Coming together to address Encapsulated PostScript (EPS) attacks
Today’s security updates include three updates that exemplify how the security ecosystem can come together to help protect consumers and enterprises. We would like to thank FireEye and ESET for working with us.
Customers that have the latest security updates installed are protected against the attacks described below. As a best practice to ensure customers have the latest protections, we recommend they upgrade to the most current versions.
Through the Microsoft Active Protections Program (MAPP), partners separately alerted us to closely related, targeted attacks. These attacks both used malformed Word documents to ensnare their targets through carefully crafted phishing mails intended for a very select audience. Both attacks were comprised of multiple vulnerabilities including a remote code execution flaw in the Encapsulated PostScript (EPS) filter in Office and a Windows elevation of privilege to elevate out of sandbox protections in Office. EPS files are a legacy format that has largely fallen out of favor in today’s ecosystem. For that reason, in April 2017, we released a defense-in-depth protection that turned that code path off by default for all customers. Customers who installed the cumulative update for Office last month have mitigated the attacks described below.
- A Word EPS + Windows Elevation of Privilege (EoP) (CVE-2017-0261 + CVE-2017-0001)
This attack was reported to us in late March; however, customers were already protected by the March updates. Today, to fully address the EPS vulnerability and further protect the small number of customers who may choose to continue using the EPS filter, we released an update to address the Encapsulated PostScript vulnerability.
In terms of activity, we’ve seen a limited number of targeted attempts to use this method, which is no longer valid.
- A Word EPS + Windows EoP (CVE-2017-0262 + CVE-2017-0263)
Microsoft detected this attack in mid-April; however, customers were already protected by the April defense-in-depth update (noted above) that broke the attack chain by turning off the EPS filter by default. Today, we are releasing further updates to address the underlying filter vulnerability and the elevation of privilege vulnerability in this attack.
In terms of activity, we’ve seen a limited number of attempts to use this method, which is no longer valid.
These updates highlight the benefit of keeping current to protect against emerging malware. For consumers, Windows 10 protects customers by default, automatically deploying updates. For enterprises, utilize the guidance we publish each month with the exploitability index to help prioritize your evaluation of the updates. Additionally, using up-to-date anti-malware software like those from partners in the Microsoft Active Protections Program will help protect you from the cycle of attackers looking to quickly utilize addressed vulnerabilities.
We have long supported coordinated vulnerability disclosure as the most effective means to ensure customers and the computing ecosystem remains protected, and we work closely with security researchers worldwide who privately report concerns to us at [email protected]. When a potential vulnerability is reported to Microsoft, either from an internal or external source, the Microsoft Security Response Center (MSRC) kicks off an immediate and thorough investigation. We follow an extensive process involving thorough investigation, update development for all versions of affected products, and testing for compatibility among other operating systems and related applications. Ultimately, developing a security update is a delicate balance between timeliness and best quality. Our goal is to help ensure maximized customer protection, with minimized customer disruption.
More information about this month’s security updates can be found on the Security Update Guide.
MSRC Team
Related links:
CVE-2017-0261, CVE-2017-0262 and CVE-2017-0263.
Enterprise customers can check here to see if they have the latest Office 365 updates.
Source: Coming together to address Encapsulated PostScript (EPS) attacks
Leave a Reply