This information is intended for U-M IT staff who are responsible for university computers that run any of the Microsoft products listed below, which include Microsoft Office, Internet Explorer, Edge, Windows, Server, and more. It is also intended for those who manage their own machines with any of the affected Microsoft products on them. It was sent via email to U-M IT staff groups on April 12, 2017.
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution. Updates to address these vulnerabilities are available from Microsoft. These updates should be applied immediately after appropriate testing. The highest priority update is the one for Microsoft Office, which addresses a vulnerability currently being exploited in the wild.
Vulnerabilities were found across multiple Microsoft products. Successful exploitation of the most severe of these could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with that user, an attacker could then install programs; view, change, or delete data; or create new accounts. The vulnerability in Microsoft Office is being actively exploited.
- Microsoft Edge
- Microsoft Internet Explorer 9, 10, and 11
- Microsoft .NET Framework
- Microsoft Office 2007, 2010, 2013, and 2016
- Microsoft Windows: Vista, 7, 8.1, RT 8.1, and 10
- Microsoft Windows Server: 2008, 2008 R2, 2012, 2012 R2, and 2016
- Microsoft Windows Server Core Installations: 2008, 2008 R2, 2012, 2012 R2, and 2016
- Microsoft Silverlight 5 for Windows and Microsoft Silverlight 5 Developer Runtime for Windows
- Visual Studio for Mac
Apply updates provided by Microsoft to vulnerable systems immediately after appropriate testing. Prioritize the update for Microsoft Office, because it addresses a vulnerability that is being actively exploited. See Microsoft's links to updates at Security Update Guide (Microsoft Security TechCenter).
There are reports of a remote code execution vulnerability (CVE-2017-0199) being exploited in the wild. The vulnerability lies in the way Microsoft Office and WordPad parse specially crafted files. Exploitation requires that a user open or preview a specially crafted file with an affected version of Microsoft Office or WordPad.
FireEye recently detected malicious Microsoft Office RTF documents that leverage CVE-2017-0199, a previously undisclosed vulnerability. This vulnerability allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a document containing an embedded exploit. FireEye has observed Office documents exploiting CVE-2017-0199 that download and execute malware payloads from different well-known malware families.
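The two paragraphs above describe the attack as a crafted RTF document that, when opened or previewed, causes Office to fetch and run a remote script. A defender triaging mail attachments before the Office patch is deployed can flag RTF files that carry an embedded OLE object marked for automatic update or whose object data contains a URL, since a legitimate document rarely needs either. The script below is an added example written for this page, not code from U-M, Microsoft, or FireEye; the control words it looks for (`\object`, `\objautlink`, `\objupdate`, `\objemb`, `\objdata`) are standard RTF syntax, but treating their combination as suspicious is this example's own heuristic, and the two sample documents are constructed placeholders, not real malware.

```python
import binascii
import re
from typing import Dict, List

# Heuristic (this example's own assumption): an RTF whose embedded OLE object
# is flagged to update automatically, or whose object data carries a URL, is
# worth quarantining for analyst review rather than delivering to the user.
OLE_UPDATE_WORDS = (b"\\objupdate", b"\\objautlink", b"\\objemb")

# \objdata is followed by a run of hex digits (whitespace allowed) holding the
# serialized OLE object; require at least 16 hex chars to skip empty stubs.
HEX_RUN = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]{16,})")


def decode_objdata(rtf: bytes) -> List[bytes]:
    """Return the decoded bytes of every \\objdata hex run in the document."""
    blobs = []
    for match in HEX_RUN.finditer(rtf):
        hexstr = re.sub(rb"\s", b"", match.group(1))
        if len(hexstr) % 2:          # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        blobs.append(binascii.unhexlify(hexstr))
    return blobs


def triage_rtf(rtf: bytes) -> Dict[str, bool]:
    """Score one attachment; 'suspicious' is the field a mail filter would act on."""
    findings = {
        "is_rtf": rtf.lstrip().startswith(b"{\\rtf"),
        "has_object": b"\\object" in rtf,
        "auto_update_object": any(word in rtf for word in OLE_UPDATE_WORDS),
        "url_in_objdata": False,
    }
    wide_http = "http".encode("utf-16-le")   # OLE monikers often store wide strings
    for blob in decode_objdata(rtf):
        low = blob.lower()
        if b"http" in low or wide_http in low:
            findings["url_in_objdata"] = True
    findings["suspicious"] = (
        findings["is_rtf"]
        and findings["has_object"]
        and (findings["auto_update_object"] or findings["url_in_objdata"])
    )
    return findings


# Constructed samples (not real files): a plain RTF and one carrying an
# auto-updating OLE object whose data embeds a placeholder URL.
BENIGN_SAMPLE = b"{\\rtf1 Quarterly notes: nothing embedded here.}"
SUSPICIOUS_SAMPLE = (
    b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objdata "
    + binascii.hexlify(b"constructed placeholder http://example.invalid/")
    + b"}}}"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(name, triage_rtf(sample))
```

The check is deliberately conservative: it reports only on documents that are RTF, contain an object, and show one of the two update or URL signals, so ordinary embedded spreadsheets without remote links pass. It does not decide whether a file exploits CVE-2017-0199; it only selects attachments for analyst review or sandbox detonation while patches roll out.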
MiWorkspace machines will be patched as soon as possible. If you have Microsoft Office, Microsoft Windows, or any of the other products listed in this alert installed on your own devices that are not managed by the university, please check for available updates and install them immediately. We recommend that you set your software to update automatically whenever possible.
In general, the best protection for your devices is this: keep your software and apps up to date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Use a Secure Internet Connection on the U-M Safe Computing website.
- CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler (FireEye, 4/12/17)
- Security Update Guide (Microsoft Security TechCenter)
- Release Notes: April 2017 Security Updates (Microsoft Security TechCenter, 4/11/17)
- Microsoft Security Updates April 2017 release (ghacks.net, 4/11/17)
- Critical Word 0-day is only 1 of 3 Microsoft bugs under attack (Ars Technica 4/11/17)
- Microsoft Word 0-day used to push dangerous Dridex malware on millions (Ars Technica 4/11/17)
- Booby-trapped Word documents in the wild exploit critical Microsoft 0-day (Ars Technica 4/8/17; updated 4/10)