As part of this month’s Patch Tuesday, Microsoft has released security patches for a total of 55 vulnerabilities across its products, including fixes for four zero-day vulnerabilities being exploited in the wild.
Just yesterday, Microsoft separately released an emergency out-of-band update to patch a remote code execution bug (CVE-2017-0290) in Microsoft’s Antivirus Engine, which is enabled by default on Windows 7, 8.1, RT, 10 and Server 2016 operating systems.
The vulnerability, reported by Google Project Zero researchers, could allow an attacker to take over your Windows PC with just an email, even one you haven’t opened yet.
May 2017 Patch Tuesday — Out of 55 vulnerabilities, 17 have been rated as critical and affect the company’s main operating systems, along with other products like Office, Edge, Internet Explorer, and the malware protection engine used in most of Microsoft’s anti-malware products.
Sysadmins all over the world should prioritize May’s Patch Tuesday, as it addresses four critical zero-day vulnerabilities, three of which have been actively exploited by cyber-espionage groups in targeted attacks over the past few months.
3 Zero-Days Were Exploited in the Wild by Russian Cyber-Espionage Group
First Zero-Day Vulnerability (CVE-2017-0261) — It affects the 32- and 64-bit versions of Microsoft Office 2010, 2013 and 2016, and resides in how Office handles Encapsulated PostScript (EPS) image files, leading to remote code execution (RCE) on the system.
This Office vulnerability could be exploited by tricking victims into opening a file containing a malformed graphics image in an email. The attack also exploits a Windows privilege escalation bug (CVE-2017-0001), which the company patched on March 14, to gain full control over the system, essentially allowing attackers to install spyware and other malware.
According to FireEye researchers, the CVE-2017-0261 flaw has been exploited since late March by an unknown group of financially motivated hackers and by a Russian cyber-espionage group called Turla, also known as Snake or Uroburos.
Second Zero-Day Vulnerability (CVE-2017-0262) — FireEye and ESET researchers believe that the APT28 hacking group, also known as Fancy Bear or Pawn Storm, was actively using this EPS-related Microsoft Office zero-day vulnerability, which leads to remote code execution when a malformed file is opened.
Third Zero-Day Vulnerability (CVE-2017-0263) — The third zero-day bug is an elevation of privilege (EoP) vulnerability in all supported versions of Microsoft’s Windows operating system.
This vulnerability exists in the way the Windows kernel-mode driver handles objects in memory, allowing attackers to run arbitrary code in kernel mode and then install malware; view, change, or delete data; and even create new accounts with full user rights.
Researchers believe that the Russian cyber-espionage group was also actively exploiting this flaw (CVE-2017-0263) along with the second zero-day vulnerability (CVE-2017-0262).
Fourth Zero-Day Vulnerability (CVE-2017-0222) — Another zero-day vulnerability affects Internet Explorer 10 and 11 and resides in how Internet Explorer handles objects in memory.
Opening a malicious web page can corrupt memory to trigger remote code execution, allowing attackers to take control of an affected system. According to the tech giant, this issue was also exploited in the wild.
Patches for Other Critical Vulnerabilities — This month’s security updates also fix critical vulnerabilities in both Edge and Internet Explorer (IE) that could lead to remote code execution by tricking victims into visiting malicious websites or viewing specially crafted advertisements inside the browsers.
Besides this, Microsoft also addresses four critical remote code execution bugs (CVE-2017-0272, CVE-2017-0277, CVE-2017-0278, and CVE-2017-0279) in the Windows SMB network file-sharing protocol, which affect Windows 7 through 10 and Windows Server 2008 through 2016.
These vulnerabilities put Windows PCs and server installations at risk of hacking if they use SMBv1, though there have been no reports of any of these flaws being exploited in the wild.
As usual, Adobe Flash Player patches are also included in the security update to address 7 CVE-listed flaws on Windows, macOS, and Linux.
Windows users are strongly advised to install the latest updates as soon as possible in order to protect themselves against the active attacks in the wild.