Security Experts:

Connect with us

Hi, what are you looking for?



Microsoft Patches Zero-Days Exploited by Russia-Linked Hackers

Microsoft’s Patch Tuesday updates for May 2017 address tens of vulnerabilities, including several zero-day flaws exploited by profit-driven cybercriminals and two notorious Russia-linked cyber espionage groups.

Microsoft’s Patch Tuesday updates for May 2017 address tens of vulnerabilities, including several zero-day flaws exploited by profit-driven cybercriminals and two notorious Russia-linked cyber espionage groups.

The company has resolved more than 50 security holes affecting Windows, Internet Explorer, Edge, Office, the .NET framework, and Flash Player, for which Adobe released an update on Tuesday.

A blog post published by Microsoft revealed that the company had worked with ESET and FireEye to protect customers against attacks leveraging vulnerabilities in the Encapsulated PostScript (EPS) filter in Office. Both ESET and FireEye have released reports on the attacks they have observed.

FireEye has spotted attacks launched by a couple of cyber espionage groups believed to be connected to the Russian government and an unknown financially-motivated threat actor.

According to the security firm, the group known as Turla, Waterbug, KRYPTON and Venomous Bear has been exploiting an Office remote code execution (RCE) vulnerability tracked as CVE-2017-0261 to deliver a custom JavaScript implant dubbed by FireEye “SHIRIME.” The same vulnerability has also been exploited by profit-driven cybercriminals to deliver a new variant of the NETWIRE malware, a threat used by multiple actors over the past years.

The Turla group’s attacks also leveraged CVE-2017-0001 for privilege escalation, while the cybercriminals used CVE-2016-7255 for privilege escalation.

Both FireEye and ESET have observed attacks involving zero-day vulnerabilities launched by the group known as APT28, Pawn Storm, Fancy Bear, Sofacy, Sednit and Strontium. This Russia-linked group, which some believe could be behind the recent election cyberattacks in France, has leveraged an Office RCE flaw (CVE-2017-0262) and a Windows privilege escalation (CVE-2017-0263). The malware delivered in these attacks is tracked by the security firms as Seduploader and GAMEFISH.

Microsoft pointed out that the Turla attacks were first spotted in March, and customers who had up-to-date systems had already been protected as CVE-2017-0001 was patched earlier that month. In April, the company also rolled out a defense-in-depth protection designed to prevent EPS attacks by disabling the EPS filter by default.

The updates released by the company this month patch the EPS-related vulnerabilities in Office (CVE-2017-0261 and CVE-2017-0262) to ensure that customers who need to use EPS filters are still protected.

Another zero-day patched by Microsoft on Tuesday is CVE-2017-0222, a memory corruption in Internet Explorer that can be exploited for remote code execution. No information has been shared on the attacks leveraging this security hole.

The tech giant has also addressed four vulnerabilities that have been publicly disclosed. The list includes an RCE flaw in the JavaScript engines used by web browsers (CVE-2017-0229), a SmartScreen filter-related browser spoofing vulnerability (CVE-2017-0231), a privilege escalation in Edge (CVE-2017-0241), and a Mixed Content warnings bypass in Internet Explorer (CVE-2017-0064).

Related: Turla Cyberspies Developing Mac OS X Malware

Related: Microsoft Patches Many Exploited, Disclosed Flaws

Related: Microsoft Patches Office, IE Flaws Exploited in Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...