Microsoft May Patch Tuesday faces down three zero-day exploits, but is it too little, too late?

Russian hackers swarm all over bugs as company plugs gaps long after the event

Microsoft's May Patch Tuesday release is seeking to plug three zero-day vulnerabilities in Office suite and Windows itself, two of which are already known to be exploited by threat actors APT28 and Turl, as well as another unknown criminal group.

Two of the exploits - namely CVE-2017-0261 and CVE-2017-0262 - are remote code execution (RCE) bugs that our effective in Microsoft Office 2010, 2013 and 2016, while CVE-2017-0263 is an escalation of privilege vulnerability that can affect all versions of Windows.

It seems the RCE exploits can be triggered simply an end user viewing a specially-coded image file in a Microsoft Office application, while the privilege escalation bug, which again,Windows kernel mode driver failing to properly handle an object.

This can then lead to an attacker being able to take control of a device fully, easily installing spyware or using the machine for otherwise illegal means.

Security experts at FireEye have published a blog in which they say they believe Russian cyber espionage group Turla, as well as another, unknown "financially motivated actor" were utilising the first Office exploit, while APT28 - another Russian group - were using the second.

"Turla and APT28 are Russian cyber espionage groups that have used these zero-days against European diplomatic and military entities," said FireEye.

"The unidentified financial group targeted regional and global banks with offices in the Middle East. The following is a description of the EPS zero-days, associated malware, and the new EOP zero-day. Each EPS zero-day is accompanied by an EOP exploit, with the EOP being required to escape the sandbox that executes the FLTLDR.EXE instance used for EPS processing."

Other flaws - less severe, but still potentially colossal - include another remote execution bug in CVE-2017-0290. This one can force Microsoft's built-in antivirus software to execute malicious code in specially designed files while scanning them.

A total of nine RCE bugs in IE and Edge will also be addressed.

Microsoft's security guidance documentation on all the new fixes can be found at the Microsoft Security TechCenter. Good luck out there.

With Microsoft seemingly in a situation where its ‘reacting' to problems already well-known and capitalised upon in the wild, it can only be hoped that the company begins to actually plug flaws before they're known - or better yet, released - rather than playing catch-up to this rather alarming degree on Patch Tuesdays.