Microsoft on Tuesday released 259 separate security patches, covering 82 security holes (counting by CVE number). You might feel rushed to install those patches, especially when you hear about a really bad vulnerability involving Word, RTF, and the .NET Framework. The reports are a little bit alarmist.
Windows 7: 22 vulnerabilities, of which 3 are rated critical, 19 important
Windows 8.1: 26 vulnerabilities, of which 4 are rated critical, 22 important
Windows 10 version 1703: 25 vulnerabilities, of which two are rated critical, 23 important
… in addition to a wide array of patches to all versions of Windows, from Server 2008 R2 on, Internet Explorer, Edge, Skype, Exchange Server and — importantly — the .NET Framework. That’s in addition to a bonus pack of 45 security and 30 non-security patches for Office 2003 and later. We also have a new version of Office 2013 Click-to-Run, 15.0.4963.1002, and a new Office 2010 Click-to-Run, 14.0.7188.5002.
Patch Tuesdays have turned into massive, sprawling affairs, and this one’s no exception. It’s far too early to know whether any of the patches have bad problems lurking inside — we’ll be following that closely in the weeks ahead — but there’s one patch in particular that we need to consider.
The key patch involves a bug in .NET called CVE-2017-8759, which surfaces when you use Word — but you need to use Word in a specific, unusual way. If you (or your users) jump through the right hoops, there’s a chance your machine will acquire a snooping program known, variously, as Finspy, Wingbird and FinFisher.
Are you at risk?
Microsoft says its “telemetry indicated very limited use of this zero-day exploit.” It goes on to say “the adversary involved in this campaign could be related to the NEODYMIUM group,” which is a group Microsoft has long identified as being interested in “campaigns simply to gather information about certain individuals.” FireEye, which detected the security hole, says “we assess with moderate confidence that this malicious document [the only known infected sample] was used by a nation-state to target a Russian-speaking entity for cyber espionage purposes.”
So if you’re guarding cyber-espionage-worthy launch codes, federal indictments, or top-secret conversation tapes, for or from Russian speakers, you should take notice.
The odd infection vector should give you pause. First, the bad guys have to get you to click on an RTF file, typically attached to an email. (RTF is an ancient formatted document file specification.) Second, the RTF file has to open in Word — savvy security folks set things up so RTF files open with the Word Viewer, or some other program, because RTF has been subverted so many times.
Then, once you’ve opened the nasty RTF file using Word, you have to click the button at the top of the Word screen that says “Enable Editing.” That button overrides Word’s “Protected view” mode. (You can disable Protected view using a Group Policy, but that’s unusual.) Only with Protected view turned off will the bad RTF file do its dirty deed.
So, to get infected, you have to use Word to open an RTF file attached to an email (the only identified sample in the wild is called Проект.doc), and then you have to click on Enable Editing.
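The two local controls that the chain above depends on, Word's Protected View and which program is registered to open RTF files, can be audited from PowerShell. This is an added example, not code from the original column; it assumes the Office 2016-family registry version "16.0" (use "15.0" for Office 2013 or "14.0" for Office 2010) and the standard Office policy value names.

```powershell
# Added example, not from the original column: read-only audit of the two
# controls the text relies on, Word's Protected View state and the program
# registered for .rtf. Assumed: Office 2016-family registry version "16.0"
# (use "15.0" for Office 2013, "14.0" for Office 2010). Nothing is changed.
$OfficeVersion = '16.0'

# Group Policy location is checked first because it overrides the user's Trust Center choice.
$ProtectedViewPaths = @(
    "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Word\Security\ProtectedView",
    "HKCU:\Software\Microsoft\Office\$OfficeVersion\Word\Security\ProtectedView"
)
# Each of these DWORDs, when set to 1, turns Protected View off for that file source.
$ProtectedViewValues = 'DisableAttachmentsInPV', 'DisableInternetFilesInPV', 'DisableUnsafeLocationsInPV'

function Get-ProtectedViewState {
    param([string[]]$Paths, [string[]]$ValueNames)
    foreach ($name in $ValueNames) {
        $state  = 'enabled (default, value not set)'
        $source = 'n/a'
        foreach ($path in $Paths) {
            $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $state  = if ($item.$name -eq 1) { 'DISABLED' } else { 'enabled' }
                $source = $path
                break   # first hit wins; the policy path is listed first
            }
        }
        [pscustomobject]@{ Setting = $name; ProtectedView = $state; Source = $source }
    }
}

function Get-RtfHandler {
    # The per-user explicit choice (Default Programs) takes precedence over the machine-wide default.
    $userChoice = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rtf\UserChoice' -ErrorAction SilentlyContinue
    if ($userChoice) { return [pscustomobject]@{ Scope = 'user'; ProgId = $userChoice.ProgId } }
    $machine = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.rtf' -ErrorAction SilentlyContinue
    [pscustomobject]@{ Scope = 'machine'; ProgId = $machine.'(default)' }
}

Get-ProtectedViewState -Paths $ProtectedViewPaths -ValueNames $ProtectedViewValues | Format-Table -AutoSize
$handler = Get-RtfHandler
"RTF files open with ProgId '$($handler.ProgId)' ($($handler.Scope) scope)"
# A Word ProgId (for example Word.RTF.8) together with any DISABLED row above is
# the configuration the column describes as needed for the RTF to run unprompted.
```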
If you want to block Проект.doc and its ilk, Microsoft has a list of the hundred-or-so patches that you should consider for immediate installation.
For most of us, I think it’s a good idea to sit tight and see what the unpaid beta testers say about this month’s Patch Tuesday patches.
I’ll be posting updates as they occur on the AskWoody blog.