Microsoft has today published patches for more than 50 security flaws in its products – including three serious holes being exploited right now in the wild. These updates should be applied as soon as possible.
The May edition of Patch Tuesday addresses blunders in Internet Explorer, Edge, Windows, Office, and the .NET Framework. In total, 55 bugs have been squashed, including 17 that have been rated as critical security risks.
Of the three bad bugs being actively exploited in the wild, two can be used to achieve remote code execution: CVE-2017-0222 in Internet Explorer 10 and 11, and CVE-2017-0261 in Microsoft Office 2010, 2013 and 2016. The third is an elevation of privilege bug, CVE-2017-0263, in all supported versions of Windows.
Basically, when a vulnerable installation of Office opens a booby-trapped EPS document, it can end up executing code within the file, and this code can use the privilege escalation hole to gain full control over the machine – essentially allowing emailed and downloaded documents to hijack computers and install spyware and other nasties, if victims are tricked into opening them.
FireEye has published technical details on the bug, and claims that multiple hackers are all over this programming cockup, right here.
Similarly, with the IE vulnerability, opening an evil webpage can trigger remote code execution.
Among the other critical flaws fixed this month is CVE-2017-0290, a terrible remote execution bug in Microsoft's antivirus engine that is enabled by default on modern Windows systems. When the tool scans specially crafted files delivered as downloads or message attachments, it can be tricked into running malicious code hidden within that data. From there, the attacker would, ironically, be able to take control of the target machine and install malware payloads via Redmond's knackered anti-malware defenses.
As per usual, both Edge and Internet Explorer will receive critical updates this month, including remedies for the following remote code execution bugs: CVE-2017-0221, CVE-2017-0229, CVE-2017-0224, CVE-2017-0227, CVE-2017-0228, CVE-2017-0235, CVE-2017-0236, CVE-2017-0240, and CVE-2017-0266. Visiting a malicious webpage exploiting these bugs with a vulnerable copy of Edge or IE will hand over control of your computer to miscreants.
In addition to the exploited CVE-2017-0261 flaw, Office 2007 to 2016 has received patches for remote code execution holes in CVE-2017-0281, CVE-2017-0265, CVE-2017-0264 and CVE-2017-0262, all of which are triggered by opening a malformed file.
Also labeled as critical were four remote code execution flaws (CVE-2017-0272, CVE-2017-0279, CVE-2017-0278, and CVE-2017-0277) in Windows SMB services on Windows 7 through 10 and Windows Server 2008 through 2016. These bugs have not been exploited nor their details publicly exposed. These all involve SMBv1, which you shouldn't be using anyway – it's crap and old.
The .NET Framework will get an update for a security bypass flaw (CVE-2017-0248) allowing an attacker to pass off invalid certificates as genuine.
The Zero Day Initiative has a handy chart of today's Redmond security bug fixes.
Meanwhile, lest you think Microsoft is being singled out, noted malware enabler Adobe Flash Player has also been given a fresh set of patches to address seven CVE-listed vulnerabilities in the Windows, macOS, and Linux versions of the internet's screen door. Google Chrome, Microsoft Edge, and Internet Explorer 11 (on Windows 8.1 and Windows 10) will all get the fixes automatically.
In addition, Adobe patched an important (but way less exciting) information disclosure flaw in Experience Manager Forms for Windows, Linux, Solaris, and AIX. ®