Recently, Microsoft patched a vulnerability that could be used in phishing attacks to direct users to malicious websites, known as CVE-2017-0022. This is one of three that have been exploited by attackers in the wild since last year.
The security update is available in March’s Patch Tuesday, which included two months of updates and 18 security bulletins - 9 of which were rated as critical.
The CVE-2017-0022 is a Microsoft XML Core Services Information Disclosure vulnerability that could be used by an attacker hosting a spoofed website that could allow the attacker to test for the presence of files on disk. The attacker would have to convince a user to click a link in an email message that would direct them to the malicious website.
According to Trend Micro, the vulnerability was used in the AdGholas malvertising campaign and packaged into the Neutrino exploit kit. In addition to using the vulnerability in phishing attacks and to access information on files found on the user’s system, the attacker could also detect if the system was using particular security software, such as malware analysis tools.
How does a user get exploited by this vulnerability? First, they visit a website using a web browser that serves up a malicious advertisement. The browser is then redirected to a malicious landing page that hosts the exploit kit. After checking the user’s system for security software, the kit launches its malware if the tools aren’t detected. To test your organization’s risk of getting phished, launch an internal phishing campaign.
Attackers will often target non-critical vulnerabilities (such as CVE-2017-0022, considered medium severity) as part of a strategic approach - these type of vulnerabilities will often be relegated to getting fixed at a later date by software vendors than the more critical, attention-grabbing vulnerabilities. That means attackers have more time to exploit them, according to Trend Micro.
Other critical vulnerabilities patched in March by Microsoft affect the web browser, Internet Explorer (IE). The most severe could allow for remote code execution if a user visits a malicious website via IE, giving an attacker the same user rights as the user, according to the Microsoft Security Bulletin.
This is why it’s imperative for organizations to update their software regularly and on a timely basis to stay protected against the latest vulnerabilities that may be leveraged via phishing attempts. With Duo’s Device Insight, you can check every endpoint that logs into your company’s applications for out-of-date software. Plus, you can enforce device access policies that require the latest versions by either warning users if they need to update, or blocking them until they do, by using Duo’s Endpoint Remediation.
Duo Beyond gives you even more control and insight - differentiating between managed (corporate-owned) and unmanaged (employee-owned) devices accessing your services. To protect against unknown and potentially risky devices, you can leverage Trusted Endpoints to block access by unmanaged devices.
See the latest enterprise endpoint trends in Duo’s 2016 Trusted Access Report: Microsoft Edition.