Microsoft Patches Five Zero Days Under Attack

Author: Emma Cui

Microsoft today patched a handful of zero-day vulnerabilities that have been publicly attacked in Internet Explorer, Edge, Windows and Office products. The security updates were included among 10 Patch Tuesday bulletins, half of which were rated critical by Microsoft.

Today also marked the first time Microsoft issued security updates for older Windows versions (Windows 7 and 8, and Windows Server 2008 and 2012) as single, cumulative security and feature updates.

Last week Microsoft announced that admins will have three options for patch distribution going forward: one update that includes all new patches for the month, available on WSUS; a monthly security update that contains new patches for the month and patches from previous monthly rollups, available via Windows Update; and a monthly rollup that has a preview of upcoming feature updates and patches from previous rollups, to be delivered via WSUS on the third Tuesday of each month.

None of the zero-day vulnerabilities were publicly disclosed before now, but Microsoft said it was aware of attacks exploiting the flaws.

The Internet Explorer zero day, CVE-2016-3298, was among 11 remote code execution flaws patched in a cumulative update, MS16-118. The flaw is an information-disclosure vulnerability and could allow an attacker to "test for the presence of files on disk," Microsoft said, adding that a user would have to visit a malicious website using IE 9-11 to trigger the vulnerability. The update also patches a mix of memory corruption and privilege elevation flaws, all of which help remote code execution.

The Microsoft Edge bulletin, MS16-119, also includes a patch for a zero day, CVE-2016-7189, in the browser's scripting engine.

"A remote code execution vulnerability exists when Microsoft Edge improperly handles objects in memory," Microsoft said in its advisory. "An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's process."

The zero day is one of 13 vulnerabilities patched in Edge, most of which are memory corruption flaws in the browser.

Another zero day, CVE-2016-3393, was addressed in Microsoft Windows Graphics Component in MS16-020. Attackers could exploit this flaw over the web, or via a malicious file attached to an email or sent over a file-sharing application.

The bulletin patches eight vulnerabilities overall in Graphics Component, GDI and TrueType Font Parsing, which is used in Windows, Office, Skype for Business, Silverlight and Microsoft Lync, exposing those applications to remote code execution.

An Office zero day, CVE-2016-7193, was also patched in MS16-121, the lone vulnerability addressed in the bulletin. Microsoft said the flaw is a remote code execution vulnerability caused by the way Office handles RTF files. An attacker would need to convince a victim to open an infected file with an Office application.

The remaining publicly attacked zero day, CVE-2016-3298, was in the Microsoft Internet Messaging API and patched in MS16-126. The flaw is an information disclosure vulnerability affecting Vista, Windows 7 and 8. The protocol was used by email clients such as Outlook and Exchange Server to communicate and access public and private files and folders; that is no longer the case.

The remaining bulletin rated critical, MS16-122, patches a vulnerability in the Windows Video Control. The vulnerability, CVE-2016-0142, is a remote code execution bug in Windows Vista, 7, 8 and 10 and can be exploited by a user opening a crafted file or application from the web or email. The vulnerability could be triggered from the Preview Pane, Microsoft said.

Microsoft also patched Adobe Flash Player native to Internet Explorer and Edge in MS16-127; a new version of Flash Player was released today by Adobe that patched a dozen vulnerabilities in the software, most of which were remote code execution.