Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Microsoft Patches Office, IE Flaws Exploited in Attacks

Microsoft’s security updates for April 2017 address more than 40 critical, important and moderate severity vulnerabilities, including three zero-day flaws that have been exploited in attacks.

Microsoft’s security updates for April 2017 address more than 40 critical, important and moderate severity vulnerabilities, including three zero-day flaws that have been exploited in attacks.

According to Microsoft, the updates resolve flaws affecting Edge, Internet Explorer, Windows, Office, Visual Studio for Mac, .NET Framework, Silverlight and Adobe Flash Player components.

One of the zero-days patched by Microsoft this month is CVE-2017-0199, an Office and WordPad vulnerability that can be exploited for remote code execution. The security hole has been exploited in the wild by malicious actors to deliver various pieces of malware, including Dridex, WingBird, Latentbot and Godzilla.

Another vulnerability that has been actively exploited is CVE-2017-0210, a privilege escalation weakness affecting Internet Explorer. Microsoft said the flaw exists due to the lack of proper enforcement of cross-domain policies, and it can be exploited by tricking the targeted user into accessing a specially crafted web page. However, the company has not shared any information about the attacks it has been exploited in.

The third zero-day, an Office flaw which Microsoft says has been exploited in limited targeted attacks, has not been patched with this month’s updates. However, the company has released a mitigation that should help reduce the risk of exploitation until a patch is made available.

The issue, tracked by Microsoft with the identifier 2017-2605 (no CVE), is related to the Encapsulated PostScript (EPS) Filter in Office. The company’s mitigation turns off the EPS filter by default.

The list of critical flaws addressed on Tuesday also includes 13 bugs affecting Internet Explorer, Edge, .NET, Office and Hyper-V.

Microsoft has been transitioning from security bulletins to a database called Security Update Guide. The transition has now been completed – no security bulletins have been published this month – and while some users welcome the change, others said they liked the old format better.

Advertisement. Scroll to continue reading.

“[The] Security Update Guide provides a number of nice filtering options, but you lose a bit of the organization,” said Chris Goettl, product manager with Ivanti. “For instance, to look at all CVEs that are resolved for a single update, you must now look at each individually where the bulletin page had them organized into one place. Likely, it will take a while for people to get used to.”

It’s also worth noting that this is the last round of security updates for Windows Vista, which has reached end of support.

Adobe patches tens of flaws across several products

Security updates released on Tuesday by Adobe patch nearly 60 vulnerabilities across several of the company’s products. The Acrobat and Reader updates address 47 flaws, including many that could lead to arbitrary code execution.

The rest of the security holes impact Flash Player, Photoshop CC for Mac and Windows, Campaign, and the Creative Cloud Desktop Application for Windows. Adobe has found no evidence of exploitation in the wild.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Madhu Gottumukkala has been named Deputy Director of the cybersecurity agency CISA.

Wendi Whitmore has taken the role of Chief Security Intelligence Officer at Palo Alto Networks.

Phil Venables, former CISO of Google Cloud, has joined Ballistic Ventures as a Venture Partner.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.