CVE-2017-0262 — Microsoft Office Remote Code Execution Vulnerability

CVE-2017-0262

Microsoft Office — EPS Filter UAF Zero-Day Exploited by APT28 Before May 2017 Patch; Companion to CVE-2017-0261 (Turla); EPS Permanently Disabled Post-Patch

What Is the Office EPS Filter?

Encapsulated PostScript (EPS) is a graphics interchange format that Office could embed and render in documents via the epsimp32.flt filter. PostScript is a Turing-complete language, making its parser inherently complex and prone to memory corruption when handling malformed input. Microsoft permanently disabled EPS import in Office after the May 2017 patch cycle, recognizing the EPS parser as an unacceptable ongoing security risk given its minimal legitimate use in modern documents.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on February 10, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-0262 is a use-after-free vulnerability in Microsoft Office's EPS filter that was exploited as a zero-day by APT28 (Fancy Bear, Russian GRU) in targeted espionage campaigns against European targets before Microsoft's May 2017 patch. The companion vulnerability CVE-2017-0261 was simultaneously exploited by Turla (Russian FSB) — two distinct Russian intelligence groups using different EPS vulnerabilities in the same unpatched Office component. Both were discovered by FireEye in April 2017. Like CVE-2017-0261, CVE-2017-0262 was chained with the Win32k LPE CVE-2017-0263 for full system compromise. CISA added CVE-2017-0262 to the KEV catalog in February 2022.

Affected Versions

Product Status
Microsoft Office 2007 Vulnerable
Microsoft Office 2010 (32-bit and 64-bit) Vulnerable
Microsoft Office 2013 (32-bit and 64-bit) Vulnerable
Microsoft Office 2016 (32-bit and 64-bit) Vulnerable
All above with May 2017 security update Fixed

Technical Details

Root Cause: Use-After-Free in EPS PostScript Parser

CVE-2017-0262 is a use-after-free vulnerability (CWE-416) in the Office EPS filter (epsimp32.flt), distinct from the EPS UAF in CVE-2017-0261 but exploiting the same underlying component. During processing of a crafted EPS image embedded in an Office document, the EPS parser frees an object during PostScript operator handling but subsequently dereferences the freed pointer. Using heap grooming, attackers place controlled data at the freed memory location and redirect execution to shellcode.

Two simultaneous EPS zero-days by different Russian groups:

CVE Exploited By Attribution
CVE-2017-0261 Turla (Snake) Russian FSB
CVE-2017-0262 APT28 (Fancy Bear) Russian GRU

Both targeted the same Office EPS filter component but triggered through different code paths, indicating independent zero-day research by separate Russian intelligence agencies. Both were chained with the same Win32k LPE (CVE-2017-0263).

Post-patch EPS disable: The May 2017 patch not only fixed CVE-2017-0261 and CVE-2017-0262 but also permanently disabled EPS import capability in Office. Subsequent versions of Office ship with EPS completely removed, eliminating this entire attack surface.

Attack Characteristics

Attribute Detail
Attack Vector File delivery — spear-phishing with malicious Office document
Trigger Open document with embedded malicious EPS graphic
Threat Actor APT28 (GRU Fancy Bear)
Chain Component Stage 1 RCE, paired with CVE-2017-0263 for SYSTEM
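As an added example (not code from the advisory or from Microsoft), a defender-side check of the kind a mail gateway or document sanitizer would run: it opens an OOXML document (docx/xlsx/pptx) and flags any embedded media entry carrying EPS or PostScript content, whatever its file extension, so such attachments can be quarantined before they reach a client whose EPS filter is still enabled. The EPS signatures are standard file-format knowledge, and the sample document is constructed inline.

```python
import io
import zipfile

# EPS signatures (general file-format knowledge, not taken from the advisory):
# the DOS/Windows binary EPS wrapper starts with C5 D0 D3 C6, and plain EPS
# starts with a "%!PS-Adobe-..." header. Any PostScript header is flagged, since
# the filter's PostScript parser is the risky component.
EPS_BINARY_MAGIC = b"\xc5\xd0\xd3\xc6"
EPS_TEXT_MAGIC = b"%!PS"

def entry_is_eps(data: bytes) -> bool:
    """Return True if the leading bytes of a zip entry look like EPS/PostScript."""
    return data.startswith(EPS_BINARY_MAGIC) or data.startswith(EPS_TEXT_MAGIC)

def find_embedded_eps(doc_bytes: bytes) -> list:
    """Return names of OOXML zip entries that carry EPS content, regardless of
    the extension they were stored under."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                with zf.open(info) as fh:
                    if entry_is_eps(fh.read(64)):
                        hits.append(info.filename)
    except zipfile.BadZipFile:
        pass  # not an OOXML container (e.g. legacy .doc); out of scope here
    return hits

def build_sample_docx(media: dict) -> bytes:
    """Construct a minimal docx-like zip with the given media entries (test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        for name, data in media.items():
            zf.writestr("word/media/" + name, data)
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_docx({
        "image1.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 16,
        "image2.eps": b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n",
        "image3.emf": EPS_BINARY_MAGIC + b"\0" * 28,  # EPS stored under an EMF name
    })
    print(find_embedded_eps(sample))  # ['word/media/image2.eps', 'word/media/image3.emf']
```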

Discovery

FireEye researchers discovered active zero-day exploitation by APT28 in April 2017 and reported it to Microsoft. The simultaneous discovery of two different EPS vulnerabilities (CVE-2017-0261 by Turla and CVE-2017-0262 by APT28) revealed that two separate Russian intelligence services had independently developed EPS exploits for the same Office component.

Exploitation Context

  • APT28 zero-day use: APT28's use of CVE-2017-0262 as a zero-day reflects the GRU's investment in custom offensive capabilities; the group maintained EPS exploit capabilities for targeted operations against European governments, defense organizations, and think tanks
  • Parallel Russian intelligence development: The simultaneous exploitation of CVE-2017-0261 (FSB/Turla) and CVE-2017-0262 (GRU/APT28) against the same Office component showed that the two Russian intelligence agencies ran independent vulnerability research pipelines, discovering and exploiting the component without coordination
  • Complete exploit chain: CVE-2017-0262 (Office EPS RCE) + CVE-2017-0263 (Win32k LPE) = full machine compromise from a phishing email with no other preconditions; this two-CVE chain required only that the target open a Word document
  • EPS permanently removed: Microsoft's decision to permanently disable EPS in Office after this patch cycle was a significant attack surface reduction — the entire EPS parser was too complex and too rarely needed in legitimate use to justify continued security maintenance
  • CISA KEV (2022): Added February 2022 as part of a batch of exploited Office vulnerabilities, reflecting ongoing targeting of unpatched systems

Remediation

CISA BOD 22-01 Deadline: August 10, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
  1. Apply May 2017 Office security update — install the May 9, 2017 security update, which patches CVE-2017-0262 and permanently disables the EPS filter in Office.

  2. Apply companion Win32k patch — install the May 2017 Windows update to close CVE-2017-0263 (the LPE stage of the exploit chain) on the same systems.

  3. Enable Office Protected View — ensure Protected View is active for email attachments and internet-downloaded files; Protected View's sandbox blocks EPS rendering and prevents the initial RCE.

  4. Block Office child process spawning — the ASR rule "Block Office applications from creating child processes" prevents shellcode from launching secondary payloads.

  5. Upgrade to current Office versions — Office 2016 and later (with current patches) have EPS permanently disabled; organizations still running Office 2007/2010 with EPS enabled face the highest residual risk.

Key Details

Property              Value
CVE ID                CVE-2017-0262
Vendor / Product      Microsoft Office
NVD Published         2017-05-12
NVD Last Modified     2025-10-22
CVSS 3.1 Score        7.8
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-416 (Use After Free)
CISA KEV Added        2022-02-10
CISA KEV Deadline     2022-08-10
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-08-10. Apply updates per vendor instructions.

Timeline

Date        Event
2017-04-14  FireEye reports CVE-2017-0262 (APT28) and CVE-2017-0261 (Turla) being exploited as zero-days against European targets
2017-05-09  Microsoft releases May 2017 Patch Tuesday, patching CVE-2017-0262 and permanently disabling EPS in Office
2017-05-12  CVE-2017-0262 published by NVD
2022-02-10  Added to CISA Known Exploited Vulnerabilities catalog
2022-08-10  CISA BOD 22-01 remediation deadline

References

Resource                                    Type
NVD: CVE-2017-0262                          Vulnerability Database
CISA KEV Catalog Entry                      US Government
Microsoft Security Advisory: CVE-2017-0262  Vendor Advisory