Microsoft's latest 14 security bulletins patch 60 vulnerabilities in the Windows OS, Office, the Edge and Internet Explorer browsers, and SQL servers. One of the bulletins addresses flaws in Adobe Flash Player, which is updated via Windows Update in Windows 10 and 8.1. Six of these bulletins are rated critical, and eight are labeled “important”.
One of the most crucial bulletins that should be prioritized by network administrators is MS16-135 as it addresses a zero-day vulnerability – CVE-2016-7255 – exploited in the wild by the Fancy Bear attackers. The group is also known as APT28.
More about CVE-2016-7255
As already mentioned, this zero-day was leveraged by Russian attackers to gain administrator-level control by escaping the sandbox protection and executing malicious code. Google disclosed the vulnerability 10 days after privately reporting it to Microsoft, which left Microsoft little time to issue the appropriate security patches. Google says they didn’t wait longer for the public disclosure because of the attacks detected in the wild.
Because the attacks were leveraging the CVE-2016-7255 flaw, Google felt they needed to inform users as soon as possible. In addition, Google gives vendors only seven days to fix vulnerabilities or to publish mitigation advice when the vulnerabilities are being exploited in active attacks.
Microsoft, however, criticized Google for their decision because it put users at potential risk. This is what a Microsoft spokesperson said in a statement not too long ago:
We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk. Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.
MS16-135 is not the only security bulletin that needs to be prioritized.
MS16-132 is rated critical and addresses several remote code execution flaws, plus another zero-day also leveraged in active attacks. This particular flaw is found in the Windows font library and can be exploited via specially crafted fonts embedded into websites or documents. In short, successful exploitation allows attackers to take full control of the affected systems, as explained by Microsoft.
Three other critical flaws in IE and Edge are addressed in the MS16-142 and MS16-129 bulletins. These flaws were disclosed before they were patched. Fortunately, Microsoft says the flaws weren’t exploited in the wild.
Make sure to apply all patches.