Microsoft released on Tuesday 16 security bulletins to patch more than 30 vulnerabilities, including JScript and VBScript zero-days exploited in attacks targeting users in South Korea.
The exploited flaws have been addressed by Microsoft in two separate critical bulletins. One of them, MS16-053, fixes the actual vulnerabilities, which affect the JScript and VBScript scripting engines in Windows. These security holes, tracked as CVE-2016-0187 and CVE-2016-0189, can be used for remote code execution.
However, since the vulnerabilities have been exploited via Internet Explorer, Microsoft released a separate bulletin, MS16-051, for the web browser. The company explained that MS16-051 protects systems running Internet Explorer 9, 10 and 11, while MS16-053 addresses the vulnerabilities on systems running Internet Explorer 7 and earlier.
Symantec reported that attackers exploited these flaws in limited targeted attacks aimed at South Korea, a country where Internet Explorer is highly popular. According to the security firm, attackers likely delivered the exploit via spear-phishing emails or compromised websites.
The exploit landing page hosts JavaScript code designed to profile the user’s computer and deliver the actual exploit in an obfuscated VBScript file. The exploit has been used to download a malicious file from a Korean website, but Symantec says the final payload is currently unknown.
Another critical bulletin released by Microsoft on Tuesday addresses several remote code execution vulnerabilities in Edge running on Windows 10. An attacker can exploit the flaws by getting the victim to access a specially crafted webpage.
A bulletin that addresses vulnerabilities in Office has also been rated critical. Malicious actors can exploit these for remote code execution via a specially crafted Office file.
The other critical and important updates patch various security holes affecting Windows components, including the graphics component, Journal, Windows Shell, IIS, Media Center, Kernel-Mode and Volume Manager drivers, and Virtual Secure Mode.
An important update for the .NET Framework addresses a TLS vulnerability (CVE-2016-0149) that has already been publicly disclosed.
“The vulnerability is an information disclosure in TLS/SSL that could enable an attacker to decrypt encrypted SSL/TLS traffic. To exploit the vulnerability, an attacker would first have to inject unencrypted data into the secure channel and then perform a man-in-the-middle attack between the targeted client and a legitimate server,” Chris Goettl, product manager with Shavlik, told SecurityWeek. “On network this may be harder to achieve, but users who leave the network could be at higher risk of exposure to a scenario where this type of attack is possible. Keep in mind, Microsoft recommends thorough testing before rolling out to production environments.”
Microsoft has also released Flash library updates for Internet Explorer and Edge to address two dozen vulnerabilities. Adobe informed customers on Tuesday that it’s working on fixing a serious Flash flaw that has been exploited in the wild. Judging by Microsoft’s advisory, the update prepared by Adobe will patch not only the zero-day, but two dozen other Flash vulnerabilities as well.
Adobe has also published advisories describing nearly 100 vulnerabilities patched in Reader, Acrobat and ColdFusion.