Microsoft has released a new patch that addresses a total of 82 vulnerabilities (September Patch Tuesday) for all supported versions of Windows and other products. Among the patched flaws is one zero-day vulnerability that has been exploited in the wild.
The zero-day vulnerability (CVE-2017-8759) is a remote code execution vulnerability that affects the .NET Framework. To exploit this vulnerability, an attacker would first need to convince the user to open a malicious document or application.
According to Microsoft:
“A remote code execution vulnerability exists when Microsoft .NET Framework processes untrusted input. An attacker who successfully exploited this vulnerability in software using the .NET framework could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
The vulnerability (CVE-2017-8759) was discovered by two security researchers from FireEye, who reported it privately to Microsoft. It affects the .NET Framework, specifically a SOAP WSDL (Web Services Description Language) parser. An attacker can exploit the vulnerability for remote code execution by getting the targeted user to open a specially crafted document or application.
“FireEye recently detected a malicious Microsoft Office RTF document that leveraged CVE-2017-8759, a SOAP WSDL parser code injection vulnerability. This vulnerability allows a malicious actor to inject arbitrary code during the parsing of SOAP WSDL definition contents. FireEye analyzed a Microsoft Word document where attackers used the arbitrary code injection to download and execute a Visual Basic script that contained PowerShell commands.”