CVE-2017-0261 — Microsoft Office Use-After-Free Vulnerability

CVE-2017-0261

Microsoft Office — EPS Filter UAF Zero-Day Exploited by Turla Before the May 2017 Patch; Companion EPS Bug CVE-2017-0262 Chained by APT28 with Win32k LPE CVE-2017-0263 for Sandbox Escape

What Is the Office EPS Filter?

Encapsulated PostScript (EPS) is a PostScript-based graphics format: an EPS file is a PostScript program that draws a single image, and in the common DOS EPS binary layout it travels together with a low-resolution WMF or TIFF preview so that applications can show a placeholder without a PostScript interpreter. When an EPS picture is inserted into a Word or Excel document, Office imports it through its EPS graphics import filter (epsimp32.flt), which has to interpret the PostScript program to produce the picture. PostScript is a full Turing-complete programming language, so EPS parsing is inherently complex and has been a rich source of memory corruption vulnerabilities. The filter is loaded into the Office process itself, so code execution through an EPS bug runs directly in Office's security context, typically as the logged-in user.
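To make the format concrete, here is an added example (written for this page, not Microsoft's filter code) that parses the DOS EPS binary container and isolates the PostScript program with the bounds checks a safe import filter needs. The 30-byte header layout (magic C5 D0 D3 C6, then little-endian offset/length pairs for the PostScript, WMF-preview and TIFF-preview sections, then a 16-bit checksum) is from the Adobe EPS specification; the function names, the sample program and the stand-in WMF preview bytes are constructed for the demo, and the operator counter at the end is a triage heuristic, not a detection rule.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Microsoft's filter code. Locates the PostScript program
 * inside an EPS blob before any interpreter sees it. Handles plain ASCII EPS
 * ("%!PS-Adobe-" header) and the DOS EPS binary container: a 30-byte
 * little-endian header starting C5 D0 D3 C6, (offset, length) pairs for the
 * PostScript, WMF preview and TIFF preview sections, and a checksum
 * (0xFFFF = none). Every section is bounds-checked. Sample data is constructed. */

enum { EPS_NOT_EPS = 0, EPS_ASCII = 1, EPS_DOS_BINARY = 2, EPS_MALFORMED = -1 };

#define DOSEPS_HDR 30

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32le(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* A section must lie after the header and inside the buffer; 64-bit
 * arithmetic keeps offset + length from wrapping around. */
static int section_ok(uint32_t off, uint32_t len, size_t total) {
    if (len == 0) return 1;                       /* absent section */
    return off >= DOSEPS_HDR && (uint64_t)off + len <= (uint64_t)total;
}

/* Sets *ps/*ps_len to the PostScript bytes and returns the container kind. */
int eps_locate_postscript(const uint8_t *buf, size_t len,
                          const uint8_t **ps, size_t *ps_len) {
    if (len >= 11 && memcmp(buf, "%!PS-Adobe-", 11) == 0) {
        *ps = buf; *ps_len = len;
        return EPS_ASCII;
    }
    if (len < DOSEPS_HDR || buf[0] != 0xC5 || buf[1] != 0xD0 ||
        buf[2] != 0xD3 || buf[3] != 0xC6)
        return EPS_NOT_EPS;
    uint32_t ps_off = rd32le(buf + 4),  ps_n  = rd32le(buf + 8);
    uint32_t wmf_off = rd32le(buf + 12), wmf_n = rd32le(buf + 16);
    uint32_t tif_off = rd32le(buf + 20), tif_n = rd32le(buf + 24);
    if (ps_n == 0 || !section_ok(ps_off, ps_n, len) ||
        !section_ok(wmf_off, wmf_n, len) || !section_ok(tif_off, tif_n, len))
        return EPS_MALFORMED;                     /* header points outside the blob */
    *ps = buf + ps_off; *ps_len = ps_n;
    return EPS_DOS_BINARY;
}

/* Counts whole-token occurrences of a PostScript operator (e.g. "restore")
 * in the located program: a cheap triage signal, not a verdict. */
size_t eps_count_operator(const uint8_t *ps, size_t n, const char *op) {
    size_t k = strlen(op), hits = 0;
    for (size_t i = 0; i + k <= n; i++) {
        int left_ok  = i == 0 || !isalnum(ps[i - 1]);
        int right_ok = i + k == n || !isalnum(ps[i + k]);
        if (left_ok && right_ok && memcmp(ps + i, op, k) == 0) hits++;
    }
    return hits;
}

/* Constructed sample program: a save/restore pair around a string copy. */
static const char SAMPLE_PS[] =
    "%!PS-Adobe-3.0 EPSF-3.0\n"
    "/s save def\n"
    "(payload) dup length string copy\n"
    "s restore\n"
    "showpage\n";

/* Builds a DOS EPS blob: header, an 8-byte stand-in WMF preview (placeable
 * WMF magic), then the program. corrupt_length=1 writes an oversize
 * PostScript length, the kind of header field a naive parser would trust. */
size_t build_sample_doseps(uint8_t *out, size_t cap, int corrupt_length) {
    static const uint8_t fake_wmf[8] = { 0xD7, 0xCD, 0xC6, 0x9A, 0, 0, 0, 0 };
    size_t ps_n = sizeof SAMPLE_PS - 1;
    size_t total = DOSEPS_HDR + sizeof fake_wmf + ps_n;
    if (cap < total) return 0;
    memset(out, 0, DOSEPS_HDR);
    out[0] = 0xC5; out[1] = 0xD0; out[2] = 0xD3; out[3] = 0xC6;
    wr32le(out + 4, (uint32_t)(DOSEPS_HDR + sizeof fake_wmf));       /* PS offset */
    wr32le(out + 8, corrupt_length ? 0xFFFFFFF0u : (uint32_t)ps_n);   /* PS length */
    wr32le(out + 12, DOSEPS_HDR);                                     /* WMF offset */
    wr32le(out + 16, (uint32_t)sizeof fake_wmf);                      /* WMF length */
    out[28] = 0xFF; out[29] = 0xFF;                                   /* no checksum */
    memcpy(out + DOSEPS_HDR, fake_wmf, sizeof fake_wmf);
    memcpy(out + DOSEPS_HDR + sizeof fake_wmf, SAMPLE_PS, ps_n);
    return total;
}

int main(void) {
    uint8_t blob[256];
    const uint8_t *ps; size_t n;
    size_t total = build_sample_doseps(blob, sizeof blob, 0);
    int kind = eps_locate_postscript(blob, total, &ps, &n);
    printf("kind=%d ps_len=%zu restore=%zu\n", kind, n,
           kind > 0 ? eps_count_operator(ps, n, "restore") : (size_t)0);
    total = build_sample_doseps(blob, sizeof blob, 1);
    printf("corrupt header -> kind=%d\n", eps_locate_postscript(blob, total, &ps, &n));
    return 0;
}
```

The malformed case is the point: an oversize PostScript length is exactly the header field an import filter must never trust, and the check does its arithmetic in 64 bits so offset + length cannot wrap back inside the buffer. Once the program is isolated it can be inspected, or scanned for operators such as save/restore, without ever being interpreted.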

Overview

Actively Exploited. CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on March 3, 2022; federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-0261 is a use-after-free vulnerability in Microsoft Office's EPS (Encapsulated PostScript) filter that was exploited as a zero-day before Microsoft's May 2017 patch. The filter frees an object during PostScript processing and then continues to use the freed memory, a classic use-after-free that, combined with heap manipulation, yields code execution when a user opens a crafted Office document containing a malicious EPS image. FireEye reported the in-the-wild exploitation and attributed CVE-2017-0261 to Turla (Snake, linked to Russia's FSB) and to a second, financially motivated actor; the companion EPS zero-day CVE-2017-0262, fixed the same day, was attributed to APT28 (Fancy Bear, Russian GRU). Both EPS exploits served as the first stage of a chain ending in a Win32k privilege-escalation bug: APT28 paired CVE-2017-0262 with the then-unpatched Win32k LPE CVE-2017-0263, while the Turla CVE-2017-0261 documents used an earlier Win32k LPE that Microsoft had already patched. CISA added CVE-2017-0261 to the KEV catalog in March 2022.

Affected Versions

Product Status
Microsoft Office 2007 Vulnerable
Microsoft Office 2010 (32-bit and 64-bit) Vulnerable
Microsoft Office 2013 (32-bit and 64-bit) Vulnerable
Microsoft Office 2016 (32-bit and 64-bit) Vulnerable
All above with May 2017 security update Fixed

Technical Details

Root Cause: Use-After-Free in EPS PostScript Parser

CVE-2017-0261 is a use-after-free (CWE-416) in the Office EPS filter (epsimp32.flt). FireEye described it as a use-after-free around the PostScript `restore` operator: while processing a crafted EPS graphic, the interpreter releases objects created since the matching `save`, but a reference to one of the released objects is retained and dereferenced afterwards. The exploit grooms the heap by spraying same-sized allocations whose contents it controls, so that one of them lands in the freed slot before the stale reference is used; the filter then operates on attacker-chosen object fields, which the exploit turns into control of execution. On current Windows builds DEP and ASLR mean this is normally built up into a read/write primitive and a ROP chain rather than a direct jump to shellcode, but the outcome is the same: native code running inside the Office process.

Observed exploitation chain (EPS RCE followed by Win32k LPE):

  1. The target receives a spear-phishing email with a malicious Word document containing an embedded EPS graphic.
  2. Opening the document triggers the EPS use-after-free, which runs shellcode inside the Office process, in the user's context.
  3. The shellcode exploits a Win32k kernel use-after-free to escalate from the user to SYSTEM. In the APT28 documents (CVE-2017-0262) this stage was the zero-day CVE-2017-0263; in the Turla CVE-2017-0261 documents it was an earlier Win32k LPE that Microsoft had already patched, so a Windows host current on updates would have stopped that chain at stage 2.
  4. With SYSTEM privileges the attacker installs a backdoor, dumps credentials, or establishes persistent C2 access.
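The following is an added example, not code from Microsoft, FireEye or this page, that models the bug class in a toy PostScript-style VM: `restore` releases the objects allocated since `save`, a stale operand-stack reference survives, and the next same-sized allocation (the attacker's groom) is handed the freed slot. The hardened variant performs the check the PostScript language actually requires, raising `invalidrestore` when a live reference would be orphaned instead of freeing. The VM, operator and error names are hypothetical, and the pool uses a LIFO free list to make the reuse deterministic; the real filter's reclaimed object carries type and pointer fields rather than plain text, which is what turns this into a code-execution primitive.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Microsoft's, FireEye's or the page's code: a toy
 * PostScript-style VM reproducing the save/restore lifetime bug class and
 * its fix. Objects come from a fixed pool with a LIFO free list, so the slot
 * that `restore` releases goes straight to the next allocation, which is the
 * reuse heap grooming relies on. All names here are hypothetical. */

#define POOL_SLOTS 8
#define STACK_MAX  16
#define PAYLOAD    24

enum { OK = 0, ERR_STACK = 1, ERR_OOM = 2, ERR_INVALIDRESTORE = 3 };

typedef struct {
    uint32_t serial;         /* allocation number; 0 means the slot is free */
    char     text[PAYLOAD];  /* string object contents */
} Obj;

typedef struct {
    Obj      pool[POOL_SLOTS];
    int      free_idx[POOL_SLOTS];   /* LIFO free list of pool indices */
    int      nfree;
    Obj     *stack[STACK_MAX];       /* operand stack */
    int      sp;
    uint32_t next_serial;
    uint32_t save_mark;              /* next_serial at the most recent save */
    int      strict;                 /* 1 = hardened restore */
} VM;

static void vm_init(VM *vm, int strict) {
    memset(vm, 0, sizeof *vm);
    for (int i = POOL_SLOTS - 1; i >= 0; i--) vm->free_idx[vm->nfree++] = i;
    vm->next_serial = 1;
    vm->strict = strict;
}

static Obj *vm_alloc(VM *vm) {
    if (vm->nfree == 0) return NULL;
    Obj *o = &vm->pool[vm->free_idx[--vm->nfree]];
    o->serial = vm->next_serial++;
    return o;
}

/* Frees a slot. As on a real heap, the old bytes stay in place. */
static void vm_free(VM *vm, Obj *o) {
    o->serial = 0;
    vm->free_idx[vm->nfree++] = (int)(o - vm->pool);
}

/* `(text)`: allocate a string object and push it. */
static int op_string(VM *vm, const char *text) {
    if (vm->sp >= STACK_MAX) return ERR_STACK;
    Obj *o = vm_alloc(vm);
    if (!o) return ERR_OOM;
    snprintf(o->text, PAYLOAD, "%s", text);
    vm->stack[vm->sp++] = o;
    return OK;
}

/* `save`: remember where allocations made after this point begin. */
static void op_save(VM *vm) { vm->save_mark = vm->next_serial; }

/* `restore`: release everything allocated since the save.
 * Vulnerable mode (strict == 0) frees those objects even though the operand
 * stack may still point at them, leaving dangling pointers.
 * Hardened mode does what the PostScript language requires: if the stack
 * still references a post-save object, raise invalidrestore and free nothing. */
static int op_restore(VM *vm) {
    if (vm->strict)
        for (int i = 0; i < vm->sp; i++)
            if (vm->stack[i]->serial >= vm->save_mark) return ERR_INVALIDRESTORE;
    for (int i = 0; i < POOL_SLOTS; i++)
        if (vm->pool[i].serial >= vm->save_mark) vm_free(vm, &vm->pool[i]);
    return OK;
}

/* Attacker's sequence: save, allocate, restore without popping, groom the
 * freed slot with controlled bytes, then use the stale reference. Returns
 * the restore status and copies what the stale reference reads into `seen`. */
int run_scenario(int strict, char seen[PAYLOAD]) {
    VM vm;
    vm_init(&vm, strict);
    op_save(&vm);
    op_string(&vm, "victim");                  /* allocated after the save */
    int rc = op_restore(&vm);                  /* vulnerable: frees it, stack[0] dangles */
    op_string(&vm, "ATTACKER-CONTROLLED");     /* groom: LIFO reuse returns the same slot */
    snprintf(seen, PAYLOAD, "%s", vm.stack[0]->text);   /* stale reference dereferenced */
    return rc;
}

int main(void) {
    char seen[PAYLOAD];
    int rc = run_scenario(0, seen);
    printf("vulnerable: restore rc=%d, stale object reads \"%s\"\n", rc, seen);
    rc = run_scenario(1, seen);
    printf("hardened:   restore rc=%d, stale object reads \"%s\"\n", rc, seen);
    return 0;
}
```

In the vulnerable run the stale stack entry reads back the attacker's string because the groom allocation was handed the very slot `restore` freed; in the hardened run `restore` refuses with `invalidrestore` and the original object is untouched. Real heaps are not LIFO per slot, which is why exploits spray many same-sized allocations rather than relying on one.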

Why EPS was turned off: Microsoft did not stop at patching the two bugs. As a defense-in-depth change it turned the EPS filter off by default in Office (a change shipped in the April 2017 Office updates, so it was already in place when the May 2017 fixes for CVE-2017-0261 and CVE-2017-0262 arrived), acknowledging that the EPS parser was an attack surface hard to secure and that the format had little legitimate use in modern Office documents. With the filter disabled, Office no longer hands EPS images to epsimp32.flt at all, which also covers parser bugs that have not been found yet.

Attack Characteristics

Attribute Detail
Attack Vector File delivery — phishing with malicious Office document
Trigger Open document with embedded malicious EPS graphic
Threat Actors Turla (FSB, Snake) and a financially motivated group for CVE-2017-0261; APT28 (GRU, Fancy Bear) for the companion EPS bug CVE-2017-0262
Chain Component Stage 1 RCE, followed by a Win32k LPE for SYSTEM (CVE-2017-0263 in APT28's CVE-2017-0262 chain; an already-patched Win32k bug in the Turla CVE-2017-0261 chain)

Discovery

FireEye discovered active zero-day exploitation of CVE-2017-0261 and CVE-2017-0262 on April 14, 2017 and reported both to Microsoft, which fixed them in the May 2017 security update. FireEye attributed the use of CVE-2017-0261 to Turla (and to a separate, financially motivated actor) and the use of CVE-2017-0262 to APT28.

Exploitation Context

  • Nation-state zero-day exploitation: APT28 (GRU) and Turla (FSB), two distinct Russian intelligence services, were each using their own EPS zero-day (CVE-2017-0262 and CVE-2017-0261 respectively) when the May 2017 patch cycle fixed both, which suggests independent exploit development; FireEye's discovery of both at the same time was notable
  • Targeting: the documents exploiting CVE-2017-0261 and CVE-2017-0262 were delivered by spear-phishing against European targets including think tanks, government ministries, and defense contractors in the period before the May 2017 patch
  • Chained with Win32k LPE: both EPS exploits were followed by a Win32k use-after-free for privilege escalation, a complete chain from phishing email to SYSTEM; APT28 used the then-unpatched CVE-2017-0263, while the Turla CVE-2017-0261 chain relied on a Win32k bug Microsoft had already fixed
  • EPS filter disabled by default: rather than only patching the specific bugs, Microsoft turned EPS support in Office off by default, treating the EPS parser as an unacceptably large attack surface
  • CISA KEV (2022): added March 2022 as part of a batch of nation-state-exploited Office vulnerabilities

Remediation

CISA BOD 22-01 Deadline: March 24, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
  1. Apply the May 2017 Office security update — the May 9, 2017 update fixes the use-after-free in epsimp32.flt (and CVE-2017-0262 alongside it).

  2. Verify the EPS filter is disabled — Microsoft turned the filter off by default in the April 2017 Office updates and published registry settings so administrators can disable it manually without waiting for a patch (and, if genuinely needed, re-enable it). On patched hosts, confirm that EPS images are no longer rendered and that nobody has re-enabled the filter: a re-enabled filter, not the patched bug, is what would expose the next EPS parser flaw.

  3. Apply the May 2017 Windows update — also apply the companion Win32k patch for CVE-2017-0263 to close the LPE used in the second stage of the APT28 chain, and keep Windows current generally; the Turla chain relied on a Win32k bug that was already fixed, so unpatched kernels turned a user-level document exploit into full machine compromise.

  4. Enable Office Protected View — Protected View opens untrusted documents (email attachments, downloaded files) read-only in a low-privilege sandbox. It does not necessarily stop the EPS filter from running, but it limits what the shellcode can reach until the user clicks Enable Editing; the Win32k LPE second stage is precisely the kind of kernel bug used to escape such sandboxes, so treat this as containment, not a fix.

  5. Block Office from spawning child processes — the ASR rule "Block all Office applications from creating child processes" (rule ID D4F940AB-401B-4EFC-AADC-AD5F3C50688A) stops shellcode that tries to launch a payload process. It requires Microsoft Defender Antivirus as the active AV and does not stop in-process shellcode that downloads and injects without spawning anything.

Key Details

Property Value
CVE ID CVE-2017-0261
Vendor / Product Microsoft — Office
NVD Published 2017-05-12
NVD Last Modified 2025-10-22
CVSS 3.1 Score 7.8
CVSS 3.1 Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity HIGH
CWE CWE-416 — Use After Free
CISA KEV Added 2022-03-03
CISA KEV Deadline 2022-03-24
Known Ransomware Use No

CVSS 3.1 Breakdown

Attack Vector Local
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Required Action

CISA BOD 22-01 Deadline: 2022-03-24. Apply updates per vendor instructions.

Timeline

Date Event
2017-04-14 FireEye identifies CVE-2017-0261 and CVE-2017-0262 being exploited as zero-days in targeted attacks against European targets (Turla and a financially motivated actor using CVE-2017-0261, APT28 using CVE-2017-0262) and reports them to Microsoft
2017-05-09 Microsoft releases the May 2017 Patch Tuesday updates fixing CVE-2017-0261, CVE-2017-0262 and the Win32k LPE CVE-2017-0263
2017-05-12 CVE-2017-0261 published by NVD
2022-03-03 Added to CISA Known Exploited Vulnerabilities catalog
2022-03-24 CISA BOD 22-01 remediation deadline

References

Resource Type
NVD — CVE-2017-0261 Vulnerability Database
CISA KEV Catalog Entry US Government
Microsoft Security Advisory — CVE-2017-0261 Vendor Advisory