Microsoft has released their monthly security bulletin—colloquially known as Patch Tuesday—for September. The most important update addresses a zero-day vulnerability that is exploited through Microsoft Word. CVE-2017-8759 is a .NET Framework Remote Code Execution Vulnerability that allows attackers to execute code remotely on the target system when exploited. The vulnerability is exploited via a spam email that prompts the user to open an attached Microsoft Office RTF document. Opening the attachment drops payloads (detected by Trend Micro as TSPY_FINSPY.A, TROJ_POWLOAD.ASUKQ, TROJ_CVE20178759.A and TROJ_CVE20178759.A) that are often used with zero-day vulnerabilities to pull off attacks.
The bulletin also addresses CVE-2017-8628, a vulnerability concerning the Windows Bluetooth driver, specifically its implementation of the Bluetooth stack. An attacker who successfully exploits this vulnerability could pull off man-in-the-middle attacks to reroute network traffic, allowing the attacker to monitor and manipulate data before passing it to the actual recipient. This vulnerability was actually patched back in July, but details were revealed in the September update. Three additional zero-day issues were covered in the update:
It is important to note that these three vulnerabilities had not been used in any attacks or campaigns at the time of publication. However, Microsoft's decision to disclose them publicly indicates that it considers these vulnerabilities serious enough to warrant attention.
Adobe also released APSB17-28, which addresses CVE-2017-11281 and CVE-2017-11282, critical memory corruption vulnerabilities in Adobe Flash that could lead to code execution. Users are encouraged to update to the latest version of Flash Player, which is 184.108.40.206. The following vulnerabilities were disclosed via Trend Micro’s Zero Day Initiative (ZDI):
Trend Micro Solutions
TippingPoint customers are protected via the following MainlineDV filters:
Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits and other similar threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect these kinds of attacks even without any engine or pattern update.
Deep Discovery Inspector protects customers from CVE-2017-8759 via this DDI Rule: