Windows 10: Severe threat called exploit:o97m/cve-2017-0199.pk!mtb.Am I in danger?

George Stanciu · Feb 26, 2023

Hi,When i turned on my pc i found in my antivirus history a severe threat called exploit97m/cve-2017-0199.pk!mtb.I have made a quick scan and a complete one and nothing showed up .It says that the fix was uncompleted .I have not installed anything and i use this pc mostly for gaming.Am i in danger?

:)

hasanHadi · Feb 26, 2023

O97M/CVE-2017-11882.A

Dear All,

Got an email with attachment, I clicked preview on outlook and immediately got Windows defender alert.

Its Exploit:O97M/CVE-2017-11882.A.

Checked the quarantined section it looks its there, but also was present under Allowed Threats section.

I couldn't remove the quarantined virus manually, and it just placed itself into the Allowed Threats.

Please advise how to remove this from my computer?

Thanks,

Hasan

Brink · Feb 26, 2023

Exploit for CVE-2017-8759 detected and neutralized

The September 12, 2017 security updates from Microsoft include the patch for a previously unknown vulnerability exploited through Microsoft Word as an entry vector. Customers using Microsoft advanced threat solutions were already protected against this threat.

The vulnerability, classified as CVE-2017-8759, was used in limited targeted attacks and reported to us by our partner, FireEye. Microsoft would like to thank FireEye for responsibly reporting this vulnerability and for working with us to protect customers.

Customers receiving automatic updates for Microsoft products are protected from this attack without any additional action required. Customers not enjoying the benefits of automatic updates should consider immediately applying this month’s updates to avoid unnecessary exposure.

Office 365 ATP and Windows Defender ATP customers protected

Customers running Microsoft advanced threat solutions such as Office 365 Advanced Threat Protection or Windows Defender Advanced Threat Protection were safe from this attack without the need of additional updates. The security configuration and reduced attack surface of Windows 10 S blocks this attack by default.

Office 365 ATP blocked the malicious attachments automatically in customer environments that have adopted the mail detonation and filtering solution. The attachment was blocked based on the detection of the malicious behaviors, as well as its similarity with previous exploits. SecOps personnel would see an ATP behavioral detection in Office 365’s Threat Explorer page:

Figure 1. Block reasons for the exploit attachment as seen in Office 365 ATP console

Windows Defender ATP was also able to raise multiple alerts related to post-exploitation activities performed by this exploit using scripting engines and PowerShell. Additional alerts may also be visible for subsequent stages of the attack performed after malware installation.

In addition, Windows Defender Antivirus detects and blocks exploits for this vulnerability as Exploit:RTF/Fitipol.A, Behavior:Win32/Fitipol.A, and Exploit:RTF/CVE-2017-8759.A using the cloud protection service, which delivers near-real-time protection against such never-before-seen threats.

Figure 2. Windows Defender ATP alerts raised for CVE-2017-8759 zero-day exploit

Protection with Windows Defender Exploit Guard

We are also happy to share with customers testing our upcoming Windows 10 Fall Creators Update that Windows Defender Exploit Guard was also able to prevent this attack using one of the many Attack Surface Reduction rules and exploit protection features.

Figure 3. Example of exploit blocking event logged by Windows Defender Exploit Guard

Windows Defender Exploit Guard is part of the defense-in-depth protection in the Windows 10 Fall Creators Update release.

Another zero-day leading to FinFisher

The CVE-2017-8759 vulnerability can allow remote code execution after users open a spam email, and double-click on an untrusted attachment and disable the Microsoft Office Protected View mode. The exploit uses Microsoft Word as the initial vector to reach the real vulnerable component, which is not related to Microsoft Office and which is responsible for certain SOAP-rendering functionalities through .NET classes.

For more information on this new campaign our partner FireEye has a good technical blog describing the infection mechanism and the details of the exploit.

After the initial notification from FireEye, Windows Defender telemetry revealed very limited usage of this zero-day exploit. The attacker used this exploit to deploy a spyware detected as Wingbird and also known to the security community as “FinFisher”, a commercial surveillance package often seen combined with expensive zero-day vulnerabilities and used by sophisticated actors.

Microsoft researchers believe that the adversary involved in this operation could be linked to the NEODYMIUM group, which has used similar zero-day exploits with spear-phishing attachments combined with the usage of FinFisher spyware. We previously reported about the NEODYMIUM group in the Windows Security blog in 2016. For additional information about this new attack as well as other NEODYMIUM attacks, we encourage ATP customers to review the in-product Threat Intelligence reports on this activity group.

Elia Florio
Windows Defender ATP Research Team
Click to expand...

Source: Exploit for CVE-2017-8759 detected and neutralized Windows Security blog

Reycko_ · Feb 26, 2023

[NEW UNPATCHED EXPLOIT] How to be safe from the CVE-2022-30190 exploit (workaround / temporary fix until it is patched) (Windows 7+)

So, there has been a new exploit called CVE-2022-30190 (MSDT exploit) that's been going on for about 7 weeks (not 100% accurate) and I kinda wanted to make a little post about the official temporary workaround (Microsoft Security Response Center article here). Also yes, it should work for Windows® 7+.

What the exploit does (not in detail because I'm not qualified for it nor ThioJoe):

(Source: https://www.youtube.com/c/ThioJoe)

So the exploit uses MSDT (Microsoft Diagnostics Troobleshooting Wizard, which is a tool for sending some PC info to get easier help from the Microsoft Phone Support) to run Powershell / Command Prompt / Batch code from Shortcuts and Microsoft Word® files.

The Workaround removes the ability to search for "ms-msdt://" in any browser to open the app (this is how it runs the app to do the exploit)

Workaround / Temporary Fix:

(Source: Microsoft Security Response Center)

Run Command Prompt as Administrator.

To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename.reg“

Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.

How to undo the workaround (when it is patched)

Run Command Prompt as Administrator.

To restore the registry key, execute the command “reg import filename.reg”

(filename is the location of the file, I personally recommend to just put it in the C:\ drive e.g. "C:\Before CVE-2022-30190 was patched.reg")

Thanks for reading, and stay safe!

* Moved from Virus & Malware

Windows 10: Severe threat called exploit:o97m/cve-2017-0199.pk!mtb.Am I in danger?

Severe threat called exploit:o97m/cve-2017-0199.pk!mtb.Am I in danger?

Severe threat called exploit:o97m/cve-2017-0199.pk!mtb.Am I in danger?

Severe threat called exploit:o97m/cve-2017-0199.pk!mtb.Am I in danger?

Severe threat called exploit:o97m/cve-2017-0199.pk!mtb.Am I in danger? - Similar Threads - Severe threat called

Severe threat called exploit:o97m/cve-2017-0199.pk!mtb.Am I in danger?

Severe threat called exploit:o97m/cve-2017-0199.pk!mtb.Am I in danger?

Microsoft Defender detected threat called - Exploit:O97M/CVE-2017-0199.AR!MSR

[NEW UNPATCHED EXPLOIT] How to be safe from the CVE-2022-30190 exploit workaround /...

Exploit CVE-2014-0543 is back

Attacks exploiting Netlogon vulnerability (CVE-2020-1472)

Exploit : O97M/CVE-2017-11882.BY!MTB

Get-SpeculationControlSettings not checking for CVE-2017-5753?

Exploit for CVE-2017-8759 detected and neutralized