Microsoft’s Patch Tuesday updates for May 2017 address tens of vulnerabilities, including several zero-day flaws exploited by profit-driven cybercriminals and two notorious Russia-linked cyber espionage groups.
The company has resolved more than 50 security holes affecting Windows, Internet Explorer, Edge, Office, the .NET framework, and Flash Player, for which Adobe released an update on Tuesday.
A blog post published by Microsoft revealed that the company had worked with ESET and FireEye to protect customers against attacks leveraging vulnerabilities in the Encapsulated PostScript (EPS) filter in Office. Both ESET and FireEye have released reports on the attacks they have observed.
FireEye has spotted attacks launched by a couple of cyber espionage groups believed to be connected to the Russian government and an unknown financially-motivated threat actor.
The Turla group’s attacks also leveraged CVE-2017-0001 for privilege escalation, while the cybercriminals used CVE-2016-7255 for privilege escalation.
Both FireEye and ESET have observed attacks involving zero-day vulnerabilities launched by the group known as APT28, Pawn Storm, Fancy Bear, Sofacy, Sednit and Strontium. This Russia-linked group, which some believe could be behind the recent election cyberattacks in France, has leveraged an Office RCE flaw (CVE-2017-0262) and a Windows privilege escalation (CVE-2017-0263). The malware delivered in these attacks is tracked by the security firms as Seduploader and GAMEFISH.
Microsoft pointed out that the Turla attacks were first spotted in March, and customers who had up-to-date systems had already been protected as CVE-2017-0001 was patched earlier that month. In April, the company also rolled out a defense-in-depth protection designed to prevent EPS attacks by disabling the EPS filter by default.
The updates released by the company this month patch the EPS-related vulnerabilities in Office (CVE-2017-0261 and CVE-2017-0262) to ensure that customers who need to use EPS filters are still protected.
Another zero-day patched by Microsoft on Tuesday is CVE-2017-0222, a memory corruption in Internet Explorer that can be exploited for remote code execution. No information has been shared on the attacks leveraging this security hole.
Related: Turla Cyberspies Developing Mac OS X Malware
Related: Microsoft Patches Many Exploited, Disclosed Flaws
Related: Microsoft Patches Office, IE Flaws Exploited in Attacks