On September 12, researchers at FireEye announced an actively exploited zero-day vulnerability tied to Microsoft’s .NET framework. CVE-2017-8759 is a .NET remote code execution vulnerability and allows attackers to utilize Rich Text documents to install malware; view, change or delete data; or create new accounts with full user rights. Once discovered, FireEye shared details of the vulnerability with Microsoft, who released a patch for the flaw in their September Patch Tuesday along with fixes for another 53 “important” vulnerabilities and 27 “critical.”

FireEye reports that the exploit causes the targeted computer to launch FINSPY (aka FinFisher or WingBird). The spyware, not new to threat actors, was developed by Gamma Group, a Germany-based firm that conducts legal intercepts via surveillance tools sold to government agencies throughout the world. So far, experts are not sure of how widespread the attacks are, but it is understood that the spyware was exploited by unidentified hackers as early as July, possibly nation–state hackers.

Microsoft fixed 81 vulnerabilities in its security update round this month, 27 of which were labelled “critical” and one zero-day which is under active attack. According to SC Media, three additional zero-day vulnerabilities have not yet been observed in exploits in the wild:

  • CVE-2017-8723 is a security feature bypass in Microsoft Edge when the Edge Content Security Policy fails to properly validate certain specially crafted documents; if exploited, the bypass could trick a user into loading a page containing malicious content.
  • CVE-2017-9417 is a flaw that exists when a Broadcom chipset in HoloLens improperly handles objects in memory that could lead to remote code execution (aka the “Broadpwn” issue).
  • CVE-2017-8746 is a security feature bypass vulnerability in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session.

These three have lower exploitability index ratings; however, as they have been publicly disclosed, a potential exploit could be created with the information already provided.

Getting Your Priorities Straight

Vulnerabilities have certainly made headlines in the last couple weeks, from the (count it) eight zero–days in the BlueBorne attack demonstration to the tragically unpatched Apache Struts vulnerability used in the Equifax data breach — not to mention haunting memories of WannaCry and NotPetya.

In terms of patching priorities for enterprises, the Microsoft vulnerability being used to distribute FINSPY should be top of your list. While ransomware could lock you out of your files until the ransom is paid, spyware can remain undetected on systems and potentially lead to further attacks or compromises.

The exploit of CVE-2017-8759 is once again a lesson in why new approaches are needed in vulnerability management. While this vulnerability hasn’t been deemed “critical” by Microsoft, vulnerabilities with active exploits should be taken very seriously. Traditional approaches that rely on this rating alone will fail to protect organizations from the most likely attacks. Taking a threat–centric approach that considers activity in the threat landscape, exploit availability and the exposure levels within a unique environment yields much more accurate prioritization and effective action.


Learn more about the threat–centric approach to vulnerability management at skyboxsecurity.com/tcvm.

Get the special report on the Equifax data breach and see how Skybox helped customers target the vulnerability involved more than five months before the public announcement of the breach.