The 14 security bulletins released on Tuesday by Microsoft address many serious issues, including a couple of Windows vulnerabilities actively exploited by malicious actors and bugs for which exploits are already publicly available.
One of the zero-days has been patched with MS16-135, a bulletin rated important. MS16-135 fixes two information disclosure and three privilege escalation flaws, one of which is a Windows kernel bug exploited in attacks by a Russia-linked cyber espionage group to elevate privileges and escape the browser sandbox.
The zero-day, tracked as CVE-2016-7255, was reported to Microsoft by Google researchers on October 21 and it was disclosed by the search giant ten days later. Google typically gives vendors a few months to patch vulnerabilities, but the deadline is only 7 days for flaws exploited in the wild.
While Google decided that it would be in the best interest of users to disclose the vulnerability, Microsoft disagreed and criticized the company for putting its customers at risk. Microsoft said the vulnerability had been exploited in a low-volume spear-phishing campaign by the threat group known as Pawn Storm, APT28, Fancy Bear, Sednit, Sofacy and Tsar Team.
The vulnerability affects Windows Vista through Windows 10 Anniversary Update, but new mitigations prevent exploitation against the latter. The same attacks also leverage a Flash Player vulnerability that Adobe patched on October 26.
This is not the only zero-day vulnerability patched by Microsoft on Tuesday. The critical security bulletin MS16-132 addresses several issues related to the Windows Media Foundation, the Windows Animation Manager and OpenType fonts, including a remote code execution vulnerability (CVE-2016-7256) caused due to the way the Windows font library handles specially crafted embedded fonts.
The vulnerability has been exploited in the wild, but Microsoft has not shared any details on these attacks. The company said the flaw can be exploited via specially crafted websites or documents that victims must open in order to trigger the exploit.
Microsoft also patched a couple of vulnerabilities that have not been exploited in the wild, but for which exploits are publicly available. This includes a browser information disclosure vulnerability (CVE-2016-7199) and an Edge spoofing flaw (CVE-2016-7209) – both fixed with MS16-129.
Other critical security bulletins resolve various Windows vulnerabilities, including issues affecting Video Control, the Input Method Editor (IME) and the Task Scheduler. Important bulletins fix security holes in the Windows Virtual Hard Disk Driver, SQL Server, Windows authentication methods, the Windows kernel, Secure Boot, the Windows Common Log File System (CLFS) driver, and Office.
Adobe also released security updates this Patch Tuesday. The company addressed one vulnerability in Connect for Windows and nine arbitrary code execution flaws in Flash Player. The Flash Player issues have also been patched in Internet Explorer and Edge with the MS16-141 critical bulletin.
Related: Microsoft Delays Retirement of EMET