Microsoft followed through and today patched a zero-day vulnerability being exploited in public attacks that was disclosed by Google researchers nine days ago.
The victims have yet to be identified, but Microsoft did accuse the Sofacy APT gang of carrying out the attacks. Sofacy is generally thought to have ties to Russian military intelligence and its targets are strategic, such as government and diplomatic agencies, military and defense contractors, and public policy think-tanks.
Google’s disclosure on Oct. 31 came 10 days after it privately reported the vulnerability to Microsoft, along with a Flash zero day to Adobe also used in these attacks.
Adobe patched the Flash vulnerability with an emergency update released on Oct. 26, but Microsoft did not publicly acknowledge the bug until after Google publicly disclosed it. Google’s internal policy gives vendors seven days to publicly report or patch vulnerabilities being actively exploited.
Google said the vulnerability is a local privilege escalation in the Windows kernel that leads to a sandbox escape.
“It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD,” Google’s Neel Mehta and Billy Leonard said in their disclosure.
The attackers chained this bug and the Flash zero day in order to get on targeted computers. The sandbox escape allows the attacker to run code in kernel mode.
“Microsoft implemented new exploit mitigations in the Windows 10 Anniversary Update version of the win32k kernel component,” Microsoft said in its bulletin, MS16-135. “These Windows 10 Anniversary Update mitigations, which were developed based on proactive internal research, stop all observed in-the-wild instances of this exploit.”
MS16-135 also patched two other elevation of privilege vulnerabilities in the Windows kernel (CVE-2016-7215 and CVE-2016-7246), as well as an information disclosure bug in the kernel that opens the door for a kernel ASLR bypass (CVE-2016-7214), and a separate information disclosure bug in the Windows browser.sys kernel-mode driver (CVE-2016-7218).
Six of the 14 bulletins put out by Microsoft today are rated critical. One, MS16-132, included another vulnerability under attack in the Windows Graphics Component. Microsoft said a remote code execution Open Type Font vulnerability was patched in the Windows font library.
That bulletin patched three other flaws, including an information disclosure flaw in Open Type Font, specifically in the ATMFD component, which leaks enough information to carry out a further compromise. Also addressed were remote code execution memory corruption vulnerabilities in Windows Animation Manager and Windows Media Foundation.
Microsoft also provided cumulative updates for its browsers, Edge and Internet Explorer. The Edge update, MS16-129, patched 17 vulnerabilities, most of which lead to remote code execution. Two of the flaws, CVE-2016-7209 and CVE-2016-7199, were publicly disclosed, Microsoft said, but not used in in-the-wild attacks. The second disclosed bug was also patched in the Internet Explorer update, MS16-142, which patched seven CVEs.
MS16-130 patched three critical Windows bugs: a remote code execution flaw in the way Windows’ image file loading handles malformed image files, along with two elevation of privilege flaws in Windows IME and Windows Task Scheduler.
Another remote code execution vulnerability was addressed in MS16-131 in the Microsoft Video Control component. The remaining critical bulletin is the Adobe Flash Player update for IE and Edge; Adobe released an update today for Flash Player patching nine remote code execution flaws in the software.
Though rated important by Microsoft, an Office bulletin, MS16-133, also merits attention because it patches a dozen vulnerabilities including 10 that lead to remote code execution. None of the Office bugs are being publicly attacked, Microsoft said.
Microsoft also patched SQL Server, addressing a half-dozen elevation of privilege and information disclosure vulnerabilities in MS16-136. Three of the EoP bugs are in the SQL Server RDBMS engine, along with a cross-site scripting flaw in SQL Server MDS, an information disclosure issue in SQL Analysis Services, and another EoP issue in the SQL Server Engine Server Agent.
“The top priority for most administrators will be to quickly deploy fixes for browsers, graphics components, and Office. All of these components are affected by one or more code execution vulnerabilities Microsoft has classified as highly exploitable,” said Craig Young, security researcher at Tripwire. “These are of the highest priority due to the fact that the vulnerabilities can potentially be triggered through normal web browsing activities giving an external attacker a way into networks.”
The remaining bulletins are also rated important:
- MS16-134 patches 10 elevation of privilege flaws in the Windows Common Log File System (CLFS).
- MS16-137 patches three vulnerabilities in Windows NTLM, Virtual Secure Mode and Local Security Authority Subsystem Service.
- MS16-138 patches four elevation of privilege vulnerabilities in the Windows Virtual Hard Disk Driver.
- MS16-139 patches a local Windows kernel elevation of privilege flaw in how the Windows Kernel API enforces permissions.
- MS16-140 patches a security feature bypass in the Windows Secure Boot component; an attacker could disable code integrity checks and allow test-signed executables and drivers to be loaded.