.NET Framework Remote Code Execution Vulnerability Advisory

Reference: CVE-2017-8759
Affected software: Multiple product versions of Microsoft .NET Framework, from version 2.0 up to version 4.7

A complete overview of the affected products can be consulted here: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2...

Type: Remote code execution. When a user clicks on an application or opens a document and a malicious script runs, access to the system can be obtained.

Sources

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2...
https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-di...

Risks

Successful exploitation of this vulnerability in the .NET Framework can give an attacker control of the affected machine. The attacker can then manipulate data (view, modify, delete), install applications, and create users with full access to the system.

Summary

This vulnerability can be triggered in different ways. There are ongoing attacks that abuse specific code in a Microsoft Office document. When a recipient opens that document, a Visual Basic script that uses PowerShell is downloaded and executed, which infects the machine.
The malware in question, a variant of FINSPY, then gives the attacker remote control over the system.

Recommended actions

Check whether your product version of .NET appears in the list of affected products:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2...
Use the “Download” option in the same list to check whether an update is available for your specific product version, and install it.
Multiple versions of the .NET Framework can be installed on a computer at the same time. All of them must be patched before the vulnerability is removed from such a system. Users can verify which versions of .NET are installed on a computer by visiting the following page and following the instructions:
https://support.microsoft.com/en-us/help/318785/how-to-determine-which-v...
A screenshot with the steps to follow is available, and by consulting the value (REG_DWORD) you can verify the version(s).
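
The registry check described above, as an added example that is not part of the original advisory: a PowerShell script that lists every .NET Framework version registered on a machine, so that none is overlooked when patching. The registry path and the Release-to-version thresholds are assumptions taken from Microsoft's general .NET documentation, not from this advisory; the script reports installed versions only and does not show whether the update has been applied.

```powershell
# Added example: enumerate installed .NET Framework versions from the registry.
# Assumption: the standard setup key below (not named in the advisory).
$ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'

# Assumption: minimum Release (REG_DWORD) values for 4.5 and later, highest first.
$thresholds = @(
    @(528040, '4.8'),   @(461808, '4.7.2'), @(461308, '4.7.1'), @(460798, '4.7'),
    @(394802, '4.6.2'), @(394254, '4.6.1'), @(393295, '4.6'),
    @(379893, '4.5.2'), @(378675, '4.5.1'), @(378389, '4.5')
)

function Resolve-ReleaseValue {
    param([int]$Release)
    foreach ($t in $thresholds) {
        if ($Release -ge $t[0]) { return $t[1] }
    }
    return 'unknown'
}

$found = Get-ChildItem -Path $ndp -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^(v\d|Full$|Client$)' } |
    ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        # Skip container keys and components that are not installed.
        if ($p.Install -ne 1 -or -not $p.Version) { return }
        [pscustomobject]@{
            Key         = $_.Name -replace '^.*\\NDP\\', ''
            Version     = $p.Version
            ServicePack = $p.SP
            Release     = $p.Release
            # Release exists only for 4.5+; older versions are identified by Version.
            Product     = if ($p.Release) { Resolve-ReleaseValue $p.Release } else { $p.Version }
        }
    }

if (-not $found) {
    Write-Warning "No .NET Framework entries found under $ndp"
} else {
    # Every row is a separately installed version that needs its own update.
    $found | Sort-Object Key | Format-Table -AutoSize
}
```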