On Tuesday this week Microsoft announced fixes for 14 security issues. Two of them are zero-days under active exploitation, and for two others exploit code is publicly available.
One of the two actively exploited flaws was patched with MS16-135, a bulletin rated important. MS16-135 fixes two information disclosure and three privilege escalation flaws; one of the latter is a Windows kernel bug exploited in attacks by a Russia-linked cyber espionage group to elevate privileges and escape the browser sandbox.
The zero-day, tracked as CVE-2016-7255, was reported to Microsoft by Google researchers on October 21 and was publicly disclosed by Google ten days later. Google typically gives vendors a few months to patch vulnerabilities, but the deadline is only 7 days for flaws exploited in the wild.
While Google decided that it would be in the best interest of users to disclose the vulnerability, Microsoft disagreed and criticized the company for putting its customers at risk. Microsoft said the vulnerability had been exploited in a low-volume spear-phishing campaign by the threat group known variously as Pawn Storm, APT28, Fancy Bear, Sednit, Sofacy and Tsar Team.
The vulnerability affects Windows Vista through Windows 10 Anniversary Update, but new mitigations prevent exploitation against the latter. The same attacks also leverage a Flash Player vulnerability that Adobe patched on October 26.
This is not the only zero-day vulnerability patched by Microsoft on Tuesday. The critical security bulletin MS16-132 addresses several issues in Windows Media Foundation, the Windows Animation Manager and OpenType font handling, including a remote code execution vulnerability (CVE-2016-7256) caused by the way the Windows font library handles specially crafted embedded fonts.
The vulnerability has been exploited in the wild, but Microsoft has not shared any details on these attacks. The company said the flaw can be exploited via specially crafted websites or documents that victims must open in order to trigger the exploit.
Microsoft also patched a couple of vulnerabilities that have not been exploited in the wild, but for which exploits are publicly available. This includes a browser information disclosure vulnerability (CVE-2016-7199) and an Edge spoofing flaw (CVE-2016-7209) – both fixed with MS16-129.