Besides a previously undisclosed code-execution flaw in Microsoft Word, the tech giant patches two more zero-day vulnerabilities that attackers had been exploiting in the wild for months, as part of this month’s Patch Tuesday.
In total, Microsoft patches 45 unique vulnerabilities in its nine products, including three previously undisclosed vulnerabilities under active attack.
The first vulnerability (CVE-2017-0199) under attack is a remote-code execution flaw that could allow an attacker to remotely take over a fully patched and up to date computer when the victim opens a Word document containing a booby-trapped OLE2link object.
The attack can bypass most exploit mitigations developed by Microsoft, and according to Ryan Hanson of security firm Optiv, in some cases, exploits can execute malicious code even when Protected View is enabled.
Microsoft has released a fix for CVE-2017-0199 and credited Hanson with responsible reporting the critical vulnerability to the company.
Patch for Critical IE Flaw Being Exploited in the Wild
The company also pushed out a patch for another critical vulnerability (CVE-2017-0210) under active attack. The flaw is an elevation of privilege vulnerability in Internet Explorer that would allow an attacker to trick a victim into visiting a compromised website.
The vulnerability could allow the attacker to access sensitive information from one domain and inject it into another domain.
“The vulnerability by itself does not allow arbitrary code to be run. However, the vulnerability could be used in conjunction with another vulnerability (for example, a remote code execution vulnerability) that could take advantage of the elevated privileges when running arbitrary code,” Microsoft’s guidance for the flaw reads.
This IE vulnerability is also being exploited in the wild.
Another Critical Word Vulnerability Yet Unpatched!
The third previously undisclosed flaw (CVE-2017-2605) resides in the Encapsulated PostScript (EPS) filter in Microsoft Office, but Microsoft did not actually release an update for this flaw in Tuesday’s update batch.
However, the tech giant issued an update for Microsoft Office that, by default, disable the EPS filter in MS Office as a defense measure. This Word vulnerability is also being exploited in the wild when a target opens a malicious EPS image in Word.
“Microsoft is aware of limited, targeted attacks that could leverage an unpatched vulnerability in the EPS filter and is taking this action to help reduce customer risk until the security update is released,” the guidance for the flaw reads.
The company also issued a patch for Windows 10 Creators Update, which was made available on Tuesday, addressing some remote code execution flaws and elevation of privilege bugs.
In total, Microsoft rolled out 15 security updates on Tuesday patching dozens of unique CVEs in its products, including the Windows OS, Exchange Server, Edge and Internet Explorer, Office, Office Services and Office Web Apps, Visual Studio for Mac Silverlight and Adobe Flash.
Users are strongly advised to install updates as soon as possible in order to protect themselves against the active attacks in the wild on three separate Microsoft products.