Microsoft Patches 5 Zero-Day Vulnerabilities Being Exploited in the Wild
October 13, 2016
Seid Yassin (557 articles)
Share

Microsoft Patches 5 Zero-Day Vulnerabilities Being Exploited in the Wild

Microsoft has released its monthly Patch Tuesday update including a total of 10 security bulletin, and you are required to apply the whole package of patches altogether, whether you like it or not.

That’s because the company is kicking off a controversial new all-or-nothing patch model this month by packaging all security updates into a single payload, removing your ability to pick and choose which individual patches to install.

October’s patch bundle includes fixes for at least 5 separate dangerous zero-day vulnerabilities in Internet Explorer, Edge, Windows and Office products that attackers were already exploiting in the wild before the patch release.

The patches for these zero-day flaws are included in MS16-118, MS16-119, MS16-120, MS16-121 and MS16-126. All the zero-days are being exploited in the wild, allowing attackers to execute a remote command on victim’s system.

Although none of the zero-day flaws were publicly disclosed prior to Tuesday, the company was aware of attacks exploiting these flaws, said Microsoft.

Here’s the list of Zero-Day Vulnerabilities:

 

  1. CVE-2016-3298: An Internet Explorer zero-day flaw is a browser information disclosure vulnerability patched in MS16-118 bulletin among 11 other vulnerabilities. It could allow attackers to “test for the presence of files on disk.”
  2. CVE-2016-7189: A zero-day in the browser’s scripting engine has been patched in Microsoft Edge bulletin, MS16-119, among others. The flaw is a remote code execution vulnerability.
  3. CVE-2016-3393: Another zero-day in Microsoft Windows Graphics Component has been addressed in MS16-120 that could be exploited over the web, or via an email containing malicious file or over a file-sharing app to conduct RCE attack.
  4. CVE-2016-7193: A single zero-day in Office has been addressed in MS16-121 bulletin. The flaw is a remote code execution vulnerability caused by the way Office handles RTF files.
  5. CVE-2016-3298: The last publicly attacked zero-day has been patched in MS16-126, which is the only zero-day that is not rated critical, just moderate. The flaw is an information disclosure bug affecting Vista, Windows 7 and 8 and exists in the Microsoft Internet Messaging API.

Another bulletin rated critical is MS16-122 that patches a remote code execution flaw, CVE-2016-0142, in the Windows Video Control, affecting Windows Vista, 7, 8 and 10. The bug can be exploited when a user opens a crafted file or app from the web page or email.

Microsoft also patched twelve vulnerabilities in Adobe Flash Player for Windows 8.1, Windows 10, and Server 2012 in MS16-127.

source | thehackernews

Related articles

Critical Vulnerability in WordPress Ad Inserter Plugin Let Hackers to Execute Arbitrary PHP Code

Critical Vulnerability in WordPress Ad Inserter Plugin Let Hackers to Execute Arbitrary PHP Code

Experts Show That Is Easy to Hack Hardware-Based Cryptocurrency Wallets

Experts Show That Is Easy to Hack Hardware-Based Cryptocurrency Wallets

Chinese Video App VidMate Stealing Personal Data, Drain Battery, Fake Ad Click to Generate Revenue From 500 Million Android Users

Chinese Video App VidMate Stealing Personal Data, Drain Battery, Fake Ad Click to Generate Revenue From 500 Million Android Users