Microsoft patched three zero-day vulnerabilities under active attack today as part of its May Patch Tuesday release.
Researchers with FireEye who uncovered the three vulnerabilities said the bugs were actively being exploited by threat actors Turla and APT28.
Two of the zero-day vulnerabilities (CVE-2017-0261 and CVE-2017-0262) were remote code execution (RCE) bugs related to how Microsoft’s Office suite handled Encapsulated PostScript (EPS). FireEye said the third zero-day vulnerability was tied to Windows and is an elevation of privilege vulnerability (CVE-2017-0263).
According to security experts, the RCE bugs could be triggered by simply viewing a malicious EPS image embedded in a document in any number of Microsoft Office applications. The elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, according to Microsoft.
“An attacker who successfully exploited this vulnerability (CVE-2017-0263) could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft said.
In total, Microsoft released patches for 55 unique CVEs in Internet Explorer, Edge, Office, Windows and the .NET Framework as part of its May Patch Tuesday release. Fourteen of the vulnerabilities were rated critical.
“The use of zero-day exploits by Turla Group and APT28 underscores their capacity to apply technically sophisticated and costly methods when necessary,” said Ben Read, a cyber espionage analyst with FireEye who co-authored the blog.
“APT28’s use of two zero days (CVE-2017-0262 and CVE-2017-0263) continues to demonstrate they are a very capable actor. Some of the talk about them doing less technically sophisticated credential theft shows they can bring the fastball when they need to against a harder target,” Read said in an interview with Threatpost.
He added that CVE-2017-0261 is being used by both a nation-state actor (Turla) and an unidentified financially motivated group. This, he said, illustrates a dynamic vulnerability market in which nation states and criminals buy from the same exploit vendors.
In April, researchers at Kaspersky Lab said there was a link between the Moonlight Maze cyberespionage operation of the mid- and late-1990s and the modern-day Turla APT. Turla’s malware hides on infected systems, steals data and sends it off to a remote server, much like other cyber espionage tools. In December, the Federal Bureau of Investigation and the US Department of Homeland Security implicated the hacking group APT28 (also known as Fancy Bear and Sofacy) in attacks against several election-related targets.
The three zero-day vulnerabilities come on the heels of Microsoft issuing an emergency out-of-band patch on Monday for a zero day in Microsoft’s Malware Protection Engine reported by Google Project Zero.
Also part of Patch Tuesday were updates to Microsoft Edge and Internet Explorer 11 to block sites that are protected with a SHA-1 certificate from loading and to display an invalid certificate warning.
“This change will only impact SHA-1 certificates that chain to a root in the Microsoft Trusted Root Program where the end-entity certificate or the issuing intermediate uses SHA-1. Enterprise or self-signed SHA-1 certificates will not be impacted, although we recommend that all customers quickly migrate to SHA-2 based certificates,” Microsoft wrote.
For the past couple of years, browser makers have raced to migrate from SHA-1 to SHA-2 as researchers have intensified warnings about collision attacks moving from theoretical to practical; in February, Google and CWI Amsterdam published the first practical SHA-1 collision, two PDF files with the same SHA-1 digest. Browser makers Google and Mozilla have already begun the deprecation of SHA-1.
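The scoping rule Microsoft describes above is easy to get wrong when auditing a site by hand: the root certificate’s own (self-signed) SHA-1 signature is irrelevant, but a SHA-1 signature on the end-entity certificate or on any issuing intermediate puts the site in scope. The following Python is an added example, not code from Threatpost or from Microsoft: it walks a PEM chain, decodes the outer signatureAlgorithm OID of each certificate with a minimal DER reader (standard library only, no `cryptography` dependency), and reports SHA-1 on every certificate except the trust anchor. It assumes the chain is ordered leaf first and root last, as servers are supposed to send it, and it does not check the other half of Microsoft’s condition, namely that the root is actually in the Microsoft Trusted Root Program. The sample certificates are constructed in the block with a tiny DER encoder so the example runs offline; their tbsCertificate bodies are dummies and they are not valid X.509 certificates.

```python
import base64
import re

# Signature-algorithm OIDs that mean "this certificate was signed with SHA-1".
SHA1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length (real certs need this)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return the dotted OID of Certificate.signatureAlgorithm.algorithm."""
    tag, cert, _ = _read_tlv(der, 0)        # Certificate ::= SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _tbs, pos = _read_tlv(cert, 0)       # tbsCertificate, skipped unparsed
    _, alg, _ = _read_tlv(cert, pos)        # AlgorithmIdentifier ::= SEQUENCE
    tag, oid, _ = _read_tlv(alg, 0)         # algorithm OBJECT IDENTIFIER
    assert tag == 0x06, "expected OID"
    return _decode_oid(oid)


def pem_chain_to_der(pem_text):
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def sha1_affected(pem_chain):
    """Apply Microsoft's scope: SHA-1 on leaf or intermediates counts, the root does not.

    Assumes leaf-first ordering; the last certificate is treated as the trust anchor.
    Returns a list of (role, algorithm-name) tuples, empty when the chain is unaffected.
    """
    ders = pem_chain_to_der(pem_chain)
    findings = []
    for i, der in enumerate(ders[:-1]):     # root (last cert) is exempt
        oid = signature_algorithm(der)
        if oid in SHA1_SIG_OIDS:
            findings.append(("end-entity" if i == 0 else "intermediate", SHA1_SIG_OIDS[oid]))
    return findings


# --- constructed test data: minimal DER encoder to fabricate stand-in certificates ---
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(chunk)
    return bytes(out)


def synthetic_cert_pem(sig_oid):
    """Constructed stand-in (NOT a valid X.509 cert): dummy tbsCertificate, real outer signatureAlgorithm."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" * 9)
    b64 = base64.b64encode(_tlv(0x30, tbs + alg + sig)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SHA256_RSA, SHA1_RSA = "1.2.840.113549.1.1.11", "1.2.840.113549.1.1.5"
# Leaf is SHA-256 but its issuing intermediate is SHA-1: in scope. Root SHA-1: ignored.
MIXED_CHAIN = synthetic_cert_pem(SHA256_RSA) + synthetic_cert_pem(SHA1_RSA) + synthetic_cert_pem(SHA1_RSA)
# Only the self-signed root is SHA-1: out of scope per Microsoft's statement.
ROOT_ONLY_CHAIN = synthetic_cert_pem(SHA256_RSA) + synthetic_cert_pem(SHA256_RSA) + synthetic_cert_pem(SHA1_RSA)

if __name__ == "__main__":
    print("mixed chain:", sha1_affected(MIXED_CHAIN))
    print("root-only SHA-1 chain:", sha1_affected(ROOT_ONLY_CHAIN))
```

Against a live site, feed the function the chain as the server presents it (for example the output of `openssl s_client -connect host:443 -showcerts`); any "end-entity" or "intermediate" finding means Edge and IE 11 will refuse to load the site after this update, while a SHA-1 signature that appears only on the root does not.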
The Microsoft updates follow in the footsteps of Adobe, which earlier in the day released a surprisingly small update, patching just eight vulnerabilities.