Microsoft has issued a patch for a zero-day bug being actively being exploited in the wild, as part of its Patch Tuesday security bulletin. The vulnerability is an elevation-of-privilege flaw, rated important, affecting the Windows Win32k component.
The zero-day (), found by Kaspersky Lab, could allow an adversary to run arbitrary code in kernel mode on targeted systems. “An attacker could then install programs; view, change or delete data; or create new accounts with full user rights,” Microsoft wrote in its patch update. Windows 7, 8.1, 10, and Server 2008, 2012, 2016, and 2019 are affected.
Middle East-based APT FruityArmor, which has a history of targeting Windows zero-day, is believed to be actively exploiting the flaw, according to Kaspersky Lab. In 2016, Kaspersky Lab researchers reported that the group carried out a number of targeted attacks exploiting zero-days to escape browser-based sandboxes and execute malicious code in the wild. In that case, the adversaries targeted CVE-2016-3393, tied to Windows graphics device interface.
The zero-day patch was one of 49 fixes issued Tuesday; 12 were listed as critical.
Microsoft also patched an eight-year-old remote code-execution vulnerability, first identified in 2010 and rated critical. The bug () is tied to a nagging issue with Microsoft Foundation Class Library, a resource used by developers to manage how DLL files are loaded and handled by an application. The bug has been patched multiple times over the years: in 2010, 2011 and 2016 with the most recent update available Tuesday. Microsoft said the problem is once again an issue as it relates to installations of Exchange Server 2016.
“An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights,” Microsoft wrote.
The software giant added, “Exchange Server was not identified as an in-scope product when CVE-2010-3190 was originally published…The update addresses this vulnerability by correcting how applications built using MFC load DLL files.”
Other Microsoft patches addressed vulnerabilities in the Edge and Internet Explorer browsers; and applications such as SharePoint Enterprise server and SQL Server Management software.
“One of the most important vulnerabilities fixed in today’s Patch Tuesday release is the Microsoft JET Database Engine zero-day (), which was disclosed last month,” wrote Glen Pendley, deputy CTO at Tenable, and Allan Liska, threat intelligence analyst at Recorded Future, in a joint analysis. “The vulnerability was published along with a sample exploit code, leaving organizations everywhere exposed for the last several weeks. As such, organizations are urged to update their systems immediately.”
Of the 49 CVEs listed by Microsoft this month, the majority, 33, were fixed in Windows 10, Edge and the associated Server versions, pointed out Chris Goettl, director of security product management for Ivanti. “Also, please note that there was an update for Server 2019 which was made generally available last week. Microsoft continued the trend from last month where they introduced both a monthly roll-up and a security-only release for Server 2008,” he said.
Microsoft’s ubiquitous Office Suite bundle also received a number of updates including those for Excel, Outlook, PowerPoint and Word. With those updates came important version tweaks, according to Goettl: “Office for Mac version 16.17 from last patch Tuesday, and all future 16.17+ releases are now officially ‘Office 2019’,” he said. Office 2016 will continue to receive updates ‘as needed’ until October 2020.”