Microsoft Patches Office, IE Flaws Exploited in Attacks

Microsoft’s security updates for April 2017 address more than 40 critical, important and moderate severity vulnerabilities, including three zero-day flaws that have been exploited in attacks.

According to Microsoft, the updates resolve flaws affecting Edge, Internet Explorer, Windows, Office, Visual Studio for Mac, .NET Framework, Silverlight and Adobe Flash Player components.

One of the zero-days patched by Microsoft this month is CVE-2017-0199, an Office and WordPad vulnerability that can be exploited for remote code execution. The security hole has been exploited in the wild by malicious actors to deliver various pieces of malware, including Dridex, WingBird, Latentbot and Godzilla.

Another vulnerability that has been actively exploited is CVE-2017-0210, a privilege escalation weakness affecting Internet Explorer. Microsoft said the flaw exists due to the lack of proper enforcement of cross-domain policies, and it can be exploited by tricking the targeted user into accessing a specially crafted web page. However, the company has not shared any information about the attacks it has been exploited in.

The third zero-day, an Office flaw which Microsoft says has been exploited in limited targeted attacks, has not been patched with this month’s updates. However, the company has released a mitigation that should help reduce the risk of exploitation until a patch is made available.

The issue, tracked by Microsoft with the identifier 2017-2605 (no CVE), is related to the Encapsulated PostScript (EPS) Filter in Office. The company’s mitigation turns off the EPS filter by default.

The list of critical flaws addressed on Tuesday also includes 13 bugs affecting Internet Explorer, Edge, .NET, Office and Hyper-V.

Microsoft has been transitioning from security bulletins to a database called Security Update Guide. The transition has now been completed – no security bulletins have been published this month – and while some users welcome the change, others said they liked the old format better.

“[The] Security Update Guide provides a number of nice filtering options, but you lose a bit of the organization,” said Chris Goettl, product manager with Ivanti. “For instance, to look at all CVEs that are resolved for a single update, you must now look at each individually where the bulletin page had them organized into one place. Likely, it will take a while for people to get used to.”

It’s also worth noting that this is the last round of security updates for Windows Vista, which has reached end of support.

Adobe patches tens of flaws across several products

Security updates released on Tuesday by Adobe patch nearly 60 vulnerabilities across several of the company’s products. The Acrobat and Reader updates address 47 flaws, including many that could lead to arbitrary code execution.

The rest of the security holes impact Flash Player, Photoshop CC for Mac and Windows, Campaign, and the Creative Cloud Desktop Application for Windows. Adobe has found no evidence of exploitation in the wild.