Coming together to address Encapsulated PostScript (EPS) attacks
MSRC Team May 9, 2017
Today's security updates include three updates that exemplify how the security
ecosystem can come together to help protect consumers and enterprises. We would
like to thank FireEye and ESET for working with us.
Customers that have the latest security updates installed are protected against
the attacks described below. As a best practice to ensure customers have the
latest protections, we recommend they upgrade to the most current versions.
Through the Microsoft Active Protections Program (MAPP), partners separately
alerted us to closely related, targeted attacks. These attacks both used
malformed Word documents to ensnare their targets through carefully crafted
phishing mails intended for a very select audience. Both attacks comprised
multiple vulnerabilities including a remote code execution flaw in the
Encapsulated PostScript (EPS) filter in Office and a Windows elevation of
privilege to elevate out of sandbox protections in Office. EPS files are a
legacy format that has largely fallen out of favor in today's ecosystem. For
that reason, in April 2017, we released a defense-in-depth protection that
turned that code path off by default for all customers. Customers who installed
the cumulative update for Office last month have mitigated the attacks described
below.
A Word EPS + Windows Elevation of Privilege (EoP) (CVE-2017-0261 +
CVE-2017-0001)
This attack was reported to us in late March; however, customers were already
protected by the March updates. Today, to fully address the EPS vulnerability
and further protect the small number of customers who may choose to continue
using the EPS filter, we released an update to address the Encapsulated
PostScript vulnerability.
In terms of activity, we've seen a limited number of targeted attempts to use
this method, which is no longer valid.
A Word EPS + Windows EoP (CVE-2017-0262 + CVE-2017-0263)
Microsoft detected this attack in mid-April; however, customers were already
protected by the April defense-in-depth update (noted above) that broke the
attack chain by turning off the EPS filter by default. Today, we are releasing
further updates to address the underlying filter vulnerability and the elevation
of privilege vulnerability in this attack.
In terms of activity, we've seen a limited number of attempts to use this
method, which is no longer valid.
These updates highlight the benefit of keeping current to protect against
emerging malware. For consumers, Windows 10 protects customers by default,
automatically deploying updates. For enterprises, utilize the guidance we
publish each month with the exploitability index to help prioritize your
evaluation of the updates. Additionally, using up-to-date anti-malware software
like those from partners in the Microsoft Active Protections Program will help
protect you from the cycle of attackers looking to quickly utilize addressed
vulnerabilities.
We have long supported coordinated vulnerability disclosure as the most
effective means to ensure customers and the computing ecosystem remain
protected, and we work closely with security researchers worldwide who privately
report concerns to us at secure@microsoft.com. When a potential vulnerability is
reported to Microsoft, either from an internal or external source, the Microsoft
Security Response Center (MSRC) kicks off an immediate and thorough
investigation. We follow an extensive process involving thorough investigation,
update development for all versions of affected products, and testing for
compatibility among other operating systems and related applications.
Ultimately, developing a security update is a delicate balance between
timeliness and best quality. Our goal is to help ensure maximized customer
protection, with minimized customer disruption.
More information about this month's security updates can be found on the
Security Update Guide.
MSRC Team
Related links:
CVE-2017-0261, CVE-2017-0262 and CVE-2017-0263.
Enterprise customers can check here to see if they have the latest Office 365
updates.
link : http://tinyurl.com/mo27pjs
note from poster : I didn't put in the link for a few spots