Microsoft Patch Tuesday fixes two zero days, third one gets temporary fix

Posted on Wednesday, Apr 12 2017 @ 13:11 CEST by Thomas De Maesschalck
This month's Patch Tuesday security update from Microsoft features 15 updates for software like the Windows operating system, Exchange, Office, and Adobe's Flash. Worth mentioning is that this month's rollout includes updates for three vulnerabilities that are exploited in the wild.

As reported by Ars Technica, this includes a Word vulnerability that allowed attackers to infect up-to-date Windows 10 systems with malware. All that was required was the opening of an infected Word file. The second vulnerability that's exploited in the wild involves Internet Explorer: it's an elevation-of-privilege bug that allows attackers to access sensitive information from one domain and inject it into another address.

There's also a third zero-day vulnerability that targets a flaw in the Encapsulated PostScript (EPS) filter of Office. Microsoft did not have a patch available in time for this month's Patch Tuesday cycle but decided to roll out a workaround that disables EPS by default:
The third zero-day also resides in Office 2016, 2013, and 2010 and isn't actually being patched in Tuesday's update batch. According to guidance for the flaw: "Microsoft is aware of limited targeted attacks that could leverage an unpatched vulnerability in the [Encapsulated PostScript] filter and is taking this action to help reduce customer risk until the security update is released." The flaw is exploited when a target opens a malicious EPS image in Word.
