According to Microsoft, the updates resolve flaws affecting Edge, Internet Explorer, Windows, Office, Visual Studio for Mac, .NET Framework, Silverlight and Adobe Flash Player components.
One of the zero-days patched by Microsoft this month is CVE-2017-0199, an Office and WordPad vulnerability that can be exploited for remote code execution. The security hole has been exploited in the wild by malicious actors to deliver various pieces of malware, including Dridex, WingBird, Latentbot and Godzilla.
Another vulnerability that has been actively exploited is CVE-2017-0210, a privilege escalation weakness affecting Internet Explorer. Microsoft said the flaw exists due to the lack of proper enforcement of cross-domain policies, and it can be exploited by tricking the targeted user into accessing a specially crafted web page. However, the company has not shared any information about the attacks in which it has been exploited.
The third zero-day, an Office flaw which Microsoft says has been exploited in limited targeted attacks, has not been patched with this month’s updates. However, the company has released a mitigation that should help reduce the risk of exploitation until a patch is made available.
The issue, tracked by Microsoft with the identifier 2017-2605 (no CVE), is related to the Encapsulated PostScript (EPS) Filter in Office. The company’s mitigation turns off the EPS filter by default.

The list of critical flaws addressed on Tuesday also includes 13 bugs affecting Internet Explorer, Edge, .NET, Office and Hyper-V.
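Because the unpatched Office issue above is tied to the EPS filter, a defender who has applied Microsoft's mitigation may still want to know which inbound Office Open XML documents carry EPS content at all, for triage or mail-gateway policy. The scanner below is an added example written for this article, not code from Microsoft or from the article; it assumes only the standard EPS signatures (the `%!PS-Adobe` text header and the DOS EPS binary header `C5 D0 D3 C6`) and builds a constructed, minimal OOXML-style container inline so it runs offline. It sniffs part contents rather than trusting file extensions, so a renamed EPS part is still flagged.

```python
import io
import zipfile

# Assumed EPS signatures (standard format headers, not taken from the article):
# text EPS begins with a "%!PS-Adobe" comment line; DOS EPS binary files
# begin with the magic bytes C5 D0 D3 C6 followed by a section table.
EPS_TEXT_MAGIC = b"%!PS-Adobe"
DOS_EPS_MAGIC = b"\xc5\xd0\xd3\xc6"


def is_eps_payload(data: bytes) -> bool:
    """Return True if the raw bytes look like an EPS (text or DOS binary) file."""
    head = data[:64].lstrip()
    return head.startswith(EPS_TEXT_MAGIC) or data.startswith(DOS_EPS_MAGIC)


def find_embedded_eps(doc_bytes: bytes) -> list:
    """List the parts of an OOXML container (docx/xlsx/pptx) that carry EPS content.

    Both the part name (".eps" extension) and the part contents are checked,
    so a renamed EPS part inside word/media/ is still reported.
    Returns an empty list for non-zip input rather than raising.
    """
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                data = zf.read(info.filename)
                if info.filename.lower().endswith(".eps") or is_eps_payload(data):
                    hits.append(info.filename)
    except zipfile.BadZipFile:
        return []
    return hits


def build_sample_docx(with_eps: bool) -> bytes:
    """Constructed, minimal OOXML-like container used only to exercise the scanner.

    When with_eps is True, an EPS payload is stored under a misleading
    ".bin" name to show that content sniffing, not the extension, finds it.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image0.png", b"\x89PNG\r\n\x1a\n")
        if with_eps:
            zf.writestr(
                "word/media/image1.bin",
                b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n",
            )
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_docx(False)),
                          ("with-eps", build_sample_docx(True))):
        found = find_embedded_eps(sample)
        verdict = "EPS parts: %s" % found if found else "no EPS content"
        print("%-9s %s" % (label, verdict))
```

In a mail gateway or sandbox pipeline the `find_embedded_eps` result would feed a quarantine or alert rule; the function deliberately returns part names so the analyst can extract the exact object for inspection. It does not cover legacy binary formats (.doc/.xls compound files), where EPS would sit inside OLE streams rather than zip parts.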