SecurityWeek

Microsoft Patches Flaws Exploited in Targeted Attacks

Microsoft released on Tuesday 16 security bulletins to patch more than 30 vulnerabilities, including JScript and VBScript zero-days exploited in attacks targeting users in South Korea.

The exploited flaws have been addressed by Microsoft in two separate critical bulletins. One of them, MS16-053, fixes the actual vulnerabilities, which affect the JScript and VBScript scripting engines in Windows. These security holes, tracked as CVE-2016-0187 and CVE-2016-0189, can be used for remote code execution.

However, since the vulnerabilities have been exploited via Internet Explorer, Microsoft released a separate bulletin, MS16-051, for the web browser. The company explained that MS16-051 protects systems running Internet Explorer 9, 10 and 11, while MS16-053 addresses the vulnerabilities on systems running Internet Explorer 7 and earlier.

Symantec reported that attackers exploited these flaws in limited targeted attacks aimed at South Korea, a country where Internet Explorer is highly popular. According to the security firm, attackers likely delivered the exploit via spear-phishing emails or compromised websites.

The exploit landing page hosts JavaScript code designed to profile the user’s computer and deliver the actual exploit in an obfuscated VBScript file. The exploit has been used to download a malicious file from a Korean website, but Symantec says the final payload is currently unknown.

Another critical bulletin released by Microsoft on Tuesday addresses several remote code execution vulnerabilities in Edge running on Windows 10. An attacker can exploit the flaws by getting the victim to access a specially crafted webpage.

A bulletin that addresses vulnerabilities in Office has also been rated critical. Malicious actors can exploit these for remote code execution via a specially crafted Office file.

The other critical and important updates patch various security holes affecting Windows components, including the graphics component, Journal, Windows Shell, IIS, Media Center, Kernel-Mode and Volume Manager drivers, and Virtual Secure Mode.

An important update for the .NET Framework addresses a TLS vulnerability (CVE-2016-0149) that has already been publicly disclosed.

“The vulnerability is an information disclosure in TLS/SSL that could enable an attacker to decrypt encrypted SSL/TLS traffic. To exploit the vulnerability, an attacker would first have to inject unencrypted data into the secure channel and then perform a man-in-the-middle attack between the targeted client and a legitimate server,” Chris Goettl, product manager with Shavlik, told SecurityWeek. “On network this may be harder to achieve, but users who leave the network could be at higher risk of exposure to a scenario where this type of attack is possible. Keep in mind, Microsoft recommends thorough testing before rolling out to production environments.”

Microsoft has also released Flash library updates for Internet Explorer and Edge to address two dozen vulnerabilities. Adobe informed customers on Tuesday that it’s working on fixing a serious Flash flaw that has been exploited in the wild. Judging by Microsoft’s advisory, the update prepared by Adobe will patch not only the zero-day, but two dozen other Flash vulnerabilities as well.

Adobe has also published advisories describing nearly 100 vulnerabilities patched in Reader, Acrobat and ColdFusion.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
