Microsoft and Android have recently pushed out updates during this month’s Patch Tuesday for their known vulnerabilities on September 12 and September 5, respectively. Both of these operating system (OS) platforms patched around 80 of these known vulnerabilities. Among the vulnerabilities both OS’ patched were two specific vulnerabilities that could have allowed an unsuspecting victim’s systems to be compromised by an attacker. These vulnerabilities were in Microsoft’s .NET Framework, a software framework used for program language interoperability with several other program languages, and Android’s Toast, a feature in an Android smartphone used to briefly display messages on the screen’s display. By exploiting these vulnerabilities, an attacker could deliver malware to either system that has not been not been updated to the recent patch.
Microsoft .NET Vulnerability
A zero-day vulnerability addressed in one of Microsoft’s 80 vulnerabilities was in the Microsoft .NET Framework, which is recorded as CVE-2017-8759 and was studied by researchers at FireEye.
The vulnerable .NET versions are (for multiple OSes):
- Microsoft .NET Framework 2.0 Service Pack 2
- Microsoft .NET Framework 3.5
- Microsoft .NET Framework 3.5.1
- Microsoft .NET Framework 4.5.2
- Microsoft .NET Framework 4.6
- Microsoft .NET Framework 4.6.1
- Microsoft .NET Framework 4.6.2/4.7
- Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7
- Microsoft .NET Framework 4.7
Researchers at FireEye had conducted a forensic investigation on a recent case that had used this vulnerability. They discovered that FinFisher, a so-called lawful interception tool, was installed through remote code execution after a victim opened a Microsoft Word document called “Проект.doc”. This document, translated to English as Project.doc, contained a code to install the components of FINSPY, another naming convention FinFisher goes by. FINSPY then collected and sent the victim’s information to a command and control server to be used for the attackers purposes. FireEye researchers also suggest that a threat group Microsoft calls NEODYMIUM could have been behind the attack, since they have been know for using variants of FinFisher.
Android Toast Vulnerability
One of the vulnerabilities address in Android’s 81 vulnerabilities involved the Toast, which is recorded as CVE-2017-0752.
The vulnerable Android versions are:
- Android 2.3.3
- Android 2.3.7
- Android 4.0.3
- Android 4.0.4
- Android 4.1.x
- Android 4.2.x
- Android 4.3
- Android 4.4
- Android 5.0
- Android 5.1
- Android 6.0
- Android 7.0
- Android 7.1
Android’s Toast notification feature could be used for an attacker to elevate their privileges to lock the smartphone’s screen, reset the login PIN, erase all device data, and even prevent the victim from uninstalling the malicious application. According to researchers at Palo Alto Networks, an attacker could conduct an overlay attack to have an unsuspecting victim authorize one or multiple administrative features previously mentioned without their knowledge. An attacker could achieve this by creating a malicious application, uploading it to the Google Play store to be downloaded, then infect user’s Android devices. Palo Alto Networks researches have also discovered that Android 8.0 “Oreo” is not at risk for this type of overlay attack, since Oreo effectively handles its permissions checks.
Microsoft .NET vulnerable versions:
Microsoft Zero-Day Patch:
.NET Framework FinFisher:
Android Patch Tuesday:
Palo Alto Networks analysis: