Microsoft today patched a zero-day Word vulnerability that has been publicly attacked along with deploying fixes for Internet Explorer, Microsoft Edge and Windows 10. In all, nine Microsoft products received updates totaling 45 unique CVEs.
Three of the vulnerabilities among Tuesday’s updates, according to Microsoft, are under active attack.
One of the bugs (CVE-2017-0199) under attack is the zero-day vulnerability that used an embedded OLE2link object in a specially-crafted document to spread the Dridex banking Trojan. “There are updates for both Office and Windows to be applied, and both should be considered necessary for complete protection,” according to a Patch Tuesday analysis by the Zero Day Initiative.
Microsoft also pushed out a patch for an Internet Explorer elevation of privilege vulnerability (CVE-2017-0210) that was being actively exploited in attacks. This vulnerability could allow an attacker to access information from one domain and inject it into another domain, according to Microsoft.
An advisory was issued for (CVE-2017-2605) a Microsoft Office bug in the Encapsulated PostScript (EPS) filter in Office. Microsoft did not issue an update for this vulnerability. However, it released an update for Microsoft Office that turns off, by default, the EPS filter in Office as a defense-in-depth measure, according to Microsoft.
“Microsoft is aware of limited targeted attacks that could leverage an unpatched vulnerability in the EPS filter and is taking this action to help reduce customer risk until the security update is released,” Microsoft noted.
Microsoft also issued a fix for its new version of Windows 10 (Creators Update), which was made generally available today. It addresses several remote code execution and elevation of privilege vulnerabilities, said Greg Wiseman, senior security researcher with Rapid7.
“Data center admins can’t rest easy, however. This month sees updates for all supported versions of Windows Server, with fixes across the board for RCE, privilege escalation and denial of service vulnerabilities,” Wiseman said.
In all, 13 critical updates were part of this month’s list of vulnerabilities. Microsoft IE and Edge browsers received the majority of the critical updates.
One of the IE vulnerabilities (CVE-2017-0201) is a RCE bug that exists in the way that the JScript and VBScript engines render when handling objects in memory in IE 9 and 10. “An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” Microsoft wrote.
Microsoft issued a fix for a scripting engine memory corruption vulnerability (CVE-2017-0093) impacting Edge. In the most common scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability in Edge. “The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user,” Microsoft wrote.
“Also listed as critical are three CVEs for Hyper-V, which was an untested target in the most recent Pwn2Own,” noted Zero Day Initiative. Pwn2Own is the hacking competition held alongside CanSecWest that took place last month in Vancouver. The vulnerabilities (CVE-2017-0162, CVE-2017-0163, CVE-2017-0180) could allow malicious guest applications to execute code on the Hyper-V host operating system.
By comparison, today Adobe patched 59 vulnerabilities across Flash, Reader and Photoshop.
Today also marked a change in the way Microsoft releases bulletins, moving from the MSxx-xxx format and replacing it with a new security update guide. “Microsoft’s new system allows users to pivot on the common vulnerabilities and exposures (CVEs) and KB article numbers. They also provide the ability to search and filter based on product, severity, and impact (e.g. RCE, DoS etc.) which can help administrators prioritize how they roll out fixes,” Wiseman noted.