CVE-2017-0199: What REAL 0-Day Vulnerability Protection Looks Like

News of a Microsoft Word 0-day vulnerability spread like wildfire this week. Discovered by FireEye, the attack is executed when a user opens a Word attachment that includes a malicious OLE2 (Object Linking and Embedding) object embedded in a specially-crafted Word document, which can then spread the Dridex banking Trojan. The 0-day vulnerability, CVE-2017-0199, was patched as part of Microsoft’s Patch Tuesday security updates this week.
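Documents exploiting this vulnerability carry an OLE object whose target is an external link rather than an embedded payload. The following added example (not code from SentinelOne or from the original post) shows one defender-side triage check for the OOXML (.docx) container only: it walks the package's relationship parts and flags any OLE object relationship whose TargetMode is External. The sample document it builds is constructed inline; the link target and the assumption that a plain external OLE link is suspicious enough to flag for review are the author's, not the page's.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML package-relationship namespace and the suffix of the OLE object
# relationship type (Office writes the full schemas.openxmlformats.org URI).
PR_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_SUFFIX = "/relationships/oleObject"


def find_external_ole_links(docx_bytes):
    """Return (rels_part, target) pairs for OLE objects linked to an external target.

    An embedded OLE object normally points at a part inside the package
    (e.g. embeddings/oleObject1.bin) with no TargetMode; a linked object
    carries TargetMode="External" and a target the document will resolve
    when it is opened, which is the pattern worth sending to analysis.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{PR_NS}}}Relationship"):
                is_ole = rel.get("Type", "").endswith(OLE_REL_SUFFIX)
                if is_ole and rel.get("TargetMode") == "External":
                    hits.append((name, rel.get("Target", "")))
    return hits


def build_sample_docx(ole_target, external=True):
    """Construct a minimal .docx-like package with one OLE relationship (constructed sample)."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{PR_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        f'officeDocument/2006/relationships/oleObject" Target="{ole_target}"{mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/document.xml", "<w:document/>")
        pkg.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    linked = build_sample_docx("http://example.invalid/linked.doc")
    print(find_external_ole_links(linked))  # flags the external link
    print(find_external_ole_links(build_sample_docx("embeddings/oleObject1.bin", False)))  # []
```

Run it over a quarantined mail attachment store to prioritise which documents go to a sandbox first; it reads only the package manifest and never renders or resolves the link.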

SentinelOne customers were protected from this vulnerability even without a product update. How did we do this? In the video demonstration below, I will show how the SentinelOne Endpoint Protection Platform agent was able to detect and prevent an attack utilizing an exploit for the CVE-2017-0199 vulnerability. The version of the agent being tested was released in the summer of 2016, before this vulnerability was publicly known, while it was still considered a 0-day.

What we have demonstrated here is how an exploit for CVE-2017-0199 is used to spread Dridex. Since its discovery, researchers have also found that the exploit has been used by a number of malicious actors to spread other malware.

Bottom line: Even with a patch available, this exploit will continue to be used in the wild. This is another example of how important it is to ensure that your organization’s systems are kept up to date.