Microsoft released security patches Tuesday for 55 vulnerabilities across the company’s products, including for three flaws that are already exploited in targeted attacks by cyberespionage groups.
Fifteen of the vulnerabilities fixed in Microsoft’s patch bundle for May are rated as critical and they affect Windows, Microsoft Office, Microsoft Edge, Internet Explorer, and the malware protection engine used in most of the company’s anti-malware products.
System administrators should prioritize the Microsoft Office patches because they address two vulnerabilities that attackers have exploited in targeted attacks over the past two months. Both of these flaws, CVE-2017-0261 and CVE-2017-0262, stem from how Microsoft Office handles Encapsulated PostScript (EPS) image files and can lead to remote code execution on the underlying system.
According to researchers from FireEye, the CVE-2017-0261 vulnerability has been exploited since late March by an unidentified gang of financially motivated attackers and by a Russian cyberespionage group called Turla.
Also known as Snake or Uroburos, the Turla group has been active since at least 2007 and has been responsible for some of the most complex cyberespionage attacks to date. Its targets are usually government entities, intelligence agencies, embassies, military organizations, research and academic institutions, and large corporations.
The CVE-2017-0261 exploits came in the form of Word documents with embedded malicious EPS content that were distributed via email. The attacks also attempted to exploit a Windows privilege escalation vulnerability tracked as CVE-2017-0001 that Microsoft patched on March 14.
Later, in April, researchers from FireEye and ESET discovered a different cyberespionage campaign exploiting the second EPS-related Microsoft Office vulnerability that was patched Tuesday: CVE-2017-0262. Those attacks were traced back to a Russian cyberespionage group known in the security industry as APT28, Fancy Bear, or Pawn Storm.
APT28 is the group blamed for hacking into the U.S. Democratic National Committee last year during the presidential election. The group’s selection of targets over the years has reflected Russia’s geopolitical interests leading many researchers to believe that APT28 is tied to the Russian Military Intelligence Service (GRU).
APT28’s past attacks have demonstrated that the group has access to an arsenal of zero-day exploits — exploits for previously undisclosed vulnerabilities. Its exploit for CVE-2017-0262 was distributed in a decoy document about President Donald Trump’s decision to launch an attack in Syria last month and was chained with another zero-day exploit for a Windows privilege escalation vulnerability (CVE-2017-0263) that was also patched Tuesday.
Even though the CVE-2017-0262 EPS vulnerability was technically patched Tuesday, users who installed the Microsoft Office updates released in April were protected against it. That’s because those updates disabled the EPS filter in Office as a defense-in-depth measure, Microsoft researchers said Tuesday in a blog post.
System admins should also prioritize this month’s security updates for Internet Explorer and Edge, because they fix critical vulnerabilities that could be exploited by visiting malicious websites or by viewing specially crafted advertisements inside the browsers. One of the patched IE flaws is already exploited by attackers, while one patched in Edge has been publicly disclosed.
The updates for Windows should come next on the priority list because they address several remote code execution vulnerabilities in the SMB network file-sharing protocol. These vulnerabilities put Windows desktop and server installations at risk of hacking if they use SMBv1.
Finally, users of Microsoft’s anti-malware products, including Windows Defender and Microsoft Security Essentials should make sure that their engine is updated to version 1.1.13704.0. Older versions contain a highly critical vulnerability that can be easily exploited by attackers to take complete control of computers.