Yesterday's round of Patch Tuesday fixes from Microsoft included an update for a zero-day security vulnerability in Windows that was actively exploited by "an undisclosed nation" to install spyware on vulnerable PCs.
ARS Technica reports the exploit spread via a Microsoft Word document and abused a flaw in Microsoft's .Net framework to install the Finspy malware. Interestingly, this malware is developed by a British company and is sold to governments around the world:
Microsoft Word 0-day was actively exploited by strange bedfellows
The exploit, according to a blog post published Tuesday by security firm FireEye, was embedded in a Microsoft Word document. Once opened, the document exploited a zero-day vulnerability in Microsoft's .Net framework. The exploit caused the targeted computer to install Finspy (sometimes "FinSpy"), a family of surveillance software that its controversial developer, UK-based Gamma Group, sells to governments throughout the world. Tuesday's blog post said the document might have been used to infect an unnamed "Russian speaker." The vulnerability, indexed as CVE-2017-8759, comes five months after FireEye disclosed a different zero-day being used to distribute Finspy.
"These exposures demonstrate the significant resources available to 'lawful intercept' companies and their customers," FireEye researchers wrote. "Furthermore, Finspy has been sold to multiple clients, suggesting the vulnerability was being used against other targets."
Besides this 0-day .NET vulnerability, Microsoft also fixed over 80 other bugs on this month's Patch Tuesday.