Microsoft plugs zero-days exploited by cyber spies

RCEs rectified.

Microsoft's May set of Windows updates closes four zero-day vulnerabilities that were being exploited by hackers believed to be Russian spies.

Security vendor FireEye said it had identified three zero-days being exploited through Microsoft Office products.

Among these were two vulnerabilities in how the productivity suite handled Encapsulated PostScript (EPS) files, and a flaw in the Windows operating system's graphics device interface (GDI).

These were exploited in the wild by the Turla and APT28 groups to drop malware, in a chained attack that also used a fourth zero-day to elevate the malicious code's privileges and gain full system access.

Microsoft also patched a memory corruption bug in Internet Explorer that could be abused to execute code remotely on target systems. The vulnerability was exploited in the wild, Microsoft said, and affected all currently supported versions of Windows and Windows Server.

FireEye said Turla and APT28 are "Russian cyber espionage groups that have used these zero-days against European diplomatic and military entities".

APT28 is believed to have been behind the hack on the United States Democratic National Committee ahead of the country's presidential election, which saw a large number of confidential emails leaked and sparked calls for an official investigation into Russian meddling in American politics.

The group is also known as Fancy Bear and Pawn Storm, and is believed to have hacked the World Anti-Doping Agency and released confidential information on US athletes after their Russian counterparts were accused of taking performance-enhancing drugs for sporting events.

Turla has been active over the past few years, with security vendor Kaspersky linking the group to the Russian government.

The two groups attacked victims via specially crafted Office documents that carried the malicious EPS content.

A third, unidentified and financially motivated group also used the same exploits to attack banks in the Middle East.
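As an added triage check, not code from the article, FireEye or Microsoft: the Python script below opens an Office Open XML document (.docx, .xlsx, .pptx, all zip containers) and flags any part that carries EPS content, either by its extension or by the standard EPS magic bytes, so that an EPS renamed to look like an ordinary image is still caught. The sample documents are constructed in memory, and the heuristics, function names and thresholds are this example's own assumptions.

```python
"""Flag Office Open XML documents that embed Encapsulated PostScript.

Added example; the detection heuristics are this example's own, and the
sample documents below are constructed in memory so it runs offline.
"""
import io
import struct
import zipfile

# Standard EPS signatures: "%!PS-Adobe" opens a text EPS; a DOS/binary EPS
# starts with the 32-bit value 0xC6D3D0C5 stored little-endian (C5 D0 D3 C6),
# followed by a 30-byte header and then the PostScript section.
EPS_TEXT_MAGIC = b"%!PS-Adobe"
EPS_BINARY_MAGIC = struct.pack("<I", 0xC6D3D0C5)
HEADER_BYTES = 64  # enough to see both magics; bounds decompression of each part


def part_is_eps(name: str, head: bytes) -> bool:
    """True if a zip part looks like EPS by extension or by its leading bytes."""
    if name.lower().endswith((".eps", ".ps")):
        return True
    return head.startswith(EPS_BINARY_MAGIC) or EPS_TEXT_MAGIC in head[:HEADER_BYTES]


def find_eps_parts(doc: bytes) -> list:
    """Return the names of parts inside an OOXML document that look like EPS.

    Only the first HEADER_BYTES of each part are decompressed, so a zip bomb
    inside the document cannot blow up memory during triage. Legacy binary
    Office formats (.doc/.xls) are OLE compound files, not zips, and need a
    different parser; they are rejected rather than silently passed.
    """
    if not zipfile.is_zipfile(io.BytesIO(doc)):
        raise ValueError("not an OOXML (zip) container; legacy OLE formats need an OLE parser")
    found = []
    with zipfile.ZipFile(io.BytesIO(doc)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as part:
                head = part.read(HEADER_BYTES)
            if part_is_eps(info.filename, head):
                found.append(info.filename)
    return found


def build_sample(media: dict) -> bytes:
    """Construct a minimal OOXML-like zip in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        for name, data in media.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a benign PNG, a text EPS renamed to .png to dodge
# extension filters, and a binary EPS with its 30-byte preview header.
BENIGN_DOC = build_sample({"word/media/image1.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 16})
RENAMED_EPS_DOC = build_sample(
    {"word/media/image1.png": b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n"}
)
BINARY_EPS_DOC = build_sample(
    {"word/media/image2.eps": EPS_BINARY_MAGIC + b"\0" * 26 + b"%!PS-Adobe-3.0 EPSF-3.0\n"}
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOC), ("renamed", RENAMED_EPS_DOC), ("binary", BINARY_EPS_DOC)):
        print(label, find_eps_parts(doc))
```

Run it over a mail-gateway quarantine or a sample share; any hit is not proof of exploitation, but a document that ships EPS at all is rare enough in most environments to justify detonating it in a sandbox before it reaches a user.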

Microsoft also addressed four remotely exploitable vulnerabilities in its Server Message Block version 1 (SMBv1) file-sharing protocol with the latest set of patches.
