InfoSec: Governments were also using MS Word 0-Day Exploit

Summary:

It turns out that the previously undisclosed vulnerability in Word (CVE-2017-0199) used for Dridex was also actively being exploited by government-sponsored hackers to spy on Russian targets since at least this January.
The news comes after security firm FireEye, which independently discovered this flaw last month, published a blog post revealing that FinSpy spyware was being installed as early as January using the same vulnerability in Word that Microsoft patched on Tuesday.

FinSpy or FinFisher is associated with the controversial UK-based firm "Gamma Group", which sells so-called "lawful intercept" spyware to governments around the world.

Extra References

  1. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199
  2. https://www.theregister.co.uk/2017/04/11/patch_tuesday_mess

Affects

  • Office/WordPad
  • Internet Explorer
    (All being actively targeted in the wild)

Fix

These fixes can now be installed automatically via Windows Update. Reboot and you're done. But there are caveats. For example, the patch bundles KB4015549, KB4015546, KB4015550 and KB4015547, which install the security fixes on Windows 7 and 8, have an unfortunate side-effect on computers using AMD Carrizo-based processors – they'll be blocked from receiving further software updates until Microsoft sorts that out. (probably never)

"If the PC uses an AMD Carrizo DDR4 processor, installing this update will block downloading and installing future Windows updates. Microsoft is working on a resolution and will provide an update in an upcoming release," was Microsoft's official statement.
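A quick way to check a Windows 7/8 machine before and after patching, as an added example (not from the original post or Microsoft): it reports which of the four KB bundles named above are already installed and prints the CPU model so an admin can weigh the Carrizo caveat first. The KB list is taken from the page; the Office updates for CVE-2017-0199 are not covered by this check because the page gives no KB numbers for them.

```powershell
# Added example: patch-state check for the Windows 7/8 bundles listed above.
# Office/WordPad patches for CVE-2017-0199 are NOT checked here (no KB IDs on the page).
$RequiredKBs = @('KB4015549', 'KB4015546', 'KB4015550', 'KB4015547')

# Get-HotFix writes a non-terminating error for IDs that are absent, so suppress
# it and work out the missing ones by comparison instead.
$Installed = Get-HotFix -Id $RequiredKBs -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty HotFixID
$Missing   = $RequiredKBs | Where-Object { $_ -notin $Installed }

$Os  = Get-CimInstance Win32_OperatingSystem
$Cpu = Get-CimInstance Win32_Processor | Select-Object -First 1

Write-Host "OS  : $($Os.Caption) ($($Os.Version))"
Write-Host "CPU : $($Cpu.Name)"   # compare against the AMD Carrizo caveat before installing

if ($Missing.Count -eq 0) {
    Write-Host 'All four April 2017 bundles from the post are installed.'
} else {
    Write-Host "Missing: $($Missing -join ', ')"
    Write-Host 'Install via Windows Update and reboot; on AMD Carrizo systems, expect the update-blocking side-effect described above.'
}
```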