Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Microsoft Patches Flaws Exploited in Targeted Attacks

Microsoft released on Tuesday 16 security bulletins to patch more than 30 vulnerabilities, including JScript and VBScript zero-days exploited in attacks targeting users in South Korea.

Microsoft released on Tuesday 16 security bulletins to patch more than 30 vulnerabilities, including JScript and VBScript zero-days exploited in attacks targeting users in South Korea.

The exploited flaws have been addressed by Microsoft in two separate critical bulletins. One of them, MS16-053, fixes the actual vulnerabilities, which affect the JScript and VBScript scripting engines in Windows. These security holes, tracked as CVE-2016-0187 and CVE-2016-0189, can be used for remote code execution.

However, since the vulnerabilities have been exploited via Internet Explorer, Microsoft released a separate bulletin, MS16-051, for the web browser. The company explained that MS16-051 protects systems running Internet Explorer 9, 10 and 11, while MS16-053 addresses the vulnerabilities on systems running Internet Explorer 7 and earlier.

Symantec reported that attackers exploited these flaws in limited targeted attacks aimed at South Korea, a country where Internet Explorer is highly popular. According to the security firm, attackers likely delivered the exploit via spear-phishing emails or compromised websites.

The exploit landing page hosts JavaScript code designed to profile the user’s computer and deliver the actual exploit in an obfuscated VBScript file. The exploit has been used to download a malicious file from a Korean website, but Symantec says the final payload is currently unknown.

Another critical bulletin released by Microsoft on Tuesday addresses several remote code execution vulnerabilities in Edge running on Windows 10. An attacker can exploit the flaws by getting the victim to access a specially crafted webpage.

A bulletin that addresses vulnerabilities in Office has also been rated critical. Malicious actors can exploit these for remote code execution via a specially crafted Office file.

The other critical and important updates patch various security holes affecting Windows components, including the graphics component, Journal, Windows Shell, IIS, Media Center, Kernel-Mode and Volume Manager drivers, and Virtual Secure Mode.

Advertisement. Scroll to continue reading.

An important update for the .NET Framework addresses a TLS vulnerability (CVE-2016-0149) that has already been publicly disclosed.

“The vulnerability is an information disclosure in TLS/SSL that could enable an attacker to decrypt encrypted SSL/TLS traffic. To exploit the vulnerability, an attacker would first have to inject unencrypted data into the secure channel and then perform a man-in-the-middle attack between the targeted client and a legitimate server,” Chris Goettl, product manager with Shavlik, told SecurityWeek. “On network this may be harder to achieve, but users who leave the network could be at higher risk of exposure to a scenario where this type of attack is possible. Keep in mind, Microsoft recommends thorough testing before rolling out to production environments.”

Microsoft has also released Flash library updates for Internet Explorer and Edge to address two dozen vulnerabilities. Adobe informed customers on Tuesday that it’s working on fixing a serious Flash flaw that has been exploited in the wild. Judging by Microsoft’s advisory, the update prepared by Adobe will patch not only the zero-day, but two dozen other Flash vulnerabilities as well.

Adobe has also published advisories describing nearly 100 vulnerabilities patched in Reader, Acrobat and ColdFusion.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.