SecurityWeek

Vulnerabilities

Microsoft Patches Windows Zero-Day Exploited by Russian Hackers

The 14 security bulletins released on Tuesday by Microsoft address many serious issues, including a couple of Windows vulnerabilities actively exploited by malicious actors and bugs for which exploits are already publicly available.

One of the zero-days has been patched with MS16-135, a bulletin rated important. MS16-135 fixes two information disclosure and three privilege escalation flaws, one of which is a Windows kernel bug exploited in attacks by a Russia-linked cyber espionage group to elevate privileges and escape the browser sandbox.

The zero-day, tracked as CVE-2016-7255, was reported to Microsoft by Google researchers on October 21 and it was disclosed by the search giant ten days later. Google typically gives vendors a few months to patch vulnerabilities, but the deadline is only 7 days for flaws exploited in the wild.

While Google decided that it would be in the best interest of users to disclose the vulnerability, Microsoft disagreed and criticized the company for putting its customers at risk. Microsoft said the vulnerability had been exploited in a low-volume spear-phishing campaign by the threat group known as Pawn Storm, APT28, Fancy Bear, Sednit, Sofacy and Tsar Team.

The vulnerability affects Windows Vista through Windows 10 Anniversary Update, but new mitigations prevent exploitation against the latter. The same attacks also leverage a Flash Player vulnerability that Adobe patched on October 26.

This is not the only zero-day vulnerability patched by Microsoft on Tuesday. The critical security bulletin MS16-132 addresses several issues related to the Windows Media Foundation, the Windows Animation Manager and OpenType fonts, including a remote code execution vulnerability (CVE-2016-7256) caused by the way the Windows font library handles specially crafted embedded fonts.

The vulnerability has been exploited in the wild, but Microsoft has not shared any details on these attacks. The company said the flaw can be exploited via specially crafted websites or documents that victims must open in order to trigger the exploit.

Microsoft also patched a couple of vulnerabilities that have not been exploited in the wild, but for which exploits are publicly available. This includes a browser information disclosure vulnerability (CVE-2016-7199) and an Edge spoofing flaw (CVE-2016-7209) – both fixed with MS16-129.

Other critical security bulletins resolve various Windows vulnerabilities, including issues affecting Video Control, the Input Method Editor (IME) and the Task Scheduler. Important bulletins fix security holes in the Windows Virtual Hard Disk Driver, SQL Server, Windows authentication methods, the Windows kernel, Secure Boot, the Windows Common Log File System (CLFS) driver, and Office.

Adobe also released security updates this Patch Tuesday. The company addressed one vulnerability in Connect for Windows and nine arbitrary code execution flaws in Flash Player. The Flash Player issues have also been patched in Internet Explorer and Edge with the MS16-141 critical bulletin.

Related: Microsoft Edge Tops Browser Protection Tests

Related: Microsoft Delays Retirement of EMET

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
