Confirm that the latest vulnerability in Word was exploited for months

would remember that malicious document who took advantage of a vulnerability in Word to download malware without a trace? The good news is that Microsoft released its patch from April 11 and its installation is recommended with extreme urgency. The bad news is that the bug was discovered in July 2016 and during the following nine months was used to carry out attacks in Russia, Ukraine, Australia and Israel.

the official designation for the vulnerability is CVE-2017 – 0199 . From a technical point of view was already corrected, and those using the builds more recent Office package (a partir de la edición 2007 SP3) should be protected. However, we know very well that for different reasons, many users and administrators decide to delay the application of hotfixes . Perhaps your corporate environment is too strict, or simply use illegal copies with systems of activation are neutralized through Windows Update. But the bugs do not discriminate and that in other circumstances would have been a routine patch, transformed in an odyssey that lasted nine months.

the bug was used to distribute malware, steal money, attacking universities, and intervene military officers

systems history leads us to July 2016, when the consultant Ryan Hanson discovered 0-day . During the following three months he worked on the bug with the idea of establishing its gravity and assess their potential for combination with other failures, to then report it to Microsoft . To see the results, in Redmond came to the conclusion that a quick patch was not going to be enough for his neutralization, and he could not share too much data on the subject, or alert the hackers. At that time there was no indication on the 0-day exposure, but that changed in January of this year, bringing us to the original report of FireEye . CVE-2017 – 0199 was used by “multiple agents” to spread at least three forms of malware, beginning with FinSpy, Latentbot, and Dridex . FinSpy case is very particular, because that also know it as FinFisher a spyware used by dozens of Governments around the world.

the first victims were bound to Russia and Ukraine, showing some level of precision in the campaign. After accumulating additional evidence, FireEye came into contact with Microsoft, but confirmation from McAfee on April 7 essentially kicked the Board, announcing to the world the existence of the 0-day. Two days later, the black market already offered variants which exploited CVE-2017 – 0199 to distribute Dridex. The attacks moved to Australia and other countries, with the aim of stealing funds from bank accounts. Ben-Gurion University in Israel announced that several of its employees were hacked «post-parche» by attackers linked to the Iranian Government, which apparently took control of their email accounts and spread malicious document distribution to more than 250 goals. The final number of people affected, and the amount of stolen money is unknown. Beyond of that delay can be justified, it is imperative to the development of a universal platform that will allow better coordination of communication between independent security researchers and corporations.

Leave your vote

0 points

Downvote Upvote

Total votes: 0

Upvotes: 0

Upvotes percentage: 0.000000%

Downvotes: 0

Downvotes percentage: 0.000000%

Be the first to comment

Leave a Reply