Recommendations for mitigating threats related to CVE-2017-8759
General threat description
On September 12, 2017, information was published about the vulnerability CVE-2017-8759 , which is associated with remote code execution using Microsoft Office documents.
The vulnerability was discovered by FireEye as a result of fixing a number of attacks using a previously unknown exploit.
Vulnerabilities CVE-2017-8759 are affected by the Microsoft Windows family of operating systems. The exploitation of this vulnerability with the introduction of third-party code is performed using the vulnerable component of Microsoft.NET Framework - SOAP WSDL Parser, which allows to obtain user rights on the vulnerable system.
This vulnerability is highly critical for a number of reasons:
1) The exploitation of the vulnerability does not require the use and inclusion of macros in office applications Microsoft Office;
2) To exploit the vulnerability, it is enough for the user to open a malicious file;
3) The exploit code for this vulnerability is published in the public domain on the Internet and this means that any network user can take advantage of this vulnerability.
Threat name: CVE-2017-8759 ".NET Framework Remote Code Execution Vulnerability".
Possible attack vectors: sending targeted phishing with an attachment to a Microsoft Office document (doc, rtf, etc.).
Vulnerable systems:operating systems of the Microsoft Windows family from Windows 7 to the latest versions, the Microsoft .NET Framework component from version 2.0 to 4.72. A complete list of vulnerable OS and components is available here .
Threat propagation scale: at the moment, there is one phishing campaign that uses the CVE-2017-8759 exploit for installing the FINSPY Trojan (FinFisher).
Preventive measures
To reduce the risks associated with the CVE-2017-8759 vulnerability, it is recommended:
1. Install a security update that matches the version of the operating system and version of the Microsoft .NET Framework. A complete list of vulnerable OS and components is available here ;
2. Update signature databases of installed anti-virus software;
3. Update the IPS signature database, secure mail and web gateways (ESG, WSG) and other signature SPI.
Note: the link provides identifiers for full updates, while for systems prior to Windows 8.1 and Windows Server 2012 R2, it is possible to install only security updates - the Security Only Release columnin the original Microsoft table.
It is also necessary to update the signature databases of the installed antivirus software in order to prevent FINSPY infection.
Vulnerability Description
Remote Code Execution Vulnerability, registered with CVE-2017-8759 ID, was discovered by FireEye experts in the WSDL Parser module (Web Services Description Language) in the Microsoft .NET Framework. The method of the IsValidUrl module does not correctly check the passed values for the presence of the CRLF sequence (line and carriage wrapping) in them. Thus, an attacker using this sequence has the ability to inject malicious code into the module execution process.

Figure 1. An example of using the vulnerability
Compromise indicators
Currently known hash sums (MD5) of malicious files:
- Project.doc malicious file: fe5c4d6bb78e170abf5cf3741868ea4c;
- FINSPY: a7b990d5f57b244dd17e9a937a41e7f5.
The team of experts at Informzashchita is ready to advise all companies concerned about the current situation on the issues of risks and threats, as well as quickly ensure the protection of infrastructure.
Posted by: Technical Directorate of Informzashchita