{"id":9254,"date":"2017-09-13T04:30:21","date_gmt":"2017-09-13T12:30:21","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/09\/13\/news-3027\/"},"modified":"2017-09-13T04:30:21","modified_gmt":"2017-09-13T12:30:21","slug":"news-3027","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/09\/13\/news-3027\/","title":{"rendered":"Bloated Patch Tuesday brings fix for nasty Word\/RTF\/Net vulnerability"},"content":{"rendered":"<p><strong>Credit to Author: Woody Leonhard| Date: Wed, 13 Sep 2017 04:16:00 -0700<\/strong><\/p>\n<p>Microsoft on Tuesday released 259 individual <a href=\"https:\/\/portal.msrc.microsoft.com\/en-us\/security-guidance\" rel=\"nofollow\">security patches<\/a>, covering 82 security holes (counting by CVE number). You may feel rushed to apply those patches, particularly when you hear about a really bad vulnerability involving Word, RTF, and the .NET Framework. The facts are a little less alarmist.<\/p>\n<p>Here&#8217;s a quick overview. The SANS Internet Storm Center has its usual <a href=\"https:\/\/isc.sans.edu\/forums\/diary\/Microsoft+Patch+Tuesday+September+2017\/22816\/\" rel=\"nofollow\">handy list of CVEs<\/a> and whether there are any known exploits. 
<a href=\"https:\/\/www.ghacks.net\/2017\/09\/12\/microsoft-security-updates-september-2017-release\/\" rel=\"nofollow\">Martin Brinkmann at Ghacks<\/a> stacks them up this way:<\/p>\n<p>\u00a0\u00a0\u00a0 <strong>Windows 7<\/strong>:\u00a0 22 vulnerabilities of which three are rated critical, 19 important<\/p>\n<p>\u00a0\u00a0\u00a0 <strong>Windows 8.1<\/strong>: 26 vulnerabilities of which four are rated critical, 22 important<\/p>\n<p>\u00a0\u00a0\u00a0 <strong>Windows 10 version 1703<\/strong>: 25 vulnerabilities of which two are rated critical, 23 important<\/p>\n<p>\u2026 in addition to a wide variety of patches to all versions of Windows, from Server 2008 R2 on, Internet Explorer, Edge, Skype, Exchange Server and \u2014 importantly \u2014 the .NET Framework. That\u2019s in addition to a <a href=\"https:\/\/support.microsoft.com\/en-us\/help\/4040279\/september-2017-updates-for-microsoft-office\" rel=\"nofollow\">bonus pack<\/a> of 45 security and 30 non-security patches for Office 2003 and later. We also have a new version of Office 2013 Click-to-Run, 15.0.4963.1002, and a new Office 2010 Click-to-Run, 14.0.7188.5002.<\/p>\n<p>Patch Tuesdays have turned into massive, bloated affairs, and this one\u2019s no exception. It\u2019s far too early to know whether any of the patches have bad problems lurking inside \u2014 we\u2019ll be following that closely in the weeks ahead \u2014 but there\u2019s one patch in particular that you need to consider.<\/p>\n<p>The key patch involves a bug in .NET called CVE-2017-8759, which surfaces when you use Word \u2014 but you need to use Word in a specific, unusual way. 
If you (or your users) jump through the right hoops, there\u2019s a chance your machine will acquire a snooping program known, variously, as Finspy, Wingbird and FinFisher.<\/p>\n<p>Are you at risk?<\/p>\n<p>Microsoft <a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2017\/09\/12\/exploit-for-cve-2017-8759-detected-and-neutralized\/\" rel=\"nofollow\">says<\/a> its \u201ctelemetry revealed very limited usage of this zero-day exploit.\u201d It goes on to say \u201cthe adversary involved in this operation could be linked to the NEODYMIUM group,\u201d which is a group Microsoft has <a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2016\/12\/14\/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe\/\" rel=\"nofollow\">long identified<\/a> as being interested in \u201ccampaigns simply to gather information about certain individuals.\u201d FireEye, which discovered the security hole, <a href=\"https:\/\/www.fireeye.com\/blog\/threat-research\/2017\/09\/zero-day-used-to-distribute-finspy.html\" rel=\"nofollow\">says<\/a> \u201cwe assess with moderate confidence that this malicious document [the only known infected sample] was used by a nation-state to target a Russian-speaking entity for cyber espionage purposes.\u201d<\/p>\n<p>So if you\u2019re protecting cyber espionage worthy launch codes, federal indictments, or secret interview tapes, for or from Russian speakers, you should take notice.<\/p>\n<p>The weird infection vector should give you pause. First, the bad guys have to get you to click on an RTF file, typically attached to an email. (RTF is an ancient formatted document file specification.) 
Second, the RTF file has to open in Word \u2014 savvy security folks set things up so RTF files open with the <a href=\"http:\/\/download.microsoft.com\/download\/6\/a\/6\/6a689355-b155-4fa7-ad8a-dfe150fe7ac6\/wordview_en-us.exe\" rel=\"nofollow\">Word Viewer<\/a>, or some other program, because RTF has been subverted so many times.<\/p>\n<p>Then, once you\u2019ve opened the nasty RTF file using Word, you have to click the button at the top of the Word screen that says \u201cEnable Editing.\u201d That button overrides Word\u2019s \u201cProtected view\u201d mode. (You can disable Protected view using a Group Policy, but that\u2019s unusual.) Only with Protected view turned off will the bad RTF file do the dirty deed.<\/p>\n<p>So, to get infected, you have to use Word to open an RTF file attached to an email (the only identified sample in the wild is called \u041f\u0440\u043e\u0435\u043a\u0442.doc), and then you have to click on Enable Editing.<\/p>\n<p>If you want to block \u041f\u0440\u043e\u0435\u043a\u0442.doc and its ilk, Microsoft has a <a href=\"https:\/\/portal.msrc.microsoft.com\/en-us\/security-guidance\/advisory\/CVE-2017-8759\" rel=\"nofollow\">list of a hundred-or-so patches<\/a> that you should consider for immediate installation.<\/p>\n<p>For most of us, I think it\u2019s a good idea to sit tight and see what the unpaid beta testers say about this month\u2019s Patch Tuesday patches.\u00a0<\/p>\n<p><em>I\u2019ll be posting updates as they occur on the <a href=\"https:\/\/www.askwoody.com\/2017\/bloated-patch-tuesday-brings-fix-for-nasty-wordrtfnet-vulnerability\/\" rel=\"nofollow\">AskWoody blog<\/a>.<\/em><\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3224390\/microsoft-windows\/bloated-patch-tuesday-brings-fix-for-nasty-wordrtfnet-vulnerability.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Woody 
Leonhard| Date: Wed, 13 Sep 2017 04:16:00 -0700<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p>Microsoft on Tuesday released 259 individual <a href=\"https:\/\/portal.msrc.microsoft.com\/en-us\/security-guidance\" rel=\"nofollow\">security patches<\/a>, covering 82 security holes (counting by CVE number). You may feel rushed to apply those patches, particularly when you hear about a really bad vulnerability involving Word, RTF, and the .NET Framework. The facts are a little less alarmist.<\/p>\n<p>Here&#8217;s a quick overview. The SANS Internet Storm Center has its usual <a href=\"https:\/\/isc.sans.edu\/forums\/diary\/Microsoft+Patch+Tuesday+September+2017\/22816\/\" rel=\"nofollow\">handy list of CVEs<\/a> and whether there are any known exploits. <a href=\"https:\/\/www.ghacks.net\/2017\/09\/12\/microsoft-security-updates-september-2017-release\/\" rel=\"nofollow\">Martin Brinkmann at Ghacks<\/a> stacks them up this way:<\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[13764,714,10525],"class_list":["post-9254","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-pcs","tag-security","tag-windows"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9254","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=9254"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9254\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=9254"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=9254"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=9254"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}