Microsoft Patches Windows Zero-Day Exploited by Russian Hackers

The 14 security bulletins released on Tuesday by Microsoft address many serious issues, including a couple of Windows vulnerabilities actively exploited by malicious actors and bugs for which exploits are already publicly available.

One of the zero-days has been patched with MS16-135, a bulletin rated important. MS16-135 fixes two information disclosure and three privilege escalation flaws, one of which is a Windows kernel bug exploited in attacks by a Russia-linked cyber espionage group to elevate privileges and escape the browser sandbox.

The zero-day, tracked as CVE-2016-7255, was reported to Microsoft by Google researchers on October 21 and it was disclosed by the search giant ten days later. Google typically gives vendors a few months to patch vulnerabilities, but the deadline is only 7 days for flaws exploited in the wild.

While Google decided that it would be in the best interest of users to disclose the vulnerability, Microsoft disagreed and criticized the company for putting its customers at risk. Microsoft said the vulnerability had been exploited in a low-volume spear-phishing campaign by the threat group known as Pawn Storm, APT28, Fancy Bear, Sednit, Sofacy and Tsar Team.

The vulnerability affects Windows Vista through Windows 10 Anniversary Update, but exploit mitigations introduced in the Anniversary Update stop the observed exploit from working on that version. The same attacks also leverage a Flash Player vulnerability that Adobe patched on October 26.

This is not the only zero-day vulnerability patched by Microsoft on Tuesday. The critical security bulletin MS16-132 addresses several issues related to the Windows Media Foundation, the Windows Animation Manager and OpenType fonts, including a remote code execution vulnerability (CVE-2016-7256) caused by the way the Windows font library handles specially crafted embedded fonts.

The vulnerability has been exploited in the wild, but Microsoft has not shared any details on these attacks. The company said the flaw can be exploited via specially crafted websites or documents that victims must open in order to trigger the exploit.

Microsoft also patched a couple of vulnerabilities that have not been exploited in the wild, but for which exploits are publicly available. This includes a browser information disclosure vulnerability (CVE-2016-7199) and an Edge spoofing flaw (CVE-2016-7209) – both fixed with MS16-129.

Other critical security bulletins resolve various Windows vulnerabilities, including issues affecting Video Control, the Input Method Editor (IME) and the Task Scheduler. Important bulletins fix security holes in the Windows Virtual Hard Disk Driver, SQL Server, Windows authentication methods, the Windows kernel, Secure Boot, the Windows Common Log File System (CLFS) driver, and Office.

Adobe also released security updates this Patch Tuesday. The company addressed one vulnerability in Connect for Windows and nine arbitrary code execution flaws in Flash Player. The Flash Player issues have also been patched in Internet Explorer and Edge with the MS16-141 critical bulletin.

Related: Microsoft Edge Tops Browser Protection Tests

Related: Microsoft Delays Retirement of EMET

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
