Windows Patches Exploits Used By Russian Hackers, Update Your Windows Now

Last updated: July 5, 2023
netcease

Microsoft released 14 new security bulletins on Tuesday, addressing many security issues, including a vulnerability actively exploited by a Russia-linked group and several other bugs for which exploits are publicly available.

One of the security updates is MS16-135, a bulletin rated Important in severity. MS16-135 resolves two information disclosure and three privilege elevation vulnerabilities, including a Windows kernel bug exploited by a Russia-linked hacking group to escalate privileges and escape the browser sandbox.

The zero-day, CVE-2016-7255, was reported to Microsoft by Google researchers on October 21st and disclosed 10 days later. Google usually gives vendors 90 days to patch issues, but the deadline was only 7 days because the exploit was in the wild and needed to be addressed immediately.

While Google decided that it had a responsibility to disclose the vulnerability and that doing so was in the best interest of Windows users, Microsoft disagreed and criticized Google for putting its customers at potential risk.

Microsoft explained that the vulnerability had been exploited in several low-volume spear-phishing campaigns by the hacking group known variously as APT28, Fancy Bear, Pawn Storm, Sednit, Tsar Team, and Sofacy.