Microsoft Patch Tuesday fixes three flaws actively exploited in attacks in the wild

Today Microsoft Patch Tuesday fixed the zero-day Word vulnerability that has been actively exploited in attacks in the wild.

Microsoft today patched the zero-day Word vulnerability that has been exploited in attacks in the wild. Just yesterday I wrote about a phishing campaign leveraging the flaw to deliver the Dridex banking Trojan.

Microsoft published security patches that addressed a total of 45 CVEs in nine products, including Internet Explorer, Microsoft Edge and Windows 10. Most of the updates address problems in Microsoft IE and Edge browsers.

The company confirmed that three of the vulnerabilities among this Tuesday updates are under active attack in the wild.

The first vulnerability actively exploited by attackers is tracked as CVE-2017-0199, it allowed attackers to use a specially-crafted document embedding an OLE2link object to spread malware such as the Dridex banking Trojan.

“While labelled as an Outlook issue, this is actually bug actually stems from an issue within RTF files. According to published reports, the exploit uses an embedded OLE2link object in a specially-crafted document. It should also be noted that these attacks can be thwarted by enabling Office’s Protective View feature. There are updates for both Office and Windows to be applied, and both should be considered necessary for complete protection.” reads the Patch Tuesday analysis by the Zero Day Initiative.

The second flaw exploited in the wild is an Internet Explorer elevation of privilege vulnerability tracked as CVE-2017-0210. The flaw could be exploited by attackers to access information from one domain and inject it into another domain.

“The exploit allows an attacker to access sensitive information from one domain and inject it into another domain, which could allow the attacker to gain elevated privileges. However, direct code execution is not possible through this bug alone. Instead, it would likely be used with a bug that executes code at a low integrity level to elevate the code execution to medium level integrity.” continues ZDI.

Microsoft published an the 2017-2605*: “Defense-in-Depth Update for Microsoft Office”, to address a flaw tracked as CVE-2017-2605. It is a Microsoft Office bug in the Encapsulated PostScript (EPS) filter in Office.

“According to Microsoft, they are aware of “limited targeted attacks” that take advantage of an unpatched vulnerability in the EPS filter. This temporary measure is being pushed out until a true fix is released. Issues like this used to be covered by Security Advisories, so perhaps this indicates Microsoft has chosen to do away with these as well.” states the analysis.

Microsoft did not issue an update to address this flaw, it opted to update Microsoft Office turning off, by default, the EPS filter in Office as a defense-in-depth measure.

Microsoft also issued a fix for Windows 10 (Creators Update) that addresses several remote code execution and elevation of privilege flaws.

Giving a look at the list of the vulnerabilities fixed by this last Microsoft Patch Tuesday we can find:

• CVE-2017-0201 IE RCE vulnerability ;
• CVE-2017-0093 Edge scripting engine memory corruption vulnerability;
• CVE-2017-0162, CVE-2017-0163, CVE-2017-0180 Hyper-V vulnerabilities;

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Mirai Botnet, Bitcoin)