Microsoft released 14 new security bulletins on Tuesday, in which, it addressed many security issues including a vulnerability actively exploited by a Russia-linked group and several other bugs for which exploits are publicly available.
One of the security updates is MS16-135, a bulletin rated Important on severity level. MS16-135 resolves two information disclosure and three privilege elevation vulnerabilities, including a Windows kernel bug exploited by Russia-linked hack group to escalate privileges and evade the browser sandbox function.
The zero-day CVE-2016-7255 tracked by the Google researchers on October 21st was informed to Microsoft and disclosed 10 days later. Google usually gives 90 days to vendors to patch the issues, but the deadline was only 7 days because the exploit was in the wild and needed to address immediately.
While Google decided that it had a responsibility and it is in the best interest of Windows users to disclose the vulnerability, Microsoft disagreed and criticized Google for putting its customers at potential risk.
Microsoft explained the vulnerability had been exploited in several low-volume spear phishing campaigns by the hacking group known as APT28, Fancy Bear, Pawn Storm, Sednit, Tsar Team, and Sofacy.
However, Microsoft has not disclosed any details on these attacks. It said the vulnerability could be exploited via specific websites or documents that lure victims to open in order to execute the exploit.
The vulnerability affected Windows Vista to Windows 10; Microsoft said users who are on Windows 10 Anniversary update are immune to the exploit. The same attacks also exploited Adobe Flash Player vulnerability, which was later patched on October 26th.
It is not the only vulnerability that Microsoft patched on Tuesday. The security bulletin MS16-132 rated ‘critical’ on severity level addresses various issues relating to Windows Animation Manager, Windows Media Foundation, and OpenType fonts, including an Open Type Font Execution Vulnerability (CVE-2016-7256) caused by the Windows font library that handles embedded fonts.
Microsoft also patched low-level vulnerabilities for which exploits are publicly available. It includes and Edge spoofing bug (CVE-2016-7209) and a browser information disclosure vulnerability (CVE-2016-7199), which are fixed in the patch MS16-129.
Other ‘critical’ level patches resolve issues affecting Input Method Editor (IME), Voice Control, and the Task Scheduler. ‘Important’ level patches fix SQL Server, Windows Virtual Hard Disk Driver, Windows authentication methods, Secure Boot, Windows Kernal, Office, and Windows Common Log File System (CLFS) driver.
The Flash Players vulnerabilities have also been patched in Edge and Internet Explorer with MS16-141 ‘critical’ patch.
If you haven’t updated your Windows, please do so now!