Microsoft's May 2017 Patch Tuesday, released yesterday, included fixes for three zero-days, which according to ESET and FireEye, were used by cyber-espionage groups operating out of Russia.

The three zero-days are CVE-2017-0261, CVE-2017-0262, and CVE-2017-0263.

First zero-day: CVE-2017-0261

The first of these, CVE-2017-0261, affects the Office suite and allows attackers to execute code on the victims' machines via a vulnerability in the Office EPS (Encapsulated PostScript) feature.

Attacks using this zero-day were seen sparingly in March, coupled with CVE-2017-0001, an elevation of privilege vulnerability, which allowed attackers to escalate their exploit's reach.

US cyber-security firm FireEye says a cyber-espionage group known as Turla (Waterbug, KRYPTON, or Venomous Bear) was seen using this zero-day to deliver a JavaScript-based malware named Shirime.

Microsoft knew of this issue since March but wasn't able to deliver a patch at the time. Instead, the company turned off the EPS filter in Office, which prevented the bug from being exploited in up-to-date systems. With yesterday's release, the zero-day's cause has been fixed.

Besides Turla, FireEye said a financially motivated actor was also seen using this zero-day but didn't release any other details about the attacker.

Second and third zero-days: CVE-2017-0262 & CVE-2017-0263

The second and third zero-days Microsoft patched were used together. These are CVE-2017-0262, a remote code execution vulnerability in Microsoft Word, and CVE-2017-0263, a local privilege escalation in the Windows OS.

These two bugs were used by the cyber-espionage group known as APT28 (Fancy Bear, Sofacy, Sednit, Tsar Team, Pawn Storm, or Strontium). This group is infamous, being suspected of hacking the DNC (Democratic National Committee), NATO, and the German Bundestag.

According to reports from ESET and FireEye, the group used these two zero-days to infect members of the Macron campaign in the recently concluded French presidential election.

The group used spear-phishing emails with a document attached, named "Trump’s_Attack_on_Syria_English.docx." This document delivered exploits for the two zero-days, which would be used to install malware specific to the APT28 group, named Seduploader. This malware would then be used to download more potent malware that could steal data from infected systems or move to other computers on the same network.

These attacks happened in mid-April. Because CVE-2017-0262 also used a vulnerability in EPS, users who already installed the Microsoft March security updates were protected. Nonetheless, attacks on older systems would have been successful.

A report from Trend Micro's Zero-Day Initiative group, also highlights that Microsoft patched four vulnerabilities that were publicly known, but not necessarily exploited. These are CVE-2017-0229 (Edge), CVE-2017-0064 (Internet Explorer), CVE-2017-0231 (Edge & IE), and CVE-2017-0241 (Edge).