Microsoft Patches Flaws Exploited in Targeted Attacks

Microsoft released on Tuesday 16 security bulletins to patch more than 30 vulnerabilities, including JScript and VBScript zero-days exploited in attacks targeting users in South Korea.

The exploited flaws have been addressed by Microsoft in two separate critical bulletins. One of them, MS16-053, fixes the actual vulnerabilities, which affect the JScript and VBScript scripting engines in Windows. These security holes, tracked as CVE-2016-0187 and CVE-2016-0189, can be used for remote code execution.

However, since the vulnerabilities have been exploited via Internet Explorer, Microsoft released a separate bulletin, MS16-051, for the web browser. The company explained that MS16-051 protects systems running Internet Explorer 9, 10 and 11, while MS16-053 addresses the vulnerabilities on systems running Internet Explorer 7 and earlier.

Symantec reported that attackers exploited these flaws in limited targeted attacks aimed at South Korea, a country where Internet Explorer is highly popular. According to the security firm, attackers likely delivered the exploit via spear-phishing emails or compromised websites.

The exploit landing page hosts JavaScript code designed to profile the user’s computer and deliver the actual exploit in an obfuscated VBScript file. The exploit has been used to download a malicious file from a Korean website, but Symantec says the final payload is currently unknown.

Another critical bulletin released by Microsoft on Tuesday addresses several remote code execution vulnerabilities in Edge running on Windows 10. An attacker can exploit the flaws by getting the victim to access a specially crafted webpage.

A bulletin that addresses vulnerabilities in Office has also been rated critical. Malicious actors can exploit these for remote code execution via a specially crafted Office file.

The other critical and important updates patch various security holes affecting Windows components, including the graphics component, Journal, Windows Shell, IIS, Media Center, Kernel-Mode and Volume Manager drivers, and Virtual Secure Mode.

An important update for the .NET Framework addresses a TLS vulnerability (CVE-2016-0149) that has already been publicly disclosed.

“The vulnerability is an information disclosure in TLS/SSL that could enable an attacker to decrypt encrypted SSL/TLS traffic. To exploit the vulnerability, an attacker would first have to inject unencrypted data into the secure channel and then perform a man-in-the-middle attack between the targeted client and a legitimate server,” Chris Goettl, product manager with Shavlik, told SecurityWeek. “On network this may be harder to achieve, but users who leave the network could be at higher risk of exposure to a scenario where this type of attack is possible. Keep in mind, Microsoft recommends thorough testing before rolling out to production environments.”

Microsoft has also released Flash library updates for Internet Explorer and Edge to address two dozen vulnerabilities. Adobe informed customers on Tuesday that it’s working on fixing a serious Flash flaw that has been exploited in the wild. Judging by Microsoft’s advisory, the update prepared by Adobe will patch not only the zero-day, but two dozen other Flash vulnerabilities as well.

Adobe has also published advisories describing nearly 100 vulnerabilities patched in Reader, Acrobat and ColdFusion.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
