Patch Tuesday: Microsoft Tackles Multiple Zero-Day Flaws

business security

Internet Explorer among usual suspects to get updates, that includes a fix for AdGholas malvertising campaign

Microsoft has delivered its monthly Patch Tuesday update that includes fixes for the usual suspects such as Internet Explorer, Edge and Microsoft Office.

Redmond is also changing the way it delivers its security update with a new system designed to give system administrators more time to test the patches on their own systems.

Patch Tuesday

The latest Patch Tuesday from Microsoft delivers 10 bulletins that has a total of 36 unique CVEs (Common Vulnerabilities and Exposures).

Six of these bulletins are rated critical and a large number of zero-day flaws have been fixed, so system administrators will have a busy few days ahead.

This Patch Tuesday … definitely a step back from September’s massive list, but also not a light month by any measure,” blogged Karl Sigler, Threat Intelligence Manager at Trustwave. “Six of the bulletins are rated Critical and is mostly a list of our usual suspects, namely Internet Explorer, Edge, Graphics Component, Adobe Flash and the Microsoft Office suite.”

google“The sixth Critical bulletin is in Windows Object Linking and Embedding (OLE),” wrote Sigler. “The vulnerability allows an attacker to execute arbitrary code in the context of the victim’s account by tricking the victim into opening a specific email or visiting a website.”

Microsoft has fixed zero day flaws with Internet Explorer and Edge with MS16-118 and MS16-118 respectively. MS16-121 resolves a vulnerability in Microsoft Office for an RTF remote code execution flaw. MS16-120 tackles a flaw with Microsoft Graphics Component.

MS16-127 addresses the vulnerabilities in Adobe Flash Player by updating the affected Flash libraries contained within both of Microsoft web browsers.

Researchers at Proofpoint meanwhile pointed out in a new blog post that Microsoft has patched a zero day vulnerability which was associated with the AdGholas malvertising campaign.

It seems that Proofpoint researchers Will Metcalf and Kafeine first detected AdGholas earlier this year, and they warned at the time that it had pulled in as many as one million client machines per day, and that it had been in operation since 2015.

“Threat actors, particularly those in the AdGholas and GooNky groups, continue to look for new means to exploit browser flaws,” blogged the Proofpoint researchers. “More importantly, though, they are turning to flaws that allow them to focus on ‘high-quality users’, specifically consumers rather than researchers, vendors, and sandbox environments that could detect their operations.”

Update Changes

Microsoft meanwhile has begun to change the way it delivers its Patch Tuesday update to help ease the burden on system administrators.

Microsoft’s new approach to patches will be based on a two-step method,” explained Amol Sarwate, director of Vulnerability Labs at Qualys. Firstly “Patch Tuesday … includes two main parts in itself; a security-only update and a security monthly rollup. Internet Explorer is included within this update.”

Second is “Third Tuesday …this is a monthly package of information of what to expect as a non-security fix in the next monthly rollup,” blogged Sarwate. “It details what the fixes were from the previous month to enable customers to test their systems before the next month.”

Quiz: What do you know about cybersecurity in 2016?