Recent Microsoft 0-Day Used for Cyber-Espionage and Mundane Malware Distribution

Solarquest

The saga of CVE-2017-0199, a recently patched zero-day vulnerability affecting Microsoft Office and WordPad, just got a little stranger yesterday after cyber-security firm FireEye revealed the vulnerability was used both by cyber-criminals pushing mundane malware and by state-sponsored cyber-espionage groups.

This twisted tale starts in July 2016, when security researcher Ryan Hanson discovered a flaw in RTF files that he could exploit to execute code on the underlying operating system.

After finishing his research, Hanson submitted a write-up on the three bugs he found to Microsoft in October 2016, via the company's bug bounty program.

Uncharacteristically for Microsoft, the company took almost six months to fix the three bugs discovered by Hanson, delivering patches for all three (CVE-2017-0106, CVE-2017-0199, and CVE-2017-0204) in April's Patch Tuesday.

A few days before Microsoft patched the zero-day, news about it broke via blog posts from McAfee and FireEye, both companies revealing the zero-day was under active exploitation.

Zero-day used to target pro-Russian separatists in Ukraine
Unfortunately, this long patching period gave others the time to discover the same flaw. While McAfee and FireEye initially refrained from revealing any details about the zero-day, now that a patch is available, several security firms are sharing more behind-the-scenes details.

According to FireEye, the zero-day first came on their radar on January 25, 2017, when they discovered a FinSpy module exploiting the flaw.
......
......
Zero-Day affected WordPad, not just Office
While initially this zero-day was classified as an Office vulnerability, Microsoft's security advisory revealed this vulnerability also affected WordPad, a free document viewer included by default with all Windows versions.
.....
.....
The WordPad exploitation angle is also more dangerous because WordPad doesn't include Protected View, a protection mechanism that blocked the zero-day's exploitation in Office.

Nevertheless, if attackers chained CVE-2017-0199 with CVE-2017-0204, Hanson says they could also bypass Office Protected View if they wanted to.