Patch Tuesday brought fixes for 57 vulnerabilities in Microsoft software, including fixes for zero-day exploits

May 10, 2017 04:57 GMT

Microsoft rolled out this month’s Patch Tuesday updates to address a total of 57 vulnerabilities in its software, including several security flaws that were being used by hacking groups linked to the Russian government.

The software giant revealed in a blog post today that it worked together with security companies ESET and FireEye to patch the vulnerabilities, explaining that users who installed the previous updates were already protected, but this month’s release introduces additional mitigations to make sure everyone is secure.

First and foremost, there’s the Office remote code execution (RCE) vulnerability documented in CVE-2017-0261, which the company says has been used by the hacking group Turla (also known as Venomous Bear, KRYPTON, and Waterbug). The exploit involved a compromised JavaScript script that was delivered to unpatched systems and used to deploy additional malware.

Microsoft says the first attacks were spotted in late March, but users running the previous updates were protected, which underscores how important it is to run a fully up-to-date system.

“Today, to fully address the EPS vulnerability and further protect the small number of customers who may choose to continue using the EPS filter, we released an update to address the Encapsulated PostScript vulnerability,” Microsoft explains.

Fancy Bear attacks

There’s also a second round of attacks that was spotted in mid-April, but once again customers were protected by the previous updates, the company says.

This time, the attacks were aimed at exploiting an Office RCE vulnerability detailed in CVE-2017-0262 and a Windows privilege escalation documented in CVE-2017-0263. Russian hackers were once again linked with these attacks, and security companies say Fancy Bear is very likely to be involved as well. Fancy Bear, also known as Strontium, has previously been connected to the Russian government.

Attacks aimed at exploiting these two vulnerabilities attempted to deploy malware flagged as Seduploader and GAMEFISH by the two security vendors.

“In terms of activity, we’ve seen a limited number of attempts to use this method, which is no longer valid,” Microsoft says.

Windows users are advised to patch their systems as soon as possible, though they should already be protected if the previous March and April updates were installed. Reboots will be required to complete the installation of this month’s Patch Tuesday rollout.