On Friday, Trend Micro reported that one of the Windows zero-day vulnerabilities patched by Microsoft this month, has been exploited by cybercriminals since last summer.
The March 2017 Patch released on Tuesday, fixed a number of vulnerabilities alongside three flaws which had been exploited in the wild.
A flaw, that was tracked as CVE-2017-0022, has been described as an XML Core Services information disclosure vulnerability which can be exploited via Internet Explorer by making the victim to open a customized link especially made for this purpose.
“An information vulnerability exists when Microsoft XML Core Services (MSXML) improperly handles objects in memory. Successful exploitation of the vulnerability could allow the attacker to test for the presence of files on disk,” Microsoft stated.
Trend Micro said that the zero-day flaw has been used in the AdGholas malvertising campaign since July 2016, being added to the Neutrino exploit kit last September.
According to security researchers, CVE-2017-0022 replaced CVE-2016-3298 and CVE-2016-3351, which had also been used by AdGholas and another participant in malvertising operations before the new patches were released.
Several months ago, the experts reported that CVE-2016-3298 and CVE-2016-3351 had been leveraged by the hackers in order to avoid security researchers. Obviously, CVE-2017-0022 was used for similar purposes.
“Successful exploitation of this vulnerability could allow a cybercriminal access to information on the files found in the user’s system,” the threat analysts Brooks Li and Henry Li said. “In particular, the attacker would be able to detect if the system is using specific security solutions – especially ones that analyze malware.”
A technical analysis of the vulnerability and Microsoft’s patch was released by Trend Micro. In addition, the firm has provided a brief explanation of how CVE-2017-0022 is exploited in a Neutrino exploit kit malvertising campaign.