Microsoft on Tuesday released 259 individual security patches, covering 82 security holes (counting by CVE number). You may feel rushed to apply those patches, particularly when you hear about a really bad vulnerability involving Word, RTF, and the .NET Framework. The facts are a little less alarmist.
Windows 7: 22 vulnerabilities of which three are rated critical, 19 important
Windows 8.1: 26 vulnerabilities of which four are rated critical, 22 important
Windows 10 version 1703: 25 vulnerabilities of which two are rated critical, 23 important
… in addition to a wide variety of patches to all versions of Windows, from Server 2008 R2 on, Internet Explorer, Edge, Skype, Exchange Server and — importantly — the .NET Framework. That’s in addition to a bonus pack of 45 security and 30 non-security patches for Office 2003 and later. We also have a new version of Office 2013 Click-to-Run, 15.0.4963.1002, and a new Office 2010 Click-to-Run, 14.0.7188.5002.
Patch Tuesdays have turned into massive, bloated affairs, and this one’s no exception. It’s far too early to know whether any of the patches have bad problems lurking inside — we’ll be following that closely in the weeks ahead — but there’s one patch in particular that you need to consider.
The key patch involves a bug in .NET called CVE-2017-8759, which surfaces when you use Word — but you need to use Word in a specific, unusual way. If you (or your users) jump through the right hoops, there’s a chance your machine will acquire a snooping program known, variously, as Finspy, Wingbird and FinFisher.
Are you at risk?
Microsoft says its “telemetry revealed very limited usage of this zero-day exploit.” It goes on to say “the adversary involved in this operation could be linked to the NEODYMIUM group,” which is a group Microsoft has long identified as being interested in “campaigns simply to gather information about certain individuals.” FireEye, which discovered the security hole, says “we assess with moderate confidence that this malicious document [the only known infected sample] was used by a nation-state to target a Russian-speaking entity for cyber espionage purposes.”
So if you’re protecting cyber espionage worthy launch codes, federal indictments, or secret interview tapes, for or from Russian speakers, you should take notice.
The weird infection vector should give you pause. First, the bad guys have to get you to click on an RTF file, typically attached to an email. (RTF is an ancient formatted document file specification.) Second, the RTF file has to open in Word — savvy security folks set things up so RTF files open with the Word Viewer, or some other program, because RTF has been subverted so many times.
Then, once you’ve opened the nasty RTF file using Word, you have to click the button at the top of the Word screen that says “Enable Editing.” That button overrides Word’s “Protected view” mode. (You can disable Protected view using a Group Policy, but that’s unusual.) Only with Protected view turned off will the bad RTF file do the dirty deed.
So, to get infected, you have to use Word to open an RTF file attached to an email (the only identified sample in the wild is called Проект.doc), and then you have to click on Enable Editing.
If you want to block Проект.doc and its ilk, Microsoft has a list of a hundred-or-so patches that you should consider for immediate installation.
For most of us, I think it’s a good idea to sit tight and see what the unpaid beta testers say about this month’s Patch Tuesday patches.
I’ll be posting updates as they occur on the AskWoody blog.