Update: Microsoft today said it mislabeled CVE-2016-7189 in bulletin MS16-119 as exploited. “There is no evidence of any active attacks using this vulnerability and the bulletin text has been corrected.” – a Microsoft spokesperson said.
Microsoft today patched a handful of zero-day vulnerabilities that have been publicly attacked in Internet Explorer, Edge, Windows and Office products. The security updates were included among 10 Patch Tuesday bulletins, half of which were rated critical by Microsoft.
Today also signaled the first time Microsoft issued security updates for older Windows versions (Windows 7 and 8, and Windows Server 2008 and 2012) as single, cumulative security and feature updates.
Last week Microsoft announced that admins will have three choices for patch distribution going forward: a single update that includes all new patches for the month available on WSUS; a monthly security update that includes new patches for the month and patches from previous monthly rollups available via Windows Update; and a monthly rollup with a preview of upcoming feature updates and patches from previous rollups to be delivered via WSUS on the third Tuesday of every month.
None of the zero-day vulnerabilities were publicly disclosed prior to today, but Microsoft said it was aware of attacks exploiting the flaws.
The Internet Explorer zero day, CVE-2016-3298, was one of 11 remote code execution flaws patched in a cumulative update, MS16-118. The flaw is an information-disclosure vulnerability and could allow an attacker to “test for the presence of files on disk,” Microsoft said, adding that a user would have to visit a malicious website via IE 9-11 to trigger the vulnerability. The update also patches a mix of memory corruption and privilege elevation flaws, all of which enable remote code execution.
The Microsoft Edge bulletin, MS16-119, also includes a patch for a zero day, CVE-2016-7189, in the browser’s scripting engine.
“A remote code execution vulnerability exists when Microsoft Edge improperly handles objects in memory,” Microsoft said in its advisory. “An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.”
The zero day is one of 13 vulnerabilities patched in Edge, most of which are memory corruption flaws in the browser.
Another zero day, CVE-2016-3393, was addressed in Microsoft Windows Graphics Component in MS16-020. Attackers could exploit this flaw over the web, or through a malicious file attached to an email or sent over a file-sharing application.
The bulletin patches eight vulnerabilities overall in Graphics Component, GDI+ and True Type Font Parsing, which is used in Windows, Office, Skype for Business, Silverlight and Microsoft Lync, exposing those applications to remote code execution.
An Office zero-day, CVE-2016-7193, was also patched in MS16-121, the lone vulnerability addressed in the bulletin. Microsoft said the flaw is a remote code execution vulnerability caused by the way Office handles RTF files. An attacker would have to convince a victim to open an infected file with an Office application.
The remaining publicly attacked zero day, CVE-2016-3298, was in the Microsoft Internet Messaging API and patched in MS16-126. The flaw is an information disclosure vulnerability affecting Vista, Windows 7 and 8. The protocol was used by email clients such as Outlook and Exchange Server to communicate access public and private files and folders; that is no longer the case.
The remaining bulletin rated critical, MS16-122, patches a vulnerability in the Windows Video Control. The vulnerability, CVE-2016-0142, is a remote code execution bug in Windows Vista, 7, 8 and 10 and can be exploited by a user opening a crafted file or application from the Internet or email. The vulnerability can be triggered from the Preview Pane, Microsoft said.
Microsoft also patched Adobe Flash Player native to Internet Explorer and Edge in MS16-127; a new version of Flash Player was released today by Adobe that patched a dozen vulnerabilities in the software, most of which were remote code execution.
The remaining bulletins were rated important or moderate severity by Microsoft: