Microsoft’s security updates for April 2017 address more than 40 vulnerabilities ranging from critical, important and moderate severity levels. The patches include three zero-day flaws that have been exploited in the wild.
According to Microsoft, these updates resolve flaws affecting Edge, Internet Explorer, Windows, Office, Visual Studio for Mac, .NET Framework, Silverlight and Adobe Flash Player components – so there is a high degree of chance that your windows machine is affected, almost 100% chance!
One of these zero-days patched by Microsoft this month is CVE-2017-0199, an Office and WordPad vulnerability that can be exploited for remote code execution (RCE) – the highlest level of security flaw. The security hole has been exploited in the wild by malicious actors to deliver various pieces of malware, including Dridex, WingBird, Latentbot and Godzilla.
Another vulnerability that has been actively exploited is CVE-2017-0210, a privilege escalation weakness affecting Internet Explorer. Microsoft stated that the flaw exists due to the lack of proper enforcement of cross-domain policies, and it can be exploited by tricking the targeted user into accessing a specially crafted web page. They have not shared information about the attacks where this vulnerability was exploited.
The 3rd zero-day is an Office flaw which Microsoft says has been exploited in limited targeted attacks, has not been fully patched with this set of updates. They have released a mitigation that should help reduce the risk of exploitation until a full patch is available.
The issue, tracked by Microsoft with the identifier 2017-2605 (no CVE), is related to the Encapsulated PostScript (EPS) Filter in Office. The company’s mitigation turns off the EPS filter by default.
The list of critical flaws addressed on Tuesday also includes 13 bugs affecting Internet Explorer, Edge, .NET, Office and Hyper-V.
Microsoft has been transitioning from security bulletins to a database called Security Update Guide. The transition is now been complete – no security bulletins have been published this month. The change from bulletins to Security Update Guide has met with mixed feedback, some users preferring the old bulletins, while others like the new method.
This is the last round of security updates for Windows Vista, which has reached end of support.