Last week, we reported here at komando.com about Google's public disclosure of a zero-day vulnerability in Windows that is already exploited by hackers. This privilege escalation bug is said to be exploited through Flash Player and win32k.sys system call bugs that allow malicious code to escape Windows security sandboxing.
Yesterday, as promised, Microsoft finally issued a patch to fix the flaw as part of its regular Patch/Update Tuesday set of software security updates.
The tech company released 14 bulletins, including six vulnerabilities with a "Critical" rating and eight rated as "Important."
MS16-129 is a set of critical patches for multiple memory corruption and information disclosure vulnerabilities in the Microsoft Edge browser. The most severe of these bugs could allow an attacker to execute remote code and take control of a machine.
MS16-130 addresses an elevation of privilege vulnerability in Windows Input Method Editor and the Task Scheduler. It also patches a hole that allows remote code execution by loading a specially crafted image file from a website or an email attachment.
MS16-131 and MS16-132 are fixes for Microsoft Video Control and Microsoft Graphic Control bugs that could allow an attacker to execute remote code by exploiting object handling in memory via poisoned website or an email message.
MS16-141 plugs vulnerabilities in Flash Player for Internet Explorer 10, 11 and Microsoft Edge that could allow remote code execution.
The sixth critical update, MS16-141, resolves vulnerabilities in Internet Explorer that could allow remote code execution by viewing a poisoned website.
Interestingly, Microsoft's patch for the zero-day flaw that Google disclosed was only rated "Important." MS16-141 fixes the privilege elevation in win32k.sys as revealed by Google's security team. It also patches information disclosure exploits in Windows kernel-mode drivers.
MS16-134 patches a bug that allows elevation of privilege when the Windows Common Log File System driver improperly handles objects in memory. This flaw could allow an attacker to take full control of a machine via a malicious application.
MS16-136 likewise fixes elevation of privilege vulnerabilities in Microsoft SQL server. This flaw could allow an attacker to modify user accounts in a machine.
MS16-137 resolves flaws in Windows Authentication Methods that could allow elevation of privilege and denial of service.
MS16-138 is a security update for Virtual Hard Disk Driver flaws that allow an attacker to access and manipulate files without permission.
Lastly, MS16-139 addresses an elevation of privilege vulnerability in the Windows Kernel API and MS16-140 patches a flaw that allows a local attacker bypass security by installing a modified boot policy.
For a summary of these security bulletins, check Microsoft's TechNet page.
How to update Windows
Most Windows machines are set to download and install updates automatically by default. If you haven't changed your automatic update settings then you should be fine.
But if you want to check, here's how:
On Windows 10, click Start (Windows logo), choose "Settings," select "Update & Security," then on the "Windows Update" section, click on "Advanced Options." (Note: the "Windows Update" section is also handy for showing you updates that are currently being downloaded or applied.) Under "Advanced Options," just make sure the drop down box is set to "Automatic."
If you have an older Vista or Windows 7 system, check out our tips on how to set up and check Windows Updates.
In related news, Adobe likewise issued security patches for Flash Player and Adobe Connect as part of their own Patch/Update Tuesday release.
The Flash Player security update fixes nine critical vulnerabilities (APSB16-36) that could allow remote code execution.
Flash Player holdovers should update to Flash Player 22.214.171.124 for Windows and Mac and 126.96.36.1994 for Linux. The Flash Player plugins for Chrome, Internet Explorer and Microsoft Edge will automatically update to 188.8.131.52 via these browsers' Flash Player update mechanisms.
--> Click here to use our Adobe Flash Update Tool guide for download and install instructions.
These updates follow the emergency updates that Adobe issued for Flash Player two weeks ago to fix zero-day flaws, including the bug that was reportedly the vector for the Windows win32k.sys exploit.
An update to Adobe Connect was also released to fix a validation vulnerability in its events registration module. Adobe Connect will be upgraded to the newest version automatically.
For further reading, check out these related articles: