCallRet\r\n07 0136fac4 775565bf user32!NtUserSetClassLong+0xc\r\n08 0136fafc 10001a52 user32!SetClassLongW+0x5e\r\n09 0136fc34 7756c4b7 q_new_SysShadow_window_proc (call SetClassLongW)\r\n```\r\n\r\nAfter the memory is occupied, the next stage begins. The exploit accesses the NtUserMNDragLeave system procedure, which performs a nested call of the xxxMNEndMenuState function. Clearing of the gMenuState structure starts again:\r\n```\r\n2: kd> k\r\n # ChildEBP RetAddr \r\n00 9f74bbf0 8202c3d6 win32k!xxxMNEndMenuState\r\n01 9f74bc04 8202c40e win32k!xxxUnlockMenuStateInternal+0x2e\r\n02 9f74bc14 82015672 win32k!xxxUnlockAndEndMenuState+0xf\r\n03 9f74bc24 82001728 win32k!xxxMNDragLeave+0x45\r\n04 9f74bc2c 82892db6 win32k!NtUserMNDragLeave+0xd\r\n05 9f74bc2c 100010a9 nt!KiSystemServicePostCall\r\n06 0136fafc 10001a84 q_exec_int2e (int 2Eh)\r\n07 0136fc34 7756c4b7 q_new_SysShadow_window_proc (call q_exec_int2e)\r\n```\r\nAs described in the previous section, the procedure starts by deinitializing the pGlobalPopupMenu field; this process is performed by the MNFreePopup call, which decrements the reference counters for windows contained in various fields of tagPOPUPMENU. After the prior step, the content of this structure is now controlled by the attacker. So when the described chain of actions is performed, the attacker gets a decrement primitive to an arbitrary kernel address.\r\n\r\nIn this exploit, an address is inserted in the tagPOPUPMENU.spwndPrevPopup field and the primitive is used to decrement the field for flags of one of the windows, causing that window to be marked with the flag bServerSideProc, which means that its window procedure is run in the kernel.\r\nAs the code shows, immediately after returning from NtUserMNDragLeave, a message is sent to the window by a SendMessage call, causing arbitrary kernel code execution. At this stage, the attacker usually steals a system process token to obtain system privileges. Indeed, this is what happened in the exploit here.\r\n\r\n#### In conclusion\r\nWhat are the salient points of the exploit? The most common cause of vulnerabilities in the win32k.sys library is access to callbacks in user space when any kernel structures are in an intermediate stage when a transaction is changing them. Setting the bServerSideProc flag for a window is also a popular method for kernel code execution. In addition, the most convenient method to leverage kernel code execution for privilege escalation is to copy a reference to a system token.\r\n\r\nIn that sense, the exploit looks rather mundane. At the same time many of the nuances have been simplified or purposefully omitted from this discussion.\r\n\r\nFor example, we did not dwell on the exact appearance of the context menu or menu-related actions that cause the necessary state of the flags and fields of the win32k!gMenuState variable during execution of the xxxMNEndMenuState procedure. Left unmentioned was the fact that the menu names set during SetClassLong calls should, on the one hand, be a Unicode string with no null characters but, on the other hand, be a legitimate tagPOPUPMENU structure. This also means that the address of the window in the kernel (to which the decrement field will refer) must not contain any wchar_t null characters. These are just a few examples from a rather long list. \r\n\r\nAs for the update that fixes the vulnerability, a quick glance shows that the buffer addressed by the gMenuState.pGlobalPopupMenu field is now freed closer to the end of the xxxMNEndMenuState function, much later after the MNFreePopup and UnlockMFMWPWindow calls, and is accompanied by zeroing-out of the pointer. Thus the patch addresses two causes whose simultaneous presence caused the vulnerability to occur.", "modified": "2017-05-19T00:00:00", "published": "2017-05-19T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-93116", "id": "SSV:93116", "type": "seebug", "title": "Win32k Elevation of Privilege Vulnerability(CVE-2017-0263)", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "kaspersky": [{"lastseen": "2019-03-21T00:14:25", "bulletinFamily": "info", "description": "### *Detect date*:\n05/09/2017\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft Office. Malicious users can exploit these vulnerabilities to execute arbitrary code and gain privileges.\n\n### *Affected products*:\nMicrosoft Office 2007 Service Pack 3 \nMicrosoft Office 2010 Service Pack 2 \nMicrosoft Office 2013 Service Pack 1 \nMicrosoft Office 2013 RT Service Pack 1 \nMicrosoft Office 2016 \nMicrosoft Office 2016 for Mac \nMicrosoft Office Enterprise Server 2016 \nMicrosoft Word 2007 Service Pack 3 \nMicrosoft Word 2010 Service Pack 2 \nMicrosoft Word 2013 RT Service Pack 1 \nMicrosoft Word 2013 Service Pack 1 \nMicrosoft PowerPoint for Mac 2011 \nMicrosoft Office Compatibility Pack Service Pack 3 \nMicrosoft Office Word Viewer \nSkype for Business 2016\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2017-0261](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261>) \n[CVE-2017-0262](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262>) \n[CVE-2017-0265](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0265>) \n[CVE-2017-0264](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0264>) \n[CVE-2017-0281](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0281>) \n[CVE-2017-0254](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0254>) \n[CVE-2017-0255](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0255>) \n[CVE-2017-0281](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0281>) \n[CVE-2017-0265](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0265>) \n[CVE-2017-0264](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0264>) \n[CVE-2017-0262](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262>) \n[CVE-2017-0261](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261>) \n[CVE-2017-0255](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0255>) \n[CVE-2017-0254](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0254>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats](<https://threats.kaspersky.com/en/product/Microsoft-Office-Compatibility-Pack-for-Word,-Excel,-and-PowerPoint-2007-File-Formats/>)\n\n### *CVE-IDS*:\n[CVE-2017-0281](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0281>)9.3Critical \n[CVE-2017-0265](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0265>)9.3Critical \n[CVE-2017-0264](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0264>)9.3Critical \n[CVE-2017-0262](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0262>)9.3Critical \n[CVE-2017-0261](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0261>)9.3Critical \n[CVE-2017-0255](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0255>)3.5Critical \n[CVE-2017-0254](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0254>)9.3Critical\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[3191841](<http://support.microsoft.com/kb/3191841>) \n[3191835](<http://support.microsoft.com/kb/3191835>) \n[3191904](<http://support.microsoft.com/kb/3191904>) \n[3191888](<http://support.microsoft.com/kb/3191888>) \n[3191909](<http://support.microsoft.com/kb/3191909>) \n[3191880](<http://support.microsoft.com/kb/3191880>) \n[3191836](<http://support.microsoft.com/kb/3191836>) \n[3191843](<http://support.microsoft.com/kb/3191843>) \n[3178729](<http://support.microsoft.com/kb/3178729>) \n[3191865](<http://support.microsoft.com/kb/3191865>) \n[3162040](<http://support.microsoft.com/kb/3162040>) \n[3191839](<http://support.microsoft.com/kb/3191839>) \n[3118310](<http://support.microsoft.com/kb/3118310>) \n[3172458](<http://support.microsoft.com/kb/3172458>) \n[3114375](<http://support.microsoft.com/kb/3114375>) \n[3191895](<http://support.microsoft.com/kb/3191895>) \n[2596904](<http://support.microsoft.com/kb/2596904>) \n[3191899](<http://support.microsoft.com/kb/3191899>) \n[3191885](<http://support.microsoft.com/kb/3191885>) \n[3191863](<http://support.microsoft.com/kb/3191863>) \n[3191881](<http://support.microsoft.com/kb/3191881>) \n[3191890](<http://support.microsoft.com/kb/3191890>) \n[3191913](<http://support.microsoft.com/kb/3191913>) \n[3191858](<http://support.microsoft.com/kb/3191858>) \n[3191914](<http://support.microsoft.com/kb/3191914>) \n[3191915](<http://support.microsoft.com/kb/3191915>) \n[3212221](<http://support.microsoft.com/kb/3212221>)", "modified": "2019-03-07T00:00:00", "published": "2017-05-09T00:00:00", "id": "KLA11010", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11010", "title": "\r KLA11010Remote code execution and elevation of privilege vulnerabilities in Microsoft Office ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "thn": [{"lastseen": "2018-01-27T09:17:39", "bulletinFamily": "info", "description": "[](<https://1.bp.blogspot.com/-vpXxMS5a1OQ/WRLsUKCC4II/AAAAAAAAsiw/8zkd69jstykdsFIkaYYDa9lAVVLKnZO2QCLcB/s1600/windows-zero-day-exploit.png>)\n\n \nAs part of this month's Patch Tuesday, Microsoft has released security patches for a total of 55 vulnerabilities across its products, including fixes for four zero-day vulnerabilities being exploited in the wild. \n \nJust yesterday, Microsoft released an [emergency out-of-band update](<https://thehackernews.com/2017/05/windows-defender-rce-flaw.html>) separately to patch a remote execution bug ([CVE-2017-0290](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0290>)) in Microsoft's Antivirus Engine that comes enabled by default on Windows 7, 8.1, RT, 10 and Server 2016 operating systems. \n \nThe vulnerability, reported by Google Project Zero researchers, could allow an attacker to take over your Windows PC with just an email, which you haven't even opened yet. \n \n**_May 2017 Patch Tuesday_ \u2014** Out of 55 vulnerabilities, 17 have been rated as critical and affect the company's main operating systems, along with other products like Office, Edge, Internet Explorer, and the malware protection engine used in most of the Microsoft's anti-malware products. \n \nSysadmins all over the world should prioritize the May's Patch Tuesday as it addresses four critical zero-day vulnerabilities, three of which being actively exploited by cyber-espionage groups in targeted attacks over the past few months. \n \n\n\n### 3 Zero-Days Were Exploited in the Wild by Russian Cyber-Espionage Group\n\n \n**_First Zero-Day Vulnerability ([CVE-2017-0261](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261>))_ \u2014** It affects the 32- and 64-bit versions of Microsoft Office 2010, 2013 and 2016, and resides in how Office handles Encapsulated PostScript (EPS) image files, leading to remote code execution (RCE) on the system. \n \nThis Office vulnerability could be exploited by tricking victims into opening a file containing a malformed graphics image in an email. The attack also exploits a Windows privilege escalation bug ([CVE-2017-0001](<https://technet.microsoft.com/en-us/library/security/ms17-013.aspx>)) that the company patched on March 14 to gain full control over the system \u2013 essentially allowing attackers to install spyware and other malware. \n \nAccording to the [FireEye](<https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html>) researchers, the CVE-2017-0261 flaw has been exploited since late March by an unknown group of financially motivated hackers and by a Russian cyber espionage group called Turla, also known as Snake or Uroburos. \n \n**Second Zero-Day Vulnerability ([CVE-2017-0262](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262>)) \u2014 **FireEye and [ESET](<https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/>) researchers believe that the APT28 hacking group, also known as Fancy Bear, or Pawn Storm, was actively using this EPS-related Microsoft Office zero-day vulnerability which leads to remote code execution on opening a malformed file. \n \n**_Third Zero-Day Vulnerability ([CVE-2017-0263](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0263>))_ \u2014 **The third zero-day bug is an elevation of privilege (EoP) vulnerability in all supported versions of Microsoft's Windows operating system. \n \nThis vulnerability exists in the way Windows kernel-mode driver handles objects in memory, allowing attackers to run arbitrary code in kernel mode and then install malware, view, change, or delete data, and even create new accounts with full user rights. \n \nResearchers believe that the Russian cyber-espionage group was also actively exploiting this flaw (CVE-2017-0263) along with the second zero-day vulnerability (CVE-2017-0262). \n \n**_Fourth Zero-Day Vulnerability ([CVE-2017-0222](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0222>))_ \u2014 **Another zero-day vulnerability affects Internet Explorer 10 and 11 and resides in how Internet Explorer handles objects in memory. \n \nOpening a malicious web page can corrupt memory to trigger remote code execution, allowing attackers to take control of an affected system. According to the tech giant, this issue was also exploited in the wild. \n \n**_Patches for Other Critical Vulnerabilities_ \u2014** This month's security updates also fix critical vulnerabilities in both Edge and Internet Explorer (IE) that could lead to remote code execution by tricking victims into visiting malicious websites or viewing specially crafted advertisements inside the browsers. \n \nBesides this, Microsoft also addresses four critical remote code execution bugs ([CVE-2017-0272](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0272>), [CVE-2017-0277](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0277>), [CVE-2017-0278](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0278>), and [CVE-2017-0279](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0279>)) in Windows SMB network file-sharing protocol, which affects Windows 7 through 10 and Windows Server 2008 through 2016. \n \nThese vulnerabilities put Windows PCs and server installations at risk of hacking if they use SMBv1, though there have been no reports of any of these flaws exploited in the wild. \n \nAs usual, Adobe Flash Players patches are also included in the security update to address [7 CVE-listed flaws](<https://helpx.adobe.com/security/products/flash-player/apsb17-15.html>) in the Windows, macOS, and Linux. \n \nWindows users are strongly advised to install the latest updates as soon as possible in order to protect themselves against the active attacks in the wild.\n", "modified": "2017-05-10T10:37:40", "published": "2017-05-09T23:37:00", "id": "THN:35CDED923C2A70050CA53879EA860398", "href": "https://thehackernews.com/2017/05/patch-windows-zero-days.html", "type": "thn", "title": "Microsoft Issues Patches for Another Four Zero-Day Vulnerabilities", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "rapid7community": [{"lastseen": "2017-05-20T08:49:58", "bulletinFamily": "blog", "description": "<!-- [DocumentBodyStart:694c8abe-75a0-469a-9006-017f197033e3] --><div class=\"jive-rendered-content\"><p>It's a relatively light month as far as Patch Tuesdays go, with Microsoft issuing fixes for a total of seven vulnerabilities as part of their standard update program. However, an eighth, highly critical vulnerability (<a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fportal.msrc.microsoft.com%2Fen-US%2Fsecurity-guidance%2Fadvisory%2FCVE-2017-0290\" rel=\"nofollow\" target=\"_blank\">CVE-2017-0290</a>) that had some of the security community buzzing over the weekend was also <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fsecurity%2F4022344\" rel=\"nofollow\" target=\"_blank\">addressed</a> late Monday evening. A flaw in the scanning engine used by various Microsoft anti-malware products could allow attackers to fully compromise a user's system simply by sending them a file as an email attachment or in an instant message, or by enticing them to visit a malicious web page. This vulnerability is especially dangerous for two reasons. In most attacks, users need to be tricked into opening a file or visiting a web page, and even then the malware would generally run at their privilege level unless it's able to escalate. But because the engine runs as SYSTEM, the highest privilege level, it's game over for a compromised system; the attacker has full control. Additionally, because the engine may scan files in the background before the user even sees them, exploitation can occur without the typical prerequisite social engineering tactics. The only good news here is that Microsoft shipped the fix very quickly after being notified, and since it's being delivered as an anti-malware update as opposed to via Windows Update, most users should get the patch without having to take any action.</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p>The fixes released as part of the regular Patch Tuesday updates continue some long-standing trends we've seen from Microsoft, with critical KBs for all supported operating systems addressing remote code execution (RCE) and privilege escalation vulnerabilities. Two separate RCE vulnerabilities in Office were also patched, one of which (<a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fportal.msrc.microsoft.com%2Fen-US%2Fsecurity-guidance%2Fadvisory%2FCVE-2017-0261\" rel=\"nofollow\" target=\"_blank\">CVE-2017-0261</a>) is known to be exploited in the wild. The other Office vulnerability, <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fportal.msrc.microsoft.com%2Fen-US%2Fsecurity-guidance%2Fadvisory%2FCVE-2017-0281\" rel=\"nofollow\" target=\"_blank\">CVE-2017-0281</a>, is rated \"Important\" but affects a wide range of products beyond just Office, including Skype for Business and several server platforms such as SharePoint, Office Web Apps, and Project Server 2013. Edge and Internet Explorer remain reliable attack surfaces with RCE vulnerabilities being patched for both. Rounding out the vulnerabilities this month is a DNS denial of service (<a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fportal.msrc.microsoft.com%2Fen-US%2Fsecurity-guidance%2Fadvisory%2FCVE-2017-0171\" rel=\"nofollow\" target=\"_blank\">CVE-2017-0171</a>) affecting all supported server operating systems.</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p>Alongside today's updates Microsoft published <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Ftechnet.microsoft.com%2Flibrary%2Fsecurity%2F4010323\" rel=\"nofollow\" target=\"_blank\">Security Advisory 4010323</a> indicating that they've now fully deprecated SSL/TLS certificates that use SHA-1 due to <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FSHA-1%23Cryptanalysis_and_validation\" rel=\"nofollow\" target=\"_blank\">known weaknesses</a> in the algorithm. IE 11 and Edge will no longer load sites with such certificates, and will instead display an invalid certificate warning. The exception to this is self-signed and enterprise certificates (those not chained to a Microsoft-trusted root); however, any such sites really should switch to SHA-2 based certificates as soon as possible.</p></div><!-- [DocumentBodyEnd:694c8abe-75a0-469a-9006-017f197033e3] -->", "modified": "2017-05-10T13:56:34", "published": "2017-05-10T13:56:34", "id": "RAPID7COMMUNITY:70FFE7CD88D4CCE4994B4B417E2B4960", "href": "https://community.rapid7.com/community/nexpose/blog/2017/05/10/patch-tuesday-may-2017", "title": "Patch Tuesday - May 2017", "type": "rapid7community", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "qualysblog": [{"lastseen": "2017-05-20T08:47:48", "bulletinFamily": "blog", "description": "Hours before today\u2019s Patch Tuesday release on the eve of May 8, Microsoft released an emergency updated to fix a vulnerability in their Malware Protection Engine. This critical vulnerability allows an attacker to take complete control of the victim's machine by just sending an e-mail attachment. When the malware protection engine scans the attachment the malicious code in the file gets executed, allowing the attacker complete and full access to the computer. The attack can also be carried out by sending the file via an instant message or having the victim download the file from a website. It is absolutely essential that organizations using Microsoft Malware Protection Engine make sure that they are at version Version [1.1.13704.0](<https://technet.microsoft.com/en-us/library/security/4022344.aspx>) or later. Users should also check if they are patched for [CVE-2017-0290](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0290>), which was released for the same issue today.\n\nIn today\u2019s Patch Tuesday update Microsoft released a total of 57 vulnerability fixes. Highest priority should go to patching 0-day issues which are actively exploited. On top of our list is the Office patch for [CVE-2017-0261](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261>) which is triggered when a victim opens an Office file containing a malformed graphics image. The file could be delivered via email or any other means. As this is actively exploited in the wild and attackers can take complete control of the victim system, this should be treated with priority.\n\n[CVE-2017-0222](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0222>) also makes the top of the actively attacked list. This vulnerability affects Internet Explorer, and users can be compromised if they visit a malicious website hosted by attackers. This patch gets priority as the vulnerability is currently exploited in the wild and attackers can take complete control of the victim machine.\n\nNext priority goes to the Edge browser vulnerability [CVE-2017-0229](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0229>), which was publicly disclosed before today\u2019s patch Tuesday release. This issue allows attackers to take complete control of victim machine when the user visits malicious websites using Edge.\n\nNext priority goes to three critical SMB remote code execution vulnerabilities ([CVE-2017-0277](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0277>), [CVE-2017-0278](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0278>), [CVE-2017-0279](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0279>)) that affect the Windows server machines as well as desktop clients. The issue exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploits the vulnerability could gain the ability to execute code on the target. To exploit the vulnerability, in most situations an unauthenticated attacker would send a specially crafted packet to the SMBv1 server.\n\nAlso today Microsoft released [updates](<https://technet.microsoft.com/library/security/4010323>) to Microsoft Edge and Internet Explorer 11 to block sites that are protected with a SHA-1 certificate from loading and to display an invalid certificate warning. This change will only impact SHA-1 certificates that chain to a root in the Microsoft Trusted Root Program where the end-entity certificate or the issuing intermediate uses SHA-1. Enterprise or self-signed SHA-1 certificates will not be impacted.\n\nIn summary today\u2019s release fixed 3 actively exploited and 4 publicly disclosed issues including the malware protection engine, Office, IE, Edge and SMB vulnerabilities. Microsoft also deprecated SHA-1 certificates from IE and Edge.", "modified": "2017-05-09T18:06:52", "published": "2017-05-09T18:06:52", "id": "QUALYSBLOG:2AFF0D4E01534CA4823F85B912170FD0", "href": "https://blog.qualys.com/laws-of-vulnerabilities/2017/05/09/microsoft-fixes-malware-protection-engine-and-several-0-day-vulnerabilities", "title": "Microsoft Fixes Malware Protection Engine and Several 0-Day Vulnerabilities, and Deprecates SHA-1", "type": "qualysblog", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "trendmicroblog": [{"lastseen": "2017-05-18T08:47:17", "bulletinFamily": "blog", "description": "\n\nAlthough I\u2019m still dreaming of the sandy beaches of Cancun, it\u2019s time to get back to reality. Security vulnerabilities never take a holiday and this week is no exception. In addition to our normal Digital Vaccine (DV) package delivered earlier this week, we also issued an out-of-band DV package to address zero-day vulnerabilities for Intel Active Management Technology (AMT) ([CVE-2017-5689](<https://nvd.nist.gov/vuln/detail/CVE-2017-5689>)) and Windows Defender ([CVE-2017-0290](<https://nvd.nist.gov/vuln/detail/CVE-2017-0290>)).\n\nThe Intel AMT vulnerability is an escalation of privilege vulnerability that allows an unprivileged attacker to gain control of the manageability features provided by the affected Intel AMT products. The Windows Defender vulnerability is much scarier because allows a remote attacker to take over a system without any interaction from the system owner. Just the mere execution of Windows Defender scanning an email or instant message from an attacker is enough. But don\u2019t worry \u2013 customers using TippingPoint solutions are protected from these vulnerabilities with the following DV filters:\n\n| \n\n * 28214: HTTP: Null response digest\n * 28221: HTTP: Microsoft Malware Protection Engine mpengine Type Confusion Vulnerability \n---|--- \n| \n \n**Microsoft Update**\n\nThis week\u2019s Digital Vaccine (DV) package includes coverage for Microsoft updates released on or before May 9, 2017. Microsoft released patches for 55 new CVEs in Internet Explorer, Edge, Office, Windows, and .NET Framework. A total of 14 of these CVEs are rated Critical while the rest are rated Important in severity. The following table maps Digital Vaccine filters to the Microsoft updates. Filters marked with an (*) shipped prior to this DV package, providing zero-day protection for our customers. You can get more detailed information on this month\u2019s security updates from Dustin Childs\u2019 [May 2017 Security Update Review](<https://www.zerodayinitiative.com/blog/2017/5/5/the-may-2017-security-update-review>):\n\n**CVE #** | **Digital Vaccine Filter #** | **Status** \n---|---|--- \nCVE-2017-0064 | | Insufficient Vendor Information \nCVE-2017-0077 | 28112 | \nCVE-2017-0171 | | Insufficient Vendor Information \nCVE-2017-0175 | 28183 | \nCVE-2017-0190 | | Insufficient Vendor Information \nCVE-2017-0212 | | Insufficient Vendor Information \nCVE-2017-0213 | 28184 | \nCVE-2017-0214 | 28189 | \nCVE-2017-0220 | 28198 | \nCVE-2017-0221 | 28114 | \nCVE-2017-0222 | | Insufficient Vendor Information \nCVE-2017-0224 | | Insufficient Vendor Information \nCVE-2017-0226 | | Insufficient Vendor Information \nCVE-2017-0227 | 28130 | \nCVE-2017-0228 | *27538 | \nCVE-2017-0229 | | Insufficient Vendor Information \nCVE-2017-0230 | | Insufficient Vendor Information \nCVE-2017-0231 | | Insufficient Vendor Information \nCVE-2017-0233 | | Insufficient Vendor Information \nCVE-2017-0234 | *27532 | \nCVE-2017-0235 | | Insufficient Vendor Information \nCVE-2017-0236 | *27536 | \nCVE-2017-0238 | *27540 | \nCVE-2017-0240 | *27541, *27542 | \nCVE-2017-0241 | | Insufficient Vendor Information \nCVE-2017-0242 | | Insufficient Vendor Information \nCVE-2017-0243 | 28192 | \nCVE-2017-0244 | | Insufficient Vendor Information \nCVE-2017-0245 | 28185 | \nCVE-2017-0246 | 28111 | \nCVE-2017-0248 | | Insufficient Vendor Information \nCVE-2017-0254 | | Insufficient Vendor Information \nCVE-2017-0255 | | Insufficient Vendor Information \nCVE-2017-0258 | 28199 | \nCVE-2017-0259 | 28200 | \nCVE-2017-0261 | | Insufficient Vendor Information \nCVE-2017-0262 | | Insufficient Vendor Information \nCVE-2017-0263 | 28186 | \nCVE-2017-0264 | | Insufficient Vendor Information \nCVE-2017-0265 | | Insufficient Vendor Information \nCVE-2017-0266 | 28193 | \nCVE-2017-0267 | | Insufficient Vendor Information \nCVE-2017-0268 | | Insufficient Vendor Information \nCVE-2017-0269 | | Insufficient Vendor Information \nCVE-2017-0270 | | Insufficient Vendor Information \nCVE-2017-0271 | | Insufficient Vendor Information \nCVE-2017-0272 | | Insufficient Vendor Information \nCVE-2017-0273 | | Insufficient Vendor Information \nCVE-2017-0274 | | Insufficient Vendor Information \nCVE-2017-0275 | | Insufficient Vendor Information \nCVE-2017-0276 | | Insufficient Vendor Information \nCVE-2017-0277 | | Insufficient Vendor Information \nCVE-2017-0278 | | Insufficient Vendor Information \nCVE-2017-0279 | | Insufficient Vendor Information \nCVE-2017-0280 | | Insufficient Vendor Information \nCVE-2017-0281 | | Insufficient Vendor Information \n \n \n\n**Zero-Day Filters**\n\nThere are 14 new zero-day filters covering three vendors in this week\u2019s Digital Vaccine (DV) package. A number of existing filters in this week\u2019s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of [published advisories](<http://www.zerodayinitiative.com/advisories/published/>) and [upcoming advisories](<http://www.zerodayinitiative.com/advisories/upcoming/>) on the [Zero Day Initiative](<http://www.zerodayinitiative.com/>) website.\n\n**_Adobe (5)_**\n\n| \n\n * 28094: ZDI-CAN-4564: Zero Day Initiative Vulnerability (Adobe Flash)\n * 28099: ZDI-CAN-4565: Zero Day Initiative Vulnerability (Adobe Flash)\n * 28100: ZDI-CAN-4566: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 28101: ZDI-CAN-4567: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)\n * 28202: ZDI-CAN-4715, 4716: Zero Day Initiative Vulnerability (Adobe Reader DC)**_ _** \n---|--- \n| \n \n**_EMC (6)_**\n\n| \n\n * 28102: ZDI-CAN-4694: Zero Day Initiative Vulnerability (EMC Data Protection Advisor)\n * 28103: ZDI-CAN-4695: Zero Day Initiative Vulnerability (EMC Data Protection Advisor)\n * 28104: ZDI-CAN-4696: Zero Day Initiative Vulnerability (EMC Data Protection Advisor)\n * 28105: ZDI-CAN-4698: Zero Day Initiative Vulnerability (EMC Data Protection Advisor)\n * 28106: ZDI-CAN-4699: Zero Day Initiative Vulnerability (EMC Data Protection Advisor)\n * 28107: ZDI-CAN-4710: Zero Day Initiative Vulnerability (EMC AppSync)**_ _** \n---|--- \n| \n \n**_NetGain (3)_**\n\n| \n\n * 28108: ZDI-CAN-4749: Zero Day Initiative Vulnerability (NetGain Enterprise Manager)\n * 28109: ZDI-CAN-4750: Zero Day Initiative Vulnerability (NetGain Enterprise Manager)\n * 28110: ZDI-CAN-4751: Zero Day Initiative Vulnerability (NetGain Enterprise Manager)**_ _** \n---|--- \n| \n \n**Updated Existing Zero-Day Filters**\n\nThis section highlights specific filter(s) of interest in this week\u2019s Digital Vaccine package that have been updated as a result of a vendor either issuing a patch for a vulnerability found via the Zero Day Initiative or a vulnerability that has been published by the Zero Day Initiative in accordance with its [Disclosure Policy](<http://zerodayinitiative.com/advisories/disclosure_policy/>).\n\nThree of the filters we have for this month\u2019s Microsoft bulletins are a direct result of the Zero Day Initiative\u2019s Pwn2Own contest held in March. These filters have been updated to reflect the fact that the vulnerabilities have been patched:\n\n| \n\n * 27532: HTTP: Microsoft Edge Chakra JIT Array Memory Corruption Vulnerability (Pwn2Own)\n * 27538: HTTP: Microsoft Edge Chakra Array Splice Use-After-Free Vulnerability (Pwn2Own)\n * 27540: HTTP: Microsoft Edge Chakra Array Unshift Buffer Overflow Vulnerability (Pwn2Own)**_ _** \n---|--- \n| \n \n**Missed Last Week\u2019s News?**\n\nCatch up on last week\u2019s news in my [weekly recap](<http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-may-1-2017/>).", "modified": "2017-05-12T16:47:57", "published": "2017-05-12T16:47:57", "href": "http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-may-8-2017/", "id": "TRENDMICROBLOG:278CA36BE7BE1D87941A99D03E2C3D5B", "title": "TippingPoint Threat Intelligence and Zero-Day Coverage \u2013 Week of May 8, 2017", "type": "trendmicroblog", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}