
Windows Patches Zero Day Spyware

Microsoft, as part of September Patch Tuesday, has released patches for a total of 81 CVE-listed vulnerabilities of varying severity. The latest security update addresses 27 critical and 54 important vulnerabilities; 38 of them affect Windows and 39 could lead to Remote Code Execution (RCE). The updates apply to all Microsoft products that are currently supported.

Four of the patched vulnerabilities were already known and have been exploited in the wild. One of them was previously unknown to the public, with details being released on September 12. That vulnerability was discovered by researchers at FireEye and privately reported to Windows, with both parties only releasing details to the public in conjunction with the release of the patch.

The following programs are affected by the latest batch of updates:

  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • .NET Framework
  • Skype for Business and Lync
  • Microsoft Exchange Server
  • Microsoft Office, Services, and Web Apps
  • Adobe Flash Player

List of the known vulnerabilities

Windows .NET Framework RCE (CVE-2017-8759). This is the flaw mentioned above, discovered by researchers at FireEye; it stems from the way Microsoft .NET Framework processes untrusted input data. Ultimately the flaw would enable an attacker to take control of an affected system and install programs, view, change, or delete data, with initial access gained through a crafted email campaign containing documents laced with malicious code. It is believed that the flaw could be used to create user accounts with increased privileges.


FireEye has detected instances where the flaw has been used in the wild. In the instances detected by its researchers, the flaw was leveraged through a Rich Text Format (RTF) document. According to FireEye, this flaw has been used by a well-funded cyber espionage group targeting Russian speakers to deliver FinSpy spyware to targeted victims. FinSpy is a highly secretive surveillance software that has previously been associated with the British company Gamma Group, a company that legally sells surveillance and espionage software to government agencies. Once a system is infected, FinSpy can perform a plethora of cyber espionage tasks, including turning on webcams, recording user activity with keyloggers and intercepting Skype calls.

FireEye concluded that, because FinSpy was sold as part of a “lawful intercept” company’s product, the vulnerability may have been used to target others, not just Russian-speaking entities. It also indicates the level of resources such “lawful intercept” companies have at their disposal.

Device Guard Security Feature Bypass Vulnerability (CVE-2017-8746). This flaw could allow an attacker to inject malicious code into a Windows PowerShell session by bypassing the Device Guard Code Integrity policy.

Microsoft Edge Security Feature Bypass Vulnerability (CVE-2017-8723). This flaw resides in Edge where the Content Security Policy (CSP) fails to properly validate certain specially crafted documents, allowing attackers to trick users into visiting a website hosting malware.

Broadcom BCM43xx Remote Code Execution Vulnerability (CVE-2017-9417). Occurring in the Broadcom chipset in HoloLens, the flaw could be exploited by attackers sending a specially crafted WiFi packet, which could enable them to install programs; view, change, or delete data; or even create new accounts with full admin rights.

BlueBorne provides another reason to patch immediately

Discovered earlier this year and silently patched by Microsoft in July, details of the BlueBorne attack have only now been released to the public. The attack leverages vulnerabilities in over 5 billion devices that use Bluetooth across multiple operating systems, be they Apple iOS, Microsoft, Android, or Linux. In total, researchers discovered 8 zero-day vulnerabilities that, if exploited by threat actors, could surrender control of mobile devices, PCs, and other IoT devices without the victim necessarily having to do anything. Researchers at Armis, who dubbed the possible attack BlueBorne, managed to create an instance where an attack could spread malware, or even establish a "man-in-the-middle" connection to gain access to devices' critical data and networks, without requiring any victim interaction. All that would be required of the attacker would be to be close enough to the victim and for the victim’s Bluetooth to be turned on.

Researchers at Armis also believe that any attack leveraging one of the 8 flaws discovered above could be further manipulated into making BlueBorne wormable, although one of the lead researchers at Armis, Ben Seri, believes that creating a universally wormable exploit utilising the flaws would be difficult. That being said, Armis stated: “Unfortunately, this set of capabilities is extremely desirable to a hacker. BlueBorne can serve any malicious objective, such as cyber espionage, data theft, ransomware, and even creating large botnets out of IoT devices like the Mirai Botnet or mobile devices as with the recent WireX Botnet.” Another worrying facet is that this attack vector goes after networks that, although secure, are independent of other networks such as the internet.

The vulnerabilities discovered include:

  • Information Leak Vulnerability in Android (CVE-2017-0785)
  • Remote Code Execution Vulnerability (CVE-2017-0781) in Android's Bluetooth Network Encapsulation Protocol (BNEP) service
  • Remote Code Execution Vulnerability (CVE-2017-0782) in Android BNEP's Personal Area Networking (PAN) profile
  • The Bluetooth Pineapple in Android—Logical flaw (CVE-2017-0783)
  • Linux kernel Remote Code Execution vulnerability (CVE-2017-1000251)
  • Linux Bluetooth stack (BlueZ) information leak vulnerability (CVE-2017-1000250)
  • The Bluetooth Pineapple in Windows—Logical flaw (CVE-2017-8628)
  • Apple Low Energy Audio Protocol Remote Code Execution vulnerability (CVE Pending)

Microsoft moved quickly to release the patches applicable to it, with a spokesperson from Microsoft stating, “Microsoft released security updates in July and customers who have Windows Update enabled and applied the security updates, are protected automatically. We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates.”

While BlueBorne has been successfully patched, such instances serve as a reminder of why it is so important that users and administrators keep systems up to date and patched. Just by keeping a system up to date, the user has made great strides in keeping hackers and cyber criminals at bay.

To install the latest batch of updates, go to “Settings”, then “Update & security”, followed by “Windows Update”, and click “Check for updates”; alternatively, you can install the updates manually.
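As an added example that is not part of the original article, the following PowerShell script performs the check an administrator would run after the steps above: it asks the Windows Update Agent (via its COM API) for updates that are applicable but not yet installed, and lists Bluetooth devices so the BlueBorne precondition (a Bluetooth radio turned on) can be reviewed on machines that do not need it. It assumes a supported Windows version with the PnpDevice module (Windows 8 / Server 2012 or later) and network access to the configured update source.

```powershell
# Added example, not from the original article: report pending Windows updates
# and enumerate Bluetooth devices on this machine.

# 1. Query the Windows Update Agent for updates that are applicable, not hidden,
#    and not yet installed. Uses the documented Microsoft.Update.Session COM API.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0")

$pending = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        Title    = $u.Title
        KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Severity = $u.MsrcSeverity          # 'Critical', 'Important', ... or empty
        Released = $u.LastDeploymentChangeTime
    }
}

if ($pending) {
    Write-Host "Pending updates:" -ForegroundColor Yellow
    $pending | Sort-Object Released -Descending | Format-Table -AutoSize
    $critical = @($pending | Where-Object Severity -eq 'Critical').Count
    Write-Host "$critical of $(@($pending).Count) pending update(s) are rated Critical."
} else {
    Write-Host "No pending updates; Windows Update reports the system as current." -ForegroundColor Green
}

# 2. BlueBorne requires a Bluetooth radio that is switched on. List every device
#    in the Bluetooth class with its status so unneeded radios can be disabled
#    (Disable-PnpDevice) until the July/September updates are confirmed installed.
$bt = Get-PnpDevice -Class Bluetooth -ErrorAction SilentlyContinue
if ($bt) {
    Write-Host "Bluetooth devices present:" -ForegroundColor Yellow
    $bt | Select-Object FriendlyName, Status, Present | Format-Table -AutoSize
} else {
    Write-Host "No Bluetooth devices present on this machine." -ForegroundColor Green
}
```

Run it in an elevated PowerShell session; if the first section lists a Critical update, the patches described above have not yet been applied to that machine.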


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
